Vulnerable U
Microsoft Patches Critical RCE Flaw in Windows KDC Proxy
Microsoft has patched CVE-2024-43639, a critical remote code execution (RCE) vulnerability in Windows KDC Proxy.

Microsoft has patched a severe remote code execution (RCE) vulnerability in Windows Key Distribution Center (KDC) Proxy that could allow attackers to execute arbitrary code in the security context of the target service. Tracked as CVE-2024-43639, the flaw stems from an integer overflow due to improper handling of Kerberos response lengths.
Security researchers k0shl and Wei from Kunlun Lab’s Cyber KunLun team originally discovered the vulnerability, which was disclosed in Microsoft’s November 2024 Patch Tuesday updates.
Understanding the KDC Proxy and the Vulnerability
What Is KDC Proxy?
The KDC Proxy (the KDC Proxy Server service, KPSSVC) is a Windows component that lets clients outside the network authenticate to an Active Directory (AD) domain with Kerberos without any direct reachability to a domain controller: the Kerberos messages are carried inside HTTPS requests to the proxy (the MS-KKDCP protocol). It is used where clients cannot reach TCP/UDP port 88 on a domain controller, such as Remote Desktop Gateway (RD Gateway) and DirectAccess deployments.
The proxy unwraps each Kerberos request and forwards it to a domain controller as ordinary Kerberos over TCP (port 88), then wraps the domain controller's response and returns it to the client over the same HTTPS connection. The client therefore needs only HTTPS reachability to the proxy; the proxy-to-DC leg is plain Kerberos, and that is where the vulnerable response handling lives.
How the Vulnerability Works
The flaw arises from a missing length check when the proxy processes a Kerberos response. Kerberos over TCP (RFC 4120, section 7.2.2) prefixes every message with a 4-byte big-endian length whose high bit is reserved and must be zero. When the proxy receives a response from the domain controller it reads those four bytes to learn how much data follows, but the vulnerable code never validates the value before using it to size buffers for the internal ASN.1 encoding functions. Adding a small fixed overhead to a declared length close to 4,294,967,295 (2^32 - 1) wraps the 32-bit result to a tiny value; that wrap is the integer overflow at the root of the bug.
Exploitation involves the following steps:
- The attacker sends a Kerberos authentication request to a KDC Proxy server.
- The KDC Proxy forwards the request to a rogue domain controller under the attacker's control.
- The rogue domain controller returns a Kerberos response whose length prefix carries an oversized value.
- Because that value is never validated, the KDC Proxy sizes its buffers from it and then processes the response, triggering a heap overflow or an out-of-bounds write.
This flaw can result in remote code execution (RCE) with the privileges of the KDC Proxy service, potentially allowing attackers to execute arbitrary commands, deploy backdoors, or pivot further into a compromised network.
Technical Analysis of the Exploit
Integer Overflow and Memory Corruption
The ASN.1 encoding functions Windows uses to process Kerberos messages are central to this vulnerability. Depending on how close the declared length is to 2^32, an oversized response lands in one of two overflow conditions:
Heap buffer overflow (declared length 4,294,967,291 to 4,294,967,295 bytes, i.e. 0xFFFFFFFB to 0xFFFFFFFF)
- Adding the fixed overhead to the declared length wraps the 32-bit allocation size to a handful of bytes.
- The resulting heap buffer is far smaller than the data that follows.
- Copying the response into it overflows the allocation.
Out-of-bounds write (declared length 4,294,966,267 to 4,294,967,290 bytes, i.e. 0xFFFFFBFB to 0xFFFFFFFA)
- Here the initial allocation does not wrap, but the size later handed to the reallocation routine does.
- Instead of expanding the buffer, the reallocation shrinks it.
- Subsequent writes land beyond the new, smaller allocation and corrupt adjacent heap memory.
Either condition gives the attacker a write past a heap allocation, the primitive from which code execution is built (corrupting adjacent heap objects or function pointers). The resulting code runs with the privileges of the KDC Proxy service; escalating beyond that would require a separate flaw.
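The arithmetic behind the two ranges above, as an added example that is not code from the original write-up or from kpssvc.dll. It models what the article describes: the 4-byte Kerberos-over-TCP length prefix is decoded and a small fixed overhead is added to it in 32-bit arithmetic before buffers are sized. FRAME_OVERHEAD and ASN1_GROW_STEP are assumed constants, chosen because they reproduce exactly the two ranges quoted (the real values are not on the page), and kerb_len_ok() is a modelled version of the kind of check the fix adds, not Microsoft's code.

```c
/*
 * Added example, not code from the original write-up or from kpssvc.dll.
 * Models the 32-bit length arithmetic the article describes.
 * FRAME_OVERHEAD and ASN1_GROW_STEP are ASSUMED: they are the values that
 * reproduce the two ranges quoted in the article.
 */
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

#define FRAME_OVERHEAD        5u            /* assumed fixed overhead added to len */
#define ASN1_GROW_STEP        1024u         /* assumed growth step on reallocation */
#define KERB_LEN_RESERVED_BIT 0x80000000u   /* RFC 4120 7.2.2: high bit must be 0 */
#define KERB_MAX_MSG_LEN      (1u << 20)    /* assumed policy cap: 1 MiB */

enum outcome { SAFE, HEAP_OVERFLOW, OOB_WRITE, REJECTED };

/* Decode the 4-byte big-endian length that precedes every Kerberos TCP message. */
uint32_t kerb_read_len(const uint8_t p[4])
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable model: size buffers from the declared length with no check. */
enum outcome vulnerable_classify(uint32_t len)
{
    uint32_t alloc = len + FRAME_OVERHEAD;      /* unsigned wrap is silent */
    if (alloc < len)
        return HEAP_OVERFLOW;   /* tiny allocation, then a len-sized copy into it */

    uint32_t grown = alloc + ASN1_GROW_STEP;    /* encoder tries to grow the buffer */
    if (grown < alloc)
        return OOB_WRITE;       /* realloc gets a smaller size: the buffer shrinks */

    return SAFE;
}

/* Hardened check on the receive path. Modelled here, not lifted from
 * KpsSocketRecvDataIoCompletion(); the 1 MiB cap is a deployment choice. */
int kerb_len_ok(uint32_t len)
{
    if (len & KERB_LEN_RESERVED_BIT) return 0;   /* reserved bit set: invalid */
    if (len == 0 || len > KERB_MAX_MSG_LEN) return 0;
    return 1;
}

enum outcome patched_classify(uint32_t len)
{
    return kerb_len_ok(len) ? vulnerable_classify(len) : REJECTED;
}

/* Boundaries the model predicts; compare them with the article's figures. */
uint32_t heap_overflow_min(void) { return 0u - FRAME_OVERHEAD; }
uint32_t oob_write_min(void)     { return 0u - FRAME_OVERHEAD - ASN1_GROW_STEP; }

int main(void)
{
    const uint8_t hdr[4] = { 0xFF, 0xFF, 0xFF, 0xFB };   /* constructed prefix */
    uint32_t len = kerb_read_len(hdr);
    printf("declared length 0x%08" PRIX32 " -> vulnerable: %d, patched: %d\n",
           len, vulnerable_classify(len), patched_classify(len));
    printf("heap overflow from %" PRIu32 ", OOB write from %" PRIu32 " to %" PRIu32 "\n",
           heap_overflow_min(), oob_write_min(), heap_overflow_min() - 1);
    return 0;
}
```

The two wrap points fall out directly: 2^32 - 5 = 4,294,967,291 is where the first addition wraps, and 2^32 - 5 - 1024 = 4,294,966,267 is where only the reallocation size wraps. The hardened check rejects anything with the reserved bit set, which covers every value in both ranges, and additionally caps the length at a size no legitimate Kerberos reply approaches.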
Bypassing Kerberos Validation
The vulnerability is compounded by weak validation of the Kerberos response itself. Specifically:
The KpsCheckKerbResponse() function, which validates Kerberos responses, only applies its checks when the response's second byte is 0x7E or 0x6B, the DER tag bytes for a KRB-ERROR ([APPLICATION 30]) and an AS-REP ([APPLICATION 11]). A response carrying any other value at that position skips validation entirely.
This oversight lets the attacker deliver a maliciously crafted response without triggering a validation failure, which improves the exploit's reliability.
Detection and Mitigation
Who Is Affected?
Only systems explicitly configured as KDC Proxy servers are vulnerable.
Domain controllers are not affected, unless they are also running a KDC Proxy instance.
How to Detect Exploitation Attempts
Organizations should monitor the proxy-to-domain-controller leg, Kerberos over TCP port 88; the client side of the proxy is HTTPS, so the malicious response is not visible there. Suspicious indicators include:
- Kerberos TCP records whose 4-byte length prefix has the high bit set, i.e. a declared length of 2,147,483,648 bytes or more. RFC 4120 reserves that bit, so any such record is invalid, and the lengths this bug turns into an overflow all sit just below 4,294,967,295.
- Unexpected outbound connections from KDC Proxy servers to addresses that are not your domain controllers.
- Crashes or unusual process behaviour of the KDC Proxy Server service (KPSSVC, hosted from kpssvc.dll).
How Microsoft Addressed the Issue
Interestingly, while the root cause of the vulnerability lies in Windows' ASN.1 library, Microsoft patched the issue in KDC Proxy itself by adding length validation in KpsSocketRecvDataIoCompletion(), the I/O completion routine that handles data received on the proxy's socket.
This approach suggests that:
- Microsoft may be aware of similar weaknesses in the ASN.1 library but chose to mitigate this issue at the KDC Proxy level, where the untrusted length first arrives.
- Other Windows components that hand attacker-influenced lengths to the same ASN.1 encoding functions could still be at risk if they lack equivalent input validation.
Recommended Actions for Defenders
Microsoft released a security patch in November 2024 to fix this issue. Organizations using KDC Proxy servers should:
- Apply the latest Windows security updates immediately.
- Disable KDC Proxy where it is not needed, to reduce attack surface.
- Monitor Kerberos authentication traffic for anomalies.
- Restrict outbound connections from KDC Proxy servers to the organization's own domain controllers, so the proxy cannot be steered to a rogue KDC.
- Implement endpoint security tools that detect heap overflows and memory corruption exploits.
Conclusion
CVE-2024-43639 highlights the persistent risks of authentication protocol vulnerabilities in enterprise environments. The Kerberos authentication system is foundational to Active Directory security, making flaws in its implementation a prime target for nation-state attackers and ransomware groups.
While no active exploitation has been observed in the wild, this vulnerability poses a significant risk to unpatched systems. Organizations relying on KDC Proxy should prioritize patching immediately to prevent potential remote code execution attacks.
As security researchers continue monitoring for potential exploitation, this case underscores the need for robust input validation in critical authentication services and proactive detection measures to safeguard enterprise environments.
Indicators of Compromise (IoCs) and Threat Hunting Queries
For organizations looking to monitor potential exploitation, security teams should:
- Inspect Kerberos traffic between the proxy and domain controllers on TCP port 88 for records with anomalous length prefixes (high bit set, or sizes far beyond any real Kerberos reply).
- Look for crash evidence tied to the KDC Proxy Server service in the Windows event logs: Application log Event ID 1000 (Application Error) with kpssvc.dll as the faulting module, and System log Event IDs 7031 or 7034 from Service Control Manager reporting that KPSSVC terminated unexpectedly.
- Use endpoint monitoring tools to detect heap corruption or out-of-bounds memory writes in the process hosting the service.
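Detection logic for the traffic indicators listed above and in the earlier "How to Detect Exploitation Attempts" section, as an added example that is not part of the original write-up. It walks a captured Kerberos-over-TCP stream (the proxy-to-DC leg) record by record and flags any whose 4-byte length prefix has the RFC 4120 reserved bit set, exceeds an assumed 1 MiB policy cap, or declares more data than was captured. SAMPLE_STREAM is constructed for the example; its DER bodies are placeholders that only carry a realistic leading application tag.

```c
/*
 * Added example, not from the original write-up: flag Kerberos TCP records
 * with invalid or implausible length prefixes in a captured stream.
 * SAMPLE_STREAM is CONSTRUCTED; KERB_MAX_MSG_LEN is an assumed policy value.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KERB_LEN_RESERVED_BIT 0x80000000u   /* RFC 4120 7.2.2: must be zero */
#define KERB_MAX_MSG_LEN      (1u << 20)    /* assumed policy cap: 1 MiB */

enum reason { OK_RECORD, RESERVED_BIT_SET, OVER_POLICY_MAX, TRUNCATED };

struct finding {
    size_t      offset;   /* position of the 4-byte prefix in the stream */
    uint32_t    length;   /* declared body length */
    uint8_t     tag;      /* first DER byte of the body, 0 if none captured */
    enum reason reason;
};

/* Kerberos messages are DER [APPLICATION n] values; the tag byte is 0x60 | n. */
const char *kerb_tag_name(uint8_t tag)
{
    switch (tag) {
    case 0x6A: return "AS-REQ";     /* [APPLICATION 10] */
    case 0x6B: return "AS-REP";     /* [APPLICATION 11] */
    case 0x6C: return "TGS-REQ";    /* [APPLICATION 12] */
    case 0x6D: return "TGS-REP";    /* [APPLICATION 13] */
    case 0x7E: return "KRB-ERROR";  /* [APPLICATION 30] */
    default:   return "unknown";
    }
}

const char *reason_name(enum reason r)
{
    static const char *names[] = { "ok", "reserved high bit set",
                                   "over policy max", "truncated" };
    return names[r];
}

/* Walk records and stop at the first bad one, since framing cannot be trusted
 * past it. Returns the number of records examined (findings written). */
size_t scan_kerb_stream(const uint8_t *buf, size_t n,
                        struct finding *out, size_t max_out)
{
    size_t off = 0, count = 0;
    while (off + 4 <= n && count < max_out) {
        uint32_t len = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
                       ((uint32_t)buf[off + 2] << 8) | (uint32_t)buf[off + 3];
        struct finding f = { off, len, 0, OK_RECORD };
        if (off + 4 < n)
            f.tag = buf[off + 4];
        if (len & KERB_LEN_RESERVED_BIT)
            f.reason = RESERVED_BIT_SET;
        else if (len > KERB_MAX_MSG_LEN)
            f.reason = OVER_POLICY_MAX;
        else if ((size_t)len > n - off - 4)
            f.reason = TRUNCATED;
        out[count++] = f;
        if (f.reason != OK_RECORD)
            break;
        off += 4 + len;
    }
    return count;
}

/* Reason for the first bad record in a buffer, or OK_RECORD if all are sane. */
enum reason first_reason(const uint8_t *buf, size_t n)
{
    struct finding f[16];
    size_t k = scan_kerb_stream(buf, n, f, 16);
    return k ? f[k - 1].reason : OK_RECORD;
}

/* Constructed sample: a benign AS-REP, a benign KRB-ERROR, then a record whose
 * prefix declares 0xFFFFFFFB bytes, inside the article's heap-overflow range. */
static const uint8_t SAMPLE_STREAM[] = {
    0x00, 0x00, 0x00, 0x06,  0x6B, 0x04, 0x30, 0x02, 0x05, 0x00,
    0x00, 0x00, 0x00, 0x04,  0x7E, 0x02, 0x30, 0x00,
    0xFF, 0xFF, 0xFF, 0xFB,  0x6B,
};

static struct finding g_findings[8];

size_t scan_sample(void)
{
    return scan_kerb_stream(SAMPLE_STREAM, sizeof SAMPLE_STREAM, g_findings, 8);
}

const struct finding *sample_finding(size_t i) { return &g_findings[i]; }

int main(void)
{
    size_t k = scan_sample();
    for (size_t i = 0; i < k; i++) {
        const struct finding *f = &g_findings[i];
        printf("offset %zu: len=%u (0x%08X) tag=0x%02X %-9s -> %s\n",
               f->offset, (unsigned)f->length, (unsigned)f->length, f->tag,
               kerb_tag_name(f->tag), reason_name(f->reason));
    }
    return 0;
}
```

The scanner stops at the first bad record on purpose: once a length prefix is wrong there is no reliable way to find the next record boundary, and in a live capture the bytes after it are exactly what a rogue KDC would use to fill an undersized buffer. Feed it the port 88 stream between the proxy and each domain controller; a single record with the reserved bit set is enough to warrant pulling the proxy host for investigation.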