CVE-2024-11616
epdlpdrv.sys — Netskope Endpoint DLP double-fetch heap overflow
Summary
| Field | Value |
|---|---|
| Driver | epdlpdrv.sys (Netskope Endpoint DLP) |
| Vendor | Netskope |
| Vulnerability Class | Double-Fetch (TOCTOU) |
| Exploited ITW | No |
| Patch Date | 2024 |
Root Cause
The driver reads a user-supplied buffer length at InputBuffer+0xc twice: once to size a pool allocation via ExAllocatePoolWithTag, then again to set the copy length for RtlCopyMemory. Between the two reads the value sits in user-mode memory with no kernel-side copy. An attacker flips the value between reads -- small for the allocation, large for the copy -- and overflows the heap buffer.
The communication port to epdlpdrv.sys accepts only one concurrent connection, held by the Netskope EPDLP userland service. The attacker must kill that service first to free the port.
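As an added illustration (not code from the advisory or from Netskope), the following user-mode C model contrasts the double-fetch pattern described above with its hardened form: the length is fetched once into a kernel-owned local, validated against the real input size, and that local is used for both the allocation and the copy, so a later rewrite of the user buffer has no effect. The header layout beyond offset 0xc, the 4096-byte cap, and the `racer` hook that stands in for the second thread are assumptions; the model reports the overflow condition instead of writing out of bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the request: a 0x10-byte header whose u32 at
   offset 0xc is the payload length, followed by the payload.
   Everything except the 0xc offset is an assumption. */
#define LEN_OFFSET  0x0c
#define HDR_SIZE    0x10
#define MAX_REQ_LEN 4096u   /* hypothetical upper bound a driver would enforce */

enum status { ST_OK = 0, ST_BAD_LEN = 1, ST_NO_MEM = 2, ST_OVERFLOW = 3 };

/* Stand-in for the racing user-mode thread: called once, between the
   allocation and the copy, and allowed to rewrite the user buffer. */
typedef void (*racer_fn)(uint8_t *user_buf);
typedef int (*handler_fn)(uint8_t *, size_t, racer_fn, size_t *);

static uint32_t fetch_len(const uint8_t *user_buf) {
    uint32_t v;
    memcpy(&v, user_buf + LEN_OFFSET, sizeof v);
    return v;
}

/* Vulnerable pattern: the length is fetched from user memory twice. */
int handle_request_vulnerable(uint8_t *user_buf, size_t user_buf_size,
                              racer_fn racer, size_t *out_len) {
    if (user_buf_size < HDR_SIZE) return ST_BAD_LEN;
    uint32_t alloc_len = fetch_len(user_buf);          /* fetch #1: sizes the pool */
    if (alloc_len > MAX_REQ_LEN) return ST_BAD_LEN;
    uint8_t *pool = malloc(alloc_len ? alloc_len : 1);
    if (!pool) return ST_NO_MEM;
    if (racer) racer(user_buf);                        /* the TOCTOU window */
    uint32_t copy_len = fetch_len(user_buf);           /* fetch #2: sizes the copy */
    if (copy_len > alloc_len) {
        /* In the real driver the copy would run past `pool` here; the
           model reports the condition instead of corrupting memory. */
        free(pool);
        if (out_len) *out_len = copy_len;
        return ST_OVERFLOW;
    }
    memcpy(pool, user_buf + HDR_SIZE, copy_len);
    if (out_len) *out_len = copy_len;
    free(pool);
    return ST_OK;
}

/* Hardened pattern: fetch once into a kernel-owned local, validate it
   against the actual input size, and reuse it for both the allocation
   and the copy. */
int handle_request_fixed(uint8_t *user_buf, size_t user_buf_size,
                         racer_fn racer, size_t *out_len) {
    if (user_buf_size < HDR_SIZE) return ST_BAD_LEN;
    uint32_t len = fetch_len(user_buf);                /* the only fetch */
    if (len > MAX_REQ_LEN || len > user_buf_size - HDR_SIZE) return ST_BAD_LEN;
    uint8_t *pool = malloc(len ? len : 1);
    if (!pool) return ST_NO_MEM;
    if (racer) racer(user_buf);                        /* same window, now harmless */
    memcpy(pool, user_buf + HDR_SIZE, len);            /* bounded by the captured value */
    if (out_len) *out_len = len;
    free(pool);
    return ST_OK;
}

/* Simulated racer: rewrite the length field to a larger value. */
void flip_len_large(uint8_t *user_buf) {
    uint32_t big = 256;
    memcpy(user_buf + LEN_OFFSET, &big, sizeof big);
}

/* Build a request with `declared` in the length field and `payload`
   zeroed body bytes, run `handler`, and return its status. */
int run_scenario(handler_fn handler, uint32_t declared, size_t payload,
                 racer_fn racer, size_t *out_len) {
    size_t total = HDR_SIZE + payload;
    uint8_t *buf = calloc(total, 1);
    if (!buf) return ST_NO_MEM;
    memcpy(buf + LEN_OFFSET, &declared, sizeof declared);
    int st = handler(buf, total, racer, out_len);
    free(buf);
    return st;
}

/* Same scenario, but return the length the handler ended up using. */
size_t copied_len(handler_fn handler, uint32_t declared, size_t payload,
                  racer_fn racer) {
    size_t n = 0;
    run_scenario(handler, declared, payload, racer, &n);
    return n;
}

int main(void) {
    printf("vulnerable, race : status %d, length %zu\n",
           run_scenario(handle_request_vulnerable, 16, 512, flip_len_large, NULL),
           copied_len(handle_request_vulnerable, 16, 512, flip_len_large));
    printf("fixed, race      : status %d, length %zu\n",
           run_scenario(handle_request_fixed, 16, 512, flip_len_large, NULL),
           copied_len(handle_request_fixed, 16, 512, flip_len_large));
    return 0;
}
```

The racer hook is deterministic, so the comparison is repeatable without a real thread race. In an actual driver the single fetch of a user-mode pointer would additionally sit under ProbeForRead and a `__try` block, and the captured value would never be re-read from the user buffer afterward; that single-capture rule is the fix for the whole class, not just this length field.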
Exploitation
- Kill the Netskope EPDLP service to free the driver's single communication port.
- Connect to the port and send a request with a length field at InputBuffer+0xc.
- Race a second thread that flips the length between the driver's two reads -- small value for ExAllocatePoolWithTag, large value for RtlCopyMemory.
- The driver allocates a small buffer, copies too much data, and overflows into adjacent pool objects.
The overflow corrupts kernel pool. In the PoC this triggers a BSOD, but a controlled overflow could target adjacent pool objects for code execution.
Exploitation Primitive
Kill EPDLP service → connect to driver port
→ race length field (small alloc, large copy)
→ heap overflow → pool corruption → BSOD / potential code exec