A recently patched remote code execution (RCE) vulnerability in Microsoft Windows’ Key Distribution Center (KDC) Proxy implementation allows unauthenticated attackers to take control of vulnerable servers through manipulated Kerberos authentication traffic.
Designated CVE-2024-43639 and rated CVSS 9.8, this critical flaw stems from improper validation of message lengths during ASN.1 encoding operations, enabling heap memory corruption.
The vulnerability exists in the KDC Proxy component responsible for forwarding Kerberos authentication requests between clients and domain controllers.
It primarily affects enterprise environments using Active Directory with remote gateway services like RDP Gateway.
According to an analysis by Trend Micro, attackers could exploit this flaw by tricking the KDC Proxy into forwarding a request to an attacker-controlled domain controller, which returns a specially crafted Kerberos response carrying an oversized length value.
Successful exploitation grants SYSTEM-level privileges on the target server.
KDC Proxy Message Handling
The KDC Proxy protocol (MS-KKDCP) wraps Kerberos messages in a DER-encoded ASN.1 structure carried in HTTPS POST requests and responses. The protocol defines a strict structure for this encapsulation:
KDC-PROXY-MESSAGE ::= SEQUENCE {
    kerb-message    [0] OCTET STRING,
    target-domain   [1] KERB-REALM OPTIONAL,
    dclocator-hint  [2] INTEGER OPTIONAL
}
Here, kerb-message contains the Kerberos payload prefixed with a 4-byte big-endian length field, the same framing Kerberos uses over TCP (RFC 4120, section 7.2.2).
When processing responses from the KDC, vulnerable versions do not check that the declared length is consistent with the bytes actually received, nor that it is small enough for the allocation arithmetic that follows.
Integer Overflow Mechanism
The exploit chain triggers when the KDC Proxy server re-encodes an oversized KDC response into DER for the HTTP reply using Microsoft’s ASN.1 library (msasn1.dll).
Critical code paths in KpsDerPack() and ASN1BEREncLength() functions mishandle message length calculations:
Offset  Length  Name  Description
0x10    0x4     len   Kerberos response length (4 bytes, from the length prefix)
0x18    0x8     buf   Pointer to response buffer

// During encoding:
1. Compute required buffer size: new_size = len + DER headers (32-bit arithmetic)
2. LocalReAlloc(current_buffer, new_size)
3. memcpy(data, buf, len)   // corrupts the heap if new_size wrapped below len
By sending responses whose declared length lies between 4,294,966,267 and 4,294,967,295 bytes (0xFFFFFBFB to 0xFFFFFFFF), attackers make the 32-bit size calculation wrap, so the buffer allocated in step 2 is far smaller than the length copied in step 3. This either:
To exploit CVE-2024-43639, attackers must:
Successful attacks grant complete control over the KDC Proxy server, enabling credential theft, lateral movement, and domain privilege escalation.
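The following C program is an added example, not code from the article, from Trend Micro or from Microsoft. It models the two mechanisms described above: the 4-byte big-endian length prefix on kerb-message, and a 32-bit "len + DER header overhead" size calculation that wraps for lengths near 0xFFFFFFFF, placed beside a hardened version that rejects such lengths before any allocation. The DER overhead constant (16 bytes), the sample frames and the helper names are assumptions made for the example; the real figure inside msasn1.dll is not given on the page, and the function first_wrapping_len only shows which overhead would reproduce the page's stated range.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed fixed DER framing overhead (SEQUENCE + [0] + OCTET STRING headers
 * with long-form lengths). This is an illustrative constant, not the value
 * used by msasn1.dll. */
#define DER_OVERHEAD 16u

/* Upper bound the article attributes to the patched check. RFC 4120 also
 * reserves the high bit of the TCP length prefix, so anything above this is
 * protocol-invalid regardless of the proxy's own limits. */
#define KDC_MAX_LEN 0x7FFFFFFFu

/* Read the 4-byte big-endian length prefix that precedes a Kerberos message. */
uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: 32-bit arithmetic with no range check. The result is
 * what would be handed to the allocator (LocalReAlloc in the article). */
uint32_t vuln_alloc_size(uint32_t len) {
    return len + DER_OVERHEAD;              /* wraps when len > 0xFFFFFFFF - DER_OVERHEAD */
}

/* True when the vulnerable calculation produced a buffer smaller than the
 * data that would subsequently be memcpy'd into it. */
int vuln_wraps(uint32_t len) {
    return vuln_alloc_size(len) < len;
}

/* Smallest declared length that wraps for a given fixed overhead. With
 * overhead 1029 this yields the page's lower bound of 4,294,966,267. */
uint32_t first_wrapping_len(uint32_t overhead) {
    return (uint32_t)(0x100000000ULL - overhead);
}

/* Hardened pattern: enforce the protocol cap and prove the addition cannot
 * wrap size_t before computing the allocation. Returns 0 when rejected. */
size_t safe_alloc_size(uint32_t len) {
    if (len > KDC_MAX_LEN) return 0;
    if (len > SIZE_MAX - DER_OVERHEAD) return 0;
    return (size_t)len + DER_OVERHEAD;
}

/* Check a received frame: the declared length must pass the cap and must
 * match the number of bytes actually present after the prefix. */
int frame_is_sane(const uint8_t *frame, size_t frame_len) {
    if (frame_len < 4) return 0;
    uint32_t declared = read_be32(frame);
    if (declared > KDC_MAX_LEN) return 0;
    return (size_t)declared == frame_len - 4;
}

/* Constructed sample frames (not captured traffic): 4-byte prefix + 3 bytes. */
static const uint8_t good_frame[] = { 0x00, 0x00, 0x00, 0x03, 0x6b, 0x82, 0x01 };
static const uint8_t evil_frame[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0x6b, 0x82, 0x01 };

int main(void) {
    uint32_t declared = read_be32(evil_frame);
    printf("declared length      : %u (0x%08X)\n", declared, declared);
    printf("vulnerable alloc size: %u -> %s\n", vuln_alloc_size(declared),
           vuln_wraps(declared) ? "wrapped, memcpy would overrun the heap" : "ok");
    printf("hardened alloc size  : %zu (0 = rejected)\n", safe_alloc_size(declared));
    printf("first wrapping length for 1029 bytes of overhead: %u\n",
           first_wrapping_len(1029u));
    printf("frame sanity: good=%d evil=%d\n",
           frame_is_sane(good_frame, sizeof good_frame),
           frame_is_sane(evil_frame, sizeof evil_frame));
    return 0;
}
```

The point to carry into a real implementation is the order of operations in safe_alloc_size: the cap and the overflow check happen on the declared length before it is ever added to anything, and frame_is_sane additionally refuses a length that does not match the bytes on the wire, which is the check the article says the patch added at receive time.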
The vulnerability affects all Windows Server versions configured as KDC proxies, making it particularly dangerous for organizations using:
Microsoft patched this vulnerability in the November 2024 Patch Tuesday updates, adding proper length validation to the KpsSocketRecvDataIoCompletion function. Organizations should:
1. Apply the November 2024 or later cumulative update immediately on every server running the KDC Proxy service (KPSSVC)
2. Monitor Kerberos traffic on TCP port 88 for responses whose 4-byte length prefix exceeds 2,147,483,647 bytes (0x7FFFFFFF); RFC 4120 reserves the high bit of that field, so such a value is never legitimate
3. Inspect LDAP ping traffic on UDP 389 from KDC Proxy hosts for DC location requests toward unexpected realms or destinations
Additionally, implement network segmentation for KDC Proxy servers and review domain controller communication patterns.
Despite Microsoft’s patch, residual risks remain from:
This vulnerability underscores the importance of protocol validation in security-critical components.
As Kerberos remains the authentication backbone for modern enterprises, continued scrutiny of its implementation details remains essential to prevent domain-wide compromises.