Man
Professional
Kernel protections proved powerless against the new PoC exploit.
A critical vulnerability in the Common Log File System (CLFS) driver has been discovered in the Windows 11 operating system, which allows local users to escalate their privileges. CLFS is responsible for efficiently maintaining system and application logs for event tracking and error recovery.
The vulnerability was identified in the CClfsBaseFilePersisted::WriteMetadataBlock function and stems from the unchecked return value of ClfsDecodeBlock. Ignoring that result lets corrupted metadata be written back into the CLFS on-disk structures, which opens the way to privilege escalation.
The technique also leaks a kernel pool address, which would help bypass the additional kernel hardening planned for Windows 11 version 24H2. That aspect was not needed for the proof-of-concept (PoC) presented at TyphoonPWN 2024, since testing was carried out on version 23H2.
The exploit works by manipulating the CLFS log structure: the attacker creates a log file, modifies its contents, and corrupts key kernel structures, which yields control at the kernel level. Because Windows does not enforce Supervisor Mode Access Prevention (SMAP), the kernel can freely dereference user-mode memory, which makes it easier for the attacker to overwrite the process token and escalate privileges.
The exploitation demo at TyphoonPWN 2024 ended with a command prompt running with SYSTEM privileges, which confirms the severity.
The researcher who found the bug took first place in the competition. Although Microsoft stated that the vulnerability duplicates an already-fixed issue, tests on the latest build of Windows 11 show that the problem persists. No CVE identifier or patch information has been published yet.
Security experts recommend that system administrators watch for updates from Microsoft and install the patch promptly once it is available.
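As an added example, not part of the reposted article or of the TyphoonPWN PoC: the attack flow described above starts by creating and modifying a CLFS log file, and CLFS base log files carry the .blf extension, so while no patch exists one cheap hunting check is to flag .blf files created outside the locations where Windows itself keeps them. The Python below applies that heuristic to constructed Sysmon-style FileCreate (Event ID 11) records. The allowlist of expected locations and the "image running from a user-writable directory" rule are assumptions to tune for your environment, and the sample records are made up.

```python
import re

# Constructed Sysmon-style FileCreate (Event ID 11) records to exercise the logic.
# They are made up for this example and are not telemetry from any real host.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\config\TxR\{00000000-0000-0000-0000-000000000001}.TxR.blf"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\poc.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\log1.blf"},
    {"EventID": 11, "Image": r"C:\Program Files\ExampleVendor\agent.exe",
     "TargetFilename": r"C:\ProgramData\ExampleVendor\journal.blf"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\poc.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\notes.txt"},
    {"EventID": 11, "Image": "System",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Windows\UsrClass.dat{00000000-0000-0000-0000-000000000002}.TM.blf"},
]

# Assumed allowlist: locations where Windows itself keeps CLFS base log files
# (registry transaction / KTM logs). Tune this for your environment.
EXPECTED_BLF_LOCATIONS = [
    re.compile(r"^[A-Z]:\\Windows\\System32\\config\\TxR\\", re.I),
    re.compile(r"^[A-Z]:\\Windows\\System32\\SMI\\Store\\", re.I),
    re.compile(r"^[A-Z]:\\Users\\[^\\]+\\NTUSER\.DAT\{", re.I),
    re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Microsoft\\Windows\\UsrClass\.dat\{", re.I),
]

# Assumed heuristic: a creating image that runs from a user-writable directory
# is a stronger signal than a .blf written by an installed service.
USER_WRITABLE_IMAGE = re.compile(r"\\Users\\|\\Temp\\|\\ProgramData\\", re.I)


def is_blf(path: str) -> bool:
    """CLFS base log files carry the .blf extension (NTFS names are case-insensitive)."""
    return path.lower().endswith(".blf")


def is_expected_location(path: str) -> bool:
    """True when the path sits under one of the allowlisted system CLFS locations."""
    return any(p.match(path) for p in EXPECTED_BLF_LOCATIONS)


def classify(event: dict):
    """Return a finding for a suspicious .blf creation, or None if benign or irrelevant."""
    if event.get("EventID") != 11:
        return None
    target = event.get("TargetFilename", "")
    if not is_blf(target) or is_expected_location(target):
        return None
    image = event.get("Image", "")
    severity = "high" if USER_WRITABLE_IMAGE.search(image) else "medium"
    return {
        "Image": image,
        "TargetFilename": target,
        "severity": severity,
        "reason": "CLFS base log file created outside expected system locations",
    }


def hunt(events):
    """Run the heuristic over a batch of events and return findings in input order."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['Image']} -> {finding['TargetFilename']}")
```

On the constructed sample this yields two findings: the Temp\log1.blf written by an executable in Downloads (high) and the vendor service's journal.blf (medium). Legitimate software can use CLFS through CreateLogFile, so medium hits need triage rather than alerting; this is a hunting heuristic for the behaviour the article describes, not a signature for the specific bug.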
Source