CLFS Flaw in Windows 11 Allows for Privilege Escalation, PoC Published

Summary: A critical vulnerability in the Common Log File System (CLFS) driver of Windows 11 allows local users to escalate their privileges, posing significant security risks. Despite claims from Microsoft that the issue has been addressed, tests reveal that the vulnerability persists in the latest version of the operating system.

Threat Actor: Unknown
Victim: Microsoft

Key Points:

  • A vulnerability in the CLFS driver allows privilege escalation by manipulating log structures.
  • The exploit demonstrated at TyphoonPWN 2024 showed command execution with SYSTEM privileges.
  • Microsoft claims the issue is a duplicate and has been patched, but testing indicates otherwise.
  • No CVE identifier or patch information has been provided for the vulnerability.

A high-severity vulnerability has been discovered in the Common Log File System (CLFS) driver in Windows 11, enabling local users to escalate their privileges. CLFS is responsible for efficiently managing system and application logs for event tracking and error recovery.

The vulnerability resides in the function CClfsBaseFilePersisted::WriteMetadataBlock and stems from an unchecked return value from ClfsDecodeBlock. Because the failure is not handled, the CLFS structures on disk can be left in a corrupted state, which creates a pathway for privilege escalation.

The exploit can also disclose a kernel address within the memory pool, which would help bypass the security measures planned for Windows 11 version 24H2. This capability was not used in the proof-of-concept (PoC) presented at the TyphoonPWN 2024 event, since testing was conducted on Windows 11 version 23H2.

The vulnerability is exploited by manipulating the CLFS log structure. During the attack, a log file is created, its data modified, and core system structures disrupted, enabling control at the kernel level. The lack of Supervisor Mode Access Prevention (SMAP) in Windows simplifies kernel memory manipulation, allowing attackers to alter process tokens for privilege escalation.

The exploit demonstrated at TyphoonPWN 2024 showcased the launch of a command line with SYSTEM privileges, underscoring the severity of the threat.

The researcher who identified the issue at the competition secured first place. Although Microsoft reported this vulnerability as a duplicate and claimed it was patched, tests on the latest version of Windows 11 indicate that the issue remains unresolved. A CVE identifier or patch information has yet to be published.

“The vendor has told us that the vulnerability is a duplicate and has been already fixed, though at the time of trying this on Windows 11 latest version the vulnerability still worked. We were never provided with a CVE number or Patch information,” reads the security advisory.

Source: https://securityonline.info/clfs-flaw-in-windows-11-allows-for-privilege-escalation-poc-published