A critical vulnerability has been discovered in the Common Log File System (CLFS) driver of Windows 11. This flaw enables local users to gain elevated privileges by exploiting a specific function within the system.
The issue resides in the CClfsBaseFilePersisted::WriteMetadataBlock function, where the return value of ClfsDecodeBlock is not properly checked. This oversight allows attackers to corrupt internal CLFS structures, potentially leading to privilege escalation.
Additionally, the vulnerability can be used to leak a kernel pool address, bypassing certain mitigations planned for Windows 11 24H2. However, the proof-of-concept (PoC) for TyphoonPWN 2024 does not utilize this method, as it targets Windows 11 23H2.
An independent security researcher identified the vulnerability and won first place in TyphoonPWN 2024. Tests on the latest version of Windows 11 indicate that the vulnerability persists. No CVE number or patch details have been provided.
Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Watch Here
Exploitation Process
The CLFS system manages log files and structures without exposing sensitive data like kernel addresses. The vulnerability exploits encoding and decoding processes that manage metadata blocks. By manipulating these processes, attackers can achieve privilege escalation by corrupting important data within the CLFS structure.
Attackers can trigger this vulnerability by overlapping container and client structures within the CLFS system. This involves creating log files and directly modifying their structure to manipulate checksums and encoding tags.
The exploit involves several steps:
- Creating a log file and adding containers.
- Manipulating file structures to control sector tags.
- Preparing a fake
CClfsContainerstructure in user space. - Leaking system information such as kernel addresses and process threads.
- Altering system settings to bypass security checks and escalate privileges.
Once successfully exploited, attackers can perform privileged actions on the system, such as spawning processes with elevated permissions.
This vulnerability highlights significant security concerns within Windows 11’s CLFS driver. Users are advised to remain vigilant and apply any available updates from Microsoft to mitigate potential risks.
When contacted, Microsoft stated that the vulnerability is a duplicate and has already been addressed. However, researchers report that the exploit still works on the latest version of Windows 11. No CVE number or patch information has been provided by the company.
Protecting your networks & Endpoints With UnderDefense MDR – Request Free Demo