CLFS.sys driver before 10.0.22621.4601 in Windows 11 23H2 exposes functionality that allows low-privileged users to read and write arbitrary memory via specially crafted requests and elevate system privileges. The steps performed by the exploit are: Allocate memory at address 0x0000000002100000 (stored in the variable pcclfscontainer). Call CreateLogFile() and AddLogContainer() to create the .BLF and the container files under selected path. Fetch the malicious .BLF from the data replaced in the executable and overwrite the original .BLF with the crafted .BLF. Create a fake CClfsContainer object with a fake vtable that points to the address of nt!PoFxProcessorNotification. Write additional data in the allocated memory region such as the address of nt!DbgkpTriageDumpRestoreState and the address of _KTHREAD.PreviousMode of the current thread. Call again CreateLogFile(). When the PoC invokes CreateLogFile() on the malicious BLF the driver does the following at kernel level: Dereference the malicious CClfsContainer object at address 0x0000000002100000. Call nt!PoFxProcessorNotification. nt!PoFxProcessorNotification redirects the execution flow to nt!DbgkpTriageDumpRestoreState. nt!DbgkpTriageDumpRestoreState is used to obtain an arbitrary write of 8 bytes (already discussed here). In this case it is exploited to overwrite the _KTHREAD.PreviousMode to 0 of the current thread, granting us arbitrary read/write primitives. Issue a series of calls to NtReadVirtualMemory()/NtWriteVirtualMemory() to replace the _EPROCESS.Token of the parent process with that of the system process (PID 4). Restore _KTHREAD.PreviousMode to 1 with a final NtWriteVirtualMemory()
CVE Link
Exploit Platform
Exploit Type
Product Name