The Common Log File System Driver (clfs.sys) present in Microsoft Windows is vulnerable to a Use After Free, which can result in an arbitrary write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Create target directory Perform a pool spray using pipes Creates two threads to win the race condition and trigger the UAF Use the RtlSetAllBits function to enable all privileges in the current process Inject a new agent into an elevated process to run as SYSTEM Successful exploitation is probabilistic and depends critically on two factors: CLFS internal state: The log container lifecycle must be coerced into the precise sequence that releases a vulnerable structure while references remain accessible. Interruptions (other CLFS activity, antivirus hooks, or system load) can alter timing and invalidate the race window. Pool spray: The density, timing, and size-class alignment of sprayed pipe allocations must closely match the freed allocation slot. Memory fragmentation, other kernel consumers, or spray volume reduce the odds of landing a controlled object in the target slot.
The Application Identity Service module (appid.sys) present in Microsoft Windows is vulnerable to an untrusted pointer dereference, which can result in arbitrary code execution. This module allows a local unprivileged user running as "LOCAL SERVICE" to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Leak the address of the current thread Leak the address of the current process token Leak the address of the SYSTEM process token Leak the address of the ExpProfileDelete kernel function Trigger the vulnerability to overwrite PreviousMode Replace the current process token with the SYSTEM token Restore original PreviousMode value
A vulnerability in the update service of Microsoft Windows Disk Cleanup Tool could allow an authenticated local attacker, to execute a crafted dll with SYSTEM user privileges. The steps performed by the exploit are: First It creates 3 folders: C:\$Windows.~WS, C:\ESD\Windows, C:\ESD\Download, inserts dummy .txt files and pauses. Create a thread to run first stage of executable FolderOrFileDeleteToSystem to set up the Config.msi. Create a second thread to run the second executable FolderContentsDeleteToFolderDelete to redirect content cleanup from C:\ESD\Windows to C:/Config.msi. It creates a task named SilentCleanup to trigger content cleanup and delete Config.msi. After deletion it creates a third thread to run second stage of FolderOrFileDeleteToSystem to drop HID.dll. Run osk.exe, then in another thread run mmc.exe.
A critical vulnerability (CVE-2025-32463) was discovered in Sudo versions 1.9.14 through 1.9.17. The vulnerability allows local users to obtain root access by exploiting the --chroot option, where /etc/nsswitch.conf from a user-controlled directory is used. This exploit creates a temporary directory structure that mimics a normal root environment, uploads a malicious /etc/nsswitch.conf which in turn calls a shared object that escalates privileges, the exploit is triggered when executing sudo with the -R flag pointing to the user controlled directory.
The vulnerability in vkrnlintvsp.sys (VkiRootAdjustSecurityDescriptorForVmwp()) stems from insufficient validation of the Dacl AclSize field in a Security Descriptor. Since this value is user-controlled, an attacker can trigger an integer overflow in the ExAllocatePool2() size calculation, leading to a heap-based buffer overflow , allowing a local attacker to exploit them for privilege escalation. The steps performed by the exploit are: Sprays WNF objects to control heap layout. Calls NtCreateCrossVmEvent with a malicious Security Descriptor to overflow a heap buffer. Frees corrupted WNF objects and replaces them with IORING RegBuffers and PipeAttribute objects. Uses IORING RegBuffers to hijack pointers and gain arbitrary kernel R/W. Locates system EPROCESS and copies its token to the target process. Overwrites the current process token to gain SYSTEM privileges. Restores corrupted objects to avoid crashes.
The Cloud Files Mini Filter Driver (cldflt.sys) present in Microsoft Windows is vulnerable to a buffer overflow, which can result in out-of-bounds memory write to paged pool memory. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Register a sync root and set its reparse point data Spray memory using WNF and ALPC Trigger the vulnerability to get an arbitrary write Overwrite the token privileges of current process Inject a new agent into an elevated process to run as SYSTEM
The Windows Error Reporting (WER) service, which runs with SYSTEM privileges, interacts with registry keys to store and process crash reports. The vulnerability stems from weak access controls on these registry keys, allowing a local attacker to exploit them for privilege escalation. The steps performed by the exploit are: Initializes Native APIs by loading necessary Windows APIs for low-level operations Modifies the Registry to hijack WerFault.exe by setting a malicious Debugger key Locks Resources by creating lock files and manipulating registry keys to ensure uninterrupted execution Triggers the Vulnerability by calling ReportFault, forcing the Windows Error Reporting service to execute the malicious payload Escalates Privileges by executing arbitrary code with SYSTEM-level privileges through the hijacked WerFault.exe Cleans Up by removing traces like the Debugger key and temporary files to avoid detection.
The Common Log File System Driver (clfs.sys) present in Microsoft Windows is vulnerable to a memory corruption vulnerability. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges by creating a specially crafted BLF file. The steps performed by the exploit are: Create a crafted BLF file Trigger the vulnerability to get an arbitrary read/write primitive Get SYSTEM privileges by replacing the current process token
CLFS.sys driver before 10.0.22621.4601 in Windows 11 23H2 exposes functionality that allows low-privileged users to read and write arbitrary memory via specially crafted requests and elevate system privileges. The steps performed by the exploit are: Allocate memory at address 0x0000000002100000 (stored in the variable pcclfscontainer). Call CreateLogFile() and AddLogContainer() to create the .BLF and the container files under selected path. Fetch the malicious .BLF from the data replaced in the executable and overwrite the original .BLF with the crafted .BLF. Create a fake CClfsContainer object with a fake vtable that points to the address of nt!PoFxProcessorNotification. Write additional data in the allocated memory region such as the address of nt!DbgkpTriageDumpRestoreState and the address of _KTHREAD.PreviousMode of the current thread. Call again CreateLogFile(). When the PoC invokes CreateLogFile() on the malicious BLF the driver does the following at kernel level: Dereference the malicious CClfsContainer object at address 0x0000000002100000. Call nt!PoFxProcessorNotification. nt!PoFxProcessorNotification redirects the execution flow to nt!DbgkpTriageDumpRestoreState. nt!DbgkpTriageDumpRestoreState is used to obtain an arbitrary write of 8 bytes (already discussed here). In this case it is exploited to overwrite the _KTHREAD.PreviousMode to 0 of the current thread, granting us arbitrary read/write primitives. Issue a series of calls to NtReadVirtualMemory()/NtWriteVirtualMemory() to replace the _EPROCESS.Token of the parent process with that of the system process (PID 4). Restore _KTHREAD.PreviousMode to 1 with a final NtWriteVirtualMemory()
Subscribe to Privilege Escalation