Cyber Security News

Windows 11 CLFS Driver Vulnerability Let Attackers Escalate Privileges – PoC Exploit Released

A critical security vulnerability has been identified in the Common Log File System (CLFS) driver of Windows 11, allowing local users to gain elevated privileges.

The Common Log File System (CLFS) is a Windows service for efficient, reliable logging, used by apps and the system for tracking events and error recovery.

This flaw, located in the CClfsBaseFilePersisted::WriteMetadataBlock function, arises from the unchecked return value of ClfsDecodeBlock, which can lead to data corruption within the internal CLFS structure and facilitate privilege escalation.

Moreover, this vulnerability enables attackers to leak a kernel pool address, potentially bypassing mitigations set to be released in Windows 11 24H2.

However, the proof-of-concept (PoC) used during the TyphoonPWN 2024 event did not exploit this aspect, as the target machine was running Windows 11 23H2.

Technical Analysis

The vulnerability affects Windows 11 version 23H2. It involves manipulating the CLFS file structure to achieve privilege escalation.

The process includes creating a log file, modifying its structure directly, and exploiting unchecked conditions to overlap critical data structures within the system.

The exploit involves preparing a fake CClfsContainer structure in user space due to the absence of Supervisor Mode Access Prevention (SMAP) in Windows.

This allows attackers to manipulate kernel memory addresses and escalate privileges by altering process tokens. This vulnerability poses a significant security risk as it allows attackers to perform privileged actions on affected systems.

The PoC demonstrated during TyphoonPWN 2024 involved spawning a command prompt under the SYSTEM account, showcasing the potential for severe exploitation.

Security professionals and system administrators are advised to monitor for updates from Microsoft regarding this vulnerability and apply necessary patches once available.

The vulnerability was uncovered by an independent security researcher participating in TyphoonPWN 2024, who secured first place in the competition.

Despite being informed by the vendor that the issue was a duplicate and had been resolved, tests on the latest Windows 11 version indicated that the vulnerability persisted. No CVE number or patch information has been provided by the vendor.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Watch Here

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Google Announces Vanir, A Open-Source Security Patch Validation Tool

Google has officially launched Vanir, an open-source security patch validation tool designed to streamline and automate…

14 hours ago

New Transaction-Relay Jamming Vulnerability Let Attackers Exploits Bitcoin Nodes

A newly disclosed transaction-relay jamming vulnerability has raised concerns about the security of Bitcoin nodes,…

15 hours ago

Raspberry Pi 500 & Monitor, Complete Desktop Setup at $190

Raspberry Pi, a pioneer in affordable and programmable computing, has once again elevated its game…

16 hours ago

Qlik Sense for Windows Vulnerability Allows Remote Code Execution

Qlik has identified critical vulnerabilities in its Qlik Sense Enterprise for Windows software that could…

18 hours ago

QNAP High Severity Vulnerabilities Let Remote attackers to Compromise System

QNAP Systems, Inc. has identified multiple high-severity vulnerabilities in its operating systems, potentially allowing attackers…

19 hours ago

Healthcare Security Strategies for 2025

Imagine this: It's a typical Tuesday morning in a bustling hospital. Doctors make their rounds,…

20 hours ago