Windows Common Log File System Driver EoP Flaw Gets PoC Exploit

CVE-2023-36424 PoC

Proof-of-concept (PoC) exploit code has been published for a Windows vulnerability tracked as CVE-2023-36424. This high-severity Windows vulnerability, scoring 7.8, opens a gateway for attackers to elevate privileges from Medium to High Integrity Level. The flaw lies in the Common Log File System Driver component and allows a local, authenticated attacker to ascend the privilege ladder by executing a specially crafted program.

This vulnerability, found in the processing of IRP_MJ_CREATE requests in the driver clfs.sys, primarily involves the parsing of .blf files in the kernel. A closer examination reveals a flaw during truncate metadata block processing in CClfsLogFcbPhysical::RecoverTruncateLog. The driver's checks are inadequate, leading to an out-of-bounds (OOB) read, which is the bedrock of this exploit.


To understand the depth of this issue, it's crucial to consider the conditions under which this exploit thrives. The payload size of the truncate must be greater than or equal to a defined minimum, yet the driver erroneously dereferences fields within the truncate block without adequate validation, triggering the vulnerability. This exploit was brought to light by an independent security researcher and disclosed through SSD Secure Disclosure.
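To illustrate the check-then-dereference pattern described above, the following C model is an added example written for this page; it is not code from clfs.sys or from the researcher's PoC. It uses a hypothetical record layout (the real CLFS truncate block format is not reproduced here) and places the flawed minimum-size check beside a hardened one that bounds every access by the bytes actually present.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical layout used only for this example (NOT the real CLFS .blf
 * truncate block): u32 magic, u32 entry_count, then entry_count x u64 entries. */
#define HDR_SIZE   8u
#define ENTRY_SIZE 8u
#define MIN_SIZE   HDR_SIZE   /* the "defined minimum" the flawed check stops at */

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }

/* Flawed pattern: only the minimum size is checked, then entries are
 * dereferenced according to a count read from the block itself, so a
 * count larger than what fits in `len` reads out of bounds. */
int parse_truncate_unsafe(const uint8_t *blk, size_t len, uint64_t *sum) {
    if (len < MIN_SIZE) return -1;
    uint32_t count = rd32(blk + 4);
    *sum = 0;
    for (uint32_t i = 0; i < count; i++)
        *sum += rd64(blk + HDR_SIZE + (size_t)i * ENTRY_SIZE);
    return 0;
}

/* Hardened: bound the count by the bytes actually present before any access. */
int parse_truncate_safe(const uint8_t *blk, size_t len, uint64_t *sum) {
    if (len < MIN_SIZE) return -1;
    uint32_t count = rd32(blk + 4);
    if (count > (len - HDR_SIZE) / ENTRY_SIZE) return -2;  /* entries exceed block */
    *sum = 0;
    for (uint32_t i = 0; i < count; i++)
        *sum += rd64(blk + HDR_SIZE + (size_t)i * ENTRY_SIZE);
    return 0;
}

/* Constructed sample: the header claims `claimed` entries but only two exist. */
static size_t build_block(uint8_t *out, uint32_t claimed) {
    uint32_t magic = 0x434C4653u; uint64_t e[2] = {1, 2};
    memcpy(out, &magic, 4); memcpy(out + 4, &claimed, 4); memcpy(out + HDR_SIZE, e, sizeof e);
    return HDR_SIZE + sizeof e;
}

/* Returns 1 when the hardened parser accepts a well-formed block and sums its entries. */
int check_well_formed(void) {
    uint8_t b[64]; uint64_t s; size_t n = build_block(b, 2);
    return parse_truncate_safe(b, n, &s) == 0 && s == 3;
}
/* Returns the hardened parser's verdict on a block whose count overruns its length. */
int check_oversized_count(void) {
    uint8_t b[64]; uint64_t s; size_t n = build_block(b, 1000);
    return parse_truncate_safe(b, n, &s);
}
```

The unsafe variant is kept only to show the pattern; feeding it the oversized-count block would read past the buffer, which is exactly what the hardened check refuses to do.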

For tech enthusiasts and security professionals, the researcher created a PoC exploit and published a technical write-up of the CVE-2023-36424 flaw.

Fortunately, Microsoft addressed this issue in its November 2023 Patch Tuesday update. The patch is a must-have, as it not only remedies CVE-2023-36424 but also fixes five zero-day vulnerabilities and 53 other security issues across various apps and system components.