An urgent weakness has been unearthed in the Common Log File System (CLFS) driver of Windows 11. This defect grants local users the ability to elevate privileges by exploiting a specific function within the system.

The concern lies within the CClfsBaseFilePersisted::WriteMetadataBlock function, where the validation of ClfsDecodeBlock return value is incomplete. This lapse permits intruders to tamper with internal CLFS structures, potentially resulting in privilege escalation.

Moreover, this vulnerability can disclose a kernel pool address, circumventing certain protections intended for Windows 11 24H2. Nevertheless, the proof-of-concept (PoC) for TyphoonPWN 2024 does not utilize this approach as it focuses on Windows 11 23H2.

A freelance security expert uncovered the vulnerability and clinched the top spot in TyphoonPWN 2024. Tests conducted on the latest iteration of Windows 11 reveal the persistence of the vulnerability. No CVE identifier or patch particulars have been furnished.

Exploitation Sequence

The CLFS mechanism handles log files and structures discreetly without exposing confidential data like kernel addresses. The loophole leverages encoding and decoding processes that manage metadata blocks. By manipulating these processes, malefactors can attain privilege escalation by manipulating critical data within the CLFS structure.

Perpetrators can trigger this loophole by overlaying container and client structures within the CLFS system. This encompasses fashioning log files and directly altering their structure to tamper with checksums and encoding tags.

The exploitation encompasses several phases:

  • Establishing a log file and appending containers.
  • Modifying file structures to govern sector tags.
  • Crafting a fabricated CClfsContainer structure in user space.
  • Disclosing system details such as kernel addresses and process threads.
  • Adjusting system configurations to evade security checks and escalate privileges.

Upon a successful exploitation, malefactors can execute privileged functions on the system, like initiating processes with elevated authorizations.

This loophole accentuates substantial security apprehensions within Windows 11’s CLFS driver. Users are advised to remain vigilant and apply any accessible updates from Microsoft to diminish potential hazards.

Upon notification, Microsoft affirmed that the vulnerability is a replica and has already been dealt with. Nonetheless, researchers affirm that the exploit is still operable on the most recent version of Windows 11. No CVE identifier or patch details have been dispensed by the corporation.

The article Windows 11 CLFS Driver Vulnerability Allow Attackers To Escalate Privileges: PoC Exploit Released initially appeared on Cyber Security News.