CVE: CVE-2020-0634
Tested Versions:
Product URL(s):
An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context.
To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system.
Running the PoC produces non-deterministic behavior followed by a BSOD. It appears that a thread object is freed while still referenced, its memory is reused by a newly allocated object, and that new object is then treated as a valid thread object. Because many kernel code paths touch thread objects, the resulting crash lands at a different, apparently random address each time. The dump below was captured with Driver Verifier active (see the nt!IovCallDriver and nt!VerifierExAcquireResourceSharedLite frames and the VRF bucket ID), where the fault surfaces as a REFERENCE_BY_POINTER (0x18) bugcheck:
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
REFERENCE_BY_POINTER (18)
Arguments:
Arg1: 0000000000000000, Object type of the object whose reference count is being lowered
Arg2: ffffe000c3d90800, Object whose reference count is being lowered
Arg3: 0000000000000010, Reserved
Arg4: 0000000000000001, Reserved
The reference count of an object is illegal for the current state of the object.
Each time a driver uses a pointer to an object the driver calls a kernel routine
to increment the reference count of the object. When the driver is done with the
pointer the driver calls another kernel routine to decrement the reference count.
Drivers must match calls to the increment and decrement routines. This bugcheck
can occur because an object's reference count goes to zero while there are still
open handles to the object, in which case the fourth parameter indicates the number
of opened handles. It may also occur when the object's reference count drops below zero
whether or not there are open handles to the object, and in that case the fourth parameter
contains the actual value of the pointer references count.
Debugging Details:
------------------
KEY_VALUES_STRING: 1
PROCESSES_ANALYSIS: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 0
BUILD_VERSION_STRING: 10586.0.amd64fre.th2_release.151029-1700
DUMP_TYPE: 0
BUGCHECK_P1: 0
BUGCHECK_P2: ffffe000c3d90800
BUGCHECK_P3: 10
BUGCHECK_P4: 1
CPU_COUNT: 2
CPU_MHZ: 8a0
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 9e
CPU_STEPPING: a
CPU_MICROCODE: 6,9e,a,0 (F,M,S,R) SIG: 96'00000000 (cache) 96'00000000 (init)
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: 0x18
PROCESS_NAME: ConsoleApplication1.exe
CURRENT_IRQL: 0
ANALYSIS_SESSION_HOST: MEYSAMFIROUAC30
ANALYSIS_SESSION_TIME: 01-09-2019 17:26:31.0642
ANALYSIS_VERSION: 10.0.18303.1000 amd64fre
LAST_CONTROL_TRANSFER: from fffff800d29c814a to fffff800d294d6d0
STACK_TEXT:
ffffd000`2ea2ef68 fffff800`d29c814a : 00000000`00000000 00000000`00000018 ffffd000`2ea2f0d0 fffff800`d28dcd20 : nt!DbgBreakPointWithStatus
ffffd000`2ea2ef70 fffff800`d29c7b1b : 00000000`00000003 ffffd000`2ea2f0d0 fffff800`d2954c00 00000000`00000018 : nt!KiBugCheckDebugBreak+0x12
ffffd000`2ea2efd0 fffff800`d2948084 : 00000000`00000000 fffff800`00000041 ffffcf80`e9f04f90 ffffd000`2ea304b0 : nt!KeBugCheck2+0x893
ffffd000`2ea2f6e0 fffff800`d295a4bf : 00000000`00000018 00000000`00000000 ffffe000`c3d90800 00000000`00000010 : nt!KeBugCheckEx+0x104
ffffd000`2ea2f720 fffff800`d2871e8c : 00000000`00000002 ffffd000`0000002b fffffa80`00000041 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x3bbf
ffffd000`2ea2f760 fffff800`d2871c42 : ffffd000`2ea2f8f0 ffffe000`c402b080 00000000`00000000 fffff800`d2850600 : nt!ExpApplyPriorityBoost+0x19c
ffffd000`2ea2f820 fffff800`d285292d : ffffcf80`e9f04f90 ffffd000`2ea2f8f0 ffffcf80`00000003 ffffe000`00010244 : nt!ExpWaitForResource+0xc2
ffffd000`2ea2f8b0 fffff800`d2ece1d9 : ffffe000`c2c4f202 ffffe000`c2c4f250 ffffcf80`e9f04f90 00000000`00000001 : nt!ExAcquireResourceSharedLite+0x32d
ffffd000`2ea2f940 fffff800`a84bee77 : ffffe000`c2c4f250 00000000`00000001 fffff800`d2bfa328 fffff800`d2ece161 : nt!VerifierExAcquireResourceSharedLite+0x35
ffffd000`2ea2f980 fffff800`a8496a91 : ffffcf80`e978ee40 ffffe000`c3a96b30 00000000`0012019f ffffcf80`00000000 : CLFS!CClfsBaseFilePersisted::CheckSecureAccess+0x57
ffffd000`2ea2fa40 fffff800`a84bbeba : ffffe000`c2c4f000 00000000`00000000 ffffe000`c3a96b30 00000000`0012019f : CLFS!CClfsLogFcbPhysical::Initialize+0x169
ffffd000`2ea2fb70 fffff800`a84bc6ec : ffffcf80`e6e6eee0 ffffe000`c3a90000 00000000`00000003 ffffe000`c3530100 : CLFS!CClfsRequest::Create+0x272
ffffd000`2ea2fcb0 fffff800`a84bae83 : ffffcf80`e6e6eee0 ffffe000`c40b0500 00000000`6d4e6f49 fffff800`d2a3722a : CLFS!CClfsRequest::Dispatch+0x98
ffffd000`2ea2fd20 fffff800`a84bade1 : ffffe000`c40b0520 ffffe000`c40b0520 ffffe000`c2554290 00000000`00000801 : CLFS!ClfsDispatchIoRequest+0x83
ffffd000`2ea2fd70 fffff800`d2eb9cbc : ffffe000`c40b0520 00000000`00000000 00000000`00000000 00000000`00000000 : CLFS!CClfsDriver::LogIoDispatch+0x21
ffffd000`2ea2fda0 fffff800`d2855cf2 : 00000000`00000084 ffffd000`2ea300f0 00000000`00000000 00000000`0012019f : nt!IovCallDriver+0x50
ffffd000`2ea2fde0 fffff800`d2bfa328 : 00000000`00000084 ffffd000`2ea300f0 00000000`00000000 00000000`00000189 : nt!IofCallDriver+0x72
ffffd000`2ea2fe20 fffff800`d2bf0c96 : ffffc001`54e162d8 ffffc001`54e162d8 ffffd000`2ea300f0 ffffe000`c2554260 : nt!IopParseDevice+0x7c8
ffffd000`2ea2fff0 fffff800`d2bef69c : ffffe000`c3a96b00 ffffd000`2ea30200 00000000`00000242 ffffe000`c0d0ab00 : nt!ObpLookupObjectName+0x776
ffffd000`2ea30190 fffff800`d2c188c8 : 00000000`00000001 ffffe000`c3a90010 00000000`00000000 00000000`00000000 : nt!ObOpenObjectByNameEx+0x1ec
ffffd000`2ea302b0 fffff800`d2c17e58 : ffffd000`2ea30538 ffffe000`c0e96398 ffffd000`2ea305e8 ffffd000`2ea305a0 : nt!IopCreateFile+0x3d8
ffffd000`2ea30360 fffff800`d2c9561d : ffffd000`2ea305a0 00000000`c0000000 00000000`0000004e 00000000`00000028 : nt!IoCreateFileEx+0x120
ffffd000`2ea303f0 fffff800`a84ba647 : 00000000`00000000 ffffe000`c3c580d0 00000000`00000000 00000000`c0000000 : nt!IoCreateFileSpecifyDeviceObjectHint+0xf1
ffffd000`2ea304b0 fffff800`a850d13e : ffffe000`c3c580e8 ffffe000`c3c580d0 00000000`00000000 ffffe000`c3c58060 : CLFS!ClfsCreateLogFile+0x4a7
ffffd000`2ea30690 fffff800`a850cfda : ffffe000`c3c58300 ffffe000`c3c58060 00000000`00000001 ffffd000`2ea30968 : tm!TmpCreateLogFile+0x146
ffffd000`2ea30810 fffff800`a850b52e : ffffe000`c3c58060 ffffe000`c3c580d0 00000000`00000000 00000000`00000000 : tm!TmpCreateOrOpenLogTransactionManager+0x1e
ffffd000`2ea30850 fffff800`a850b17d : 000000e9`abeff9f0 00000000`00000000 ffffd000`2ea30a80 ffffcf80`ea364f01 : tm!TmInitializeTransactionManagerExt+0x20e
ffffd000`2ea308f0 fffff800`d29527a3 : ffffe000`c402b080 000000e9`abeff998 ffffd000`2ea309a8 00000000`00000000 : tm!NtCreateTransactionManagerExt+0xed
ffffd000`2ea30990 00007ff9`ff116484 : 00007ff6`67c215cd 0000028a`28ddfcc0 000000e9`abeffa80 0000028a`28ddfd00 : nt!KiSystemServiceCopyEnd+0x13
000000e9`abeff978 00007ff6`67c215cd : 0000028a`28ddfcc0 000000e9`abeffa80 0000028a`28ddfd00 00007ff9`ff08ced0 : ntdll!NtCreateTransactionManager+0x14
000000e9`abeff980 0000028a`28ddfcc0 : 000000e9`abeffa80 0000028a`28ddfd00 00007ff9`ff08ced0 00000000`00000000 : ConsoleApplication1+0x15cd
000000e9`abeff988 000000e9`abeffa80 : 0000028a`28ddfd00 00007ff9`ff08ced0 00000000`00000000 00007ff6`00000000 : 0x0000028a`28ddfcc0
000000e9`abeff990 0000028a`28ddfd00 : 00007ff9`ff08ced0 00000000`00000000 00007ff6`00000000 00000003`eb0d63f8 : 0x000000e9`abeffa80
000000e9`abeff998 00007ff9`ff08ced0 : 00000000`00000000 00007ff6`00000000 00000003`eb0d63f8 0000028a`28ddfd00 : 0x0000028a`28ddfd00
000000e9`abeff9a0 00000000`00000000 : 00007ff6`00000000 00000003`eb0d63f8 0000028a`28ddfd00 0000028a`28ddfcc0 : ntdll!RtlInitUnicodeString
THREAD_SHA1_HASH_MOD_FUNC: 2dffe51fe74bb35bc86aba3b026ced0f29a42b5e
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 72a157fce1592e26521a00445ae7e3441159783a
THREAD_SHA1_HASH_MOD: 12556f74a075ddaaf45e1fcc372a8d23ad2b356c
FOLLOWUP_IP:
CLFS!CClfsBaseFilePersisted::CheckSecureAccess+57
fffff800`a84bee77 448ae0 mov r12b,al
FAULT_INSTR_CODE: 88e08a44
SYMBOL_STACK_INDEX: 9
SYMBOL_NAME: CLFS!CClfsBaseFilePersisted::CheckSecureAccess+57
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: CLFS
IMAGE_NAME: CLFS.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 5632d172
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 57
FAILURE_BUCKET_ID: 0x18_VRF_CLFS!CClfsBaseFilePersisted::CheckSecureAccess
BUCKET_ID: 0x18_VRF_CLFS!CClfsBaseFilePersisted::CheckSecureAccess
PRIMARY_PROBLEM_CLASS: 0x18_VRF_CLFS!CClfsBaseFilePersisted::CheckSecureAccess
TARGET_TIME: 2019-01-09T09:24:03.000Z
OSBUILD: 10586
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2015-10-29 19:15:45
BUILDDATESTAMP_STR: 151029-1700
BUILDLAB_STR: th2_release
BUILDOSVER_STR: 10.0.10586.0.amd64fre.th2_release.151029-1700
ANALYSIS_SESSION_ELAPSED_TIME: 44c
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x18_vrf_clfs!cclfsbasefilepersisted::checksecureaccess
FAILURE_ID_HASH: {6812db28-ebfa-a4a4-f477-643df23b0b7f}
Followup: MachineOwner
---------
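The !analyze text above describes the rule that bugcheck 0x18 enforces: a pointer reference count that reaches zero while handles are still open reports the handle count in Arg4, and a count that goes negative reports the (negative) count itself. Read that way, this dump's Arg4 = 1 says the count hit zero with one handle still open. The following is an added example, not code from the original write-up or from Windows: a small user-mode model of that rule, with one scenario that reproduces this dump's Arg4 and one that shows the free-then-reuse window the write-up suspects. The struct layout, function names and the way a "bugcheck" is reported are simplifications for illustration, not the real OBJECT_HEADER, ObReferenceObject or ObDereferenceObject.

```c
/* Added example: a user-mode model of the REFERENCE_BY_POINTER (0x18) rule.
 * Names and layout are illustrative stand-ins, not the kernel's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUGCHECK_REFERENCE_BY_POINTER 0x18u

/* Stand-in for the object header: a pointer reference count and a handle
 * count. Each open handle also owns one pointer reference. */
typedef struct {
    const char *type_name;   /* corresponds to Arg1 (object type) */
    int64_t pointer_count;
    int64_t handle_count;
    int freed;               /* set when the last pointer reference is dropped */
} model_object;

/* What a 0x18 bugcheck would report; code == 0 means no bugcheck occurred. */
typedef struct {
    unsigned code;
    const model_object *object;  /* Arg2: object whose count is being lowered */
    int64_t arg4;                /* Arg4: open handle count, or the illegal pointer count */
} bugcheck_args;

void model_init(model_object *o, const char *type_name)
{
    memset(o, 0, sizeof *o);
    o->type_name = type_name;
}

void model_reference(model_object *o) { o->pointer_count++; }

/* Opening a handle takes both a handle count and a pointer reference. */
void model_open_handle(model_object *o)
{
    o->handle_count++;
    o->pointer_count++;
}

/* Returns 1 if the dereference is legal, 0 if the kernel would bugcheck.
 * The two illegal states mirror the !analyze description: the pointer count
 * reaching zero while handles are open (Arg4 = handle count), or the pointer
 * count going negative (Arg4 = the new, negative count). */
int model_dereference(model_object *o, bugcheck_args *bc)
{
    int64_t new_count = o->pointer_count - 1;
    memset(bc, 0, sizeof *bc);
    if (new_count < 0) {
        bc->code = BUGCHECK_REFERENCE_BY_POINTER;
        bc->object = o;
        bc->arg4 = new_count;
        return 0;
    }
    if (new_count == 0 && o->handle_count > 0) {
        bc->code = BUGCHECK_REFERENCE_BY_POINTER;
        bc->object = o;
        bc->arg4 = o->handle_count;
        return 0;
    }
    o->pointer_count = new_count;
    if (new_count == 0)
        o->freed = 1;   /* the real kernel returns the memory to the pool here */
    return 1;
}

/* Closing a handle drops the handle count, then the reference it owned. */
int model_close_handle(model_object *o, bugcheck_args *bc)
{
    o->handle_count--;
    return model_dereference(o, bc);
}

/* Triage helper: classify Arg4 of a 0x18 bugcheck as the text describes.
 * Returns 1 for "count hit zero with *value handles open", -1 for "count
 * went negative, now *value". */
int classify_0x18_arg4(uint64_t arg4, int64_t *value)
{
    *value = (int64_t)arg4;
    return *value < 0 ? -1 : 1;
}

/* Scenario matching this dump: an object with one open handle is referenced
 * by a driver, which then dereferences it one time too many. The extra
 * dereference takes the count to zero with a handle open, so Arg4 = 1. */
bugcheck_args scenario_extra_dereference_with_open_handle(void)
{
    model_object thread;
    bugcheck_args bc;
    model_init(&thread, "Thread");
    model_open_handle(&thread);        /* pointer 1, handle 1 */
    model_reference(&thread);          /* pointer 2: driver takes a reference */
    model_dereference(&thread, &bc);   /* pointer 1: driver releases it */
    model_dereference(&thread, &bc);   /* extra release: illegal, Arg4 = 1 */
    return bc;
}

/* Scenario without handles: the extra dereference frees the object first
 * (the window in which a new allocation can reuse its memory), and the next
 * dereference drives the count negative, so Arg4 = -1. */
bugcheck_args scenario_dereference_after_free(int *was_freed_before_bugcheck)
{
    model_object obj;
    bugcheck_args bc;
    model_init(&obj, "Thread");
    model_reference(&obj);             /* pointer 1 */
    model_dereference(&obj, &bc);      /* pointer 0: freed */
    *was_freed_before_bugcheck = obj.freed;
    model_dereference(&obj, &bc);      /* illegal: count would be -1 */
    return bc;
}

int main(void)
{
    int freed = 0;
    int64_t v;
    bugcheck_args a = scenario_extra_dereference_with_open_handle();
    bugcheck_args b = scenario_dereference_after_free(&freed);
    printf("scenario A: code 0x%x, Arg4 = %lld\n", a.code, (long long)a.arg4);
    printf("scenario B: freed before bugcheck = %d, code 0x%x, Arg4 = %lld\n",
           freed, b.code, (long long)b.arg4);
    classify_0x18_arg4(1, &v);
    printf("this dump's Arg4 = 1 -> count reached zero with %lld handle(s) open\n",
           (long long)v);
    return 0;
}
```

Scenario B is the state the write-up suspects for the unverified runs: once the count legitimately reaches zero the object is freed, the next allocation of the same size can land on it, and any code path that still holds the stale pointer operates on the new occupant; only a further dereference of the stale pointer is caught by the 0x18 check.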
The Kernel Transaction Manager driver (TM.sys) keeps its log in a CLFS base log file (.blf), which is parsed by CLFS.sys. The stack above shows that path: NtCreateTransactionManager in the PoC reaches tm!TmpCreateLogFile, which calls CLFS!ClfsCreateLogFile, and the crash occurs while CLFS initializes the physical log (CClfsLogFcbPhysical::Initialize -> CClfsBaseFilePersisted::CheckSecureAccess). By supplying a modified BLF file that CLFS.sys does not parse correctly, we can trigger the BSOD.
Microsoft added a new mitigation that prevents opening a BLF file from a low integrity level (IL).
In order to exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.