Ransomware operators have been exploiting zero-day vulnerabilities in a Windows kernel driver to elevate privileges on machines they have already compromised.
Understanding the Common Log File System (CLFS) is key to understanding where these vulnerabilities come from.
CLFS is a general-purpose logging subsystem that has been part of Windows since Windows Server 2003 R2 and Windows Vista.
Both the operating system and applications can use it; the subsystem is implemented by the kernel-mode driver clfs.sys.
A CLFS log consists of a Base Log File (.blf) that holds the log's metadata and one or more container files that hold the actual log data, all created through the CLFS API (for example CreateLogFile and AddLogContainer).
Microsoft does not document the BLF format, but it can be recovered by reverse engineering, which is made considerably easier by the public debug symbols for clfs.sys.
Microsoft's documentation does not spell this out, but it does describe CLFS as optimized for performance: the driver reads on-disk structures into memory, works on those buffers in place rather than copying them into separate kernel-side representations, and flushes the same buffers back to disk.
Given the age and complexity of the code base, it is not surprising that CLFS keeps turning up vulnerabilities.
Analyzing the BLF file format shows that every block begins with a block header.
The block header records the block's size in sectors, a checksum over the block, the offsets of the records stored in the block, and a few less important fields.
A BLF file contains six blocks, but only three block types: a control block, a base block and a truncate block, each followed by its shadow copy.
Because this layout is fixed, an exploit does not need to carry a prebuilt BLF file: it can create a legitimate one through the API and then patch only the fields it needs.
Every metadata record starts with a CLFS_METADATA_RECORD_HEADER, whose DumpCount field is used by the ReadMetadataBlock function when it decides which of a block and its shadow copy to use.
The CLFS_CONTROL_RECORD holds an rgBlocks array that describes the six blocks of the file.
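As an added example (this is not code from the article or from the SecureList report), the following C program validates the block header described above and models the DumpCount-based choice between a block and its shadow copy. The field layout and offsets are taken from public analyses of the clfs.sys symbols and are pinned with compile-time asserts; the checksum is assumed to be a standard reflected CRC-32 over the whole block with the Checksum field zeroed, which should be confirmed against clfs.sys before relying on it. The sample block is constructed inside the program rather than taken from a real .blf file, and the helper names (clfs_validate_block, clfs_pick_block, build_sample and the clfs_demo_* functions) belong to this example, not to the CLFS API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CLFS_SECTOR_SIZE 512u

/* Header at the start of every BLF block; offsets per public clfs.sys symbols (assumption) and pinned below. */
typedef struct {
    uint8_t  MajorVersion;       /* 0x00 */
    uint8_t  MinorVersion;       /* 0x01 */
    uint8_t  Usn;                /* 0x02 */
    uint8_t  ClientId;           /* 0x03 */
    uint16_t TotalSectorCount;   /* 0x04 block size in 512-byte sectors */
    uint16_t ValidSectorCount;   /* 0x06 */
    uint32_t Padding;            /* 0x08 */
    uint32_t Checksum;           /* 0x0C CRC of the block, computed with this field = 0 */
    uint32_t Flags;              /* 0x10 */
    uint32_t Reserved;           /* 0x14 gap before the 8-byte-aligned LSNs */
    uint64_t CurrentLsn;         /* 0x18 */
    uint64_t NextLsn;            /* 0x20 */
    uint32_t RecordOffsets[16];  /* 0x28 offsets of the records inside this block */
    uint64_t SignaturesOffset;   /* 0x68 where the last two bytes of each sector are saved */
} clfs_log_block_header;         /* 0x70 */
_Static_assert(offsetof(clfs_log_block_header, Checksum) == 0x0C, "layout");
_Static_assert(offsetof(clfs_log_block_header, RecordOffsets) == 0x28, "layout");
_Static_assert(sizeof(clfs_log_block_header) == 0x70, "layout");

typedef enum { CLFS_BLOCK_OK, CLFS_BAD_LENGTH, CLFS_BAD_SECTORS, CLFS_BAD_OFFSET, CLFS_BAD_CHECKSUM } clfs_verdict;

/* ASSUMPTION: standard reflected CRC-32 (poly 0xEDB88320) over the block, with the four Checksum bytes read as zero. */
uint32_t clfs_block_checksum(const uint8_t *blk, size_t len) {
    size_t cs = offsetof(clfs_log_block_header, Checksum);
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= (i >= cs && i < cs + 4) ? 0u : blk[i];
        for (int k = 0; k < 8; k++) crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Checks a parser must make before trusting anything the header points at. */
clfs_verdict clfs_validate_block(const uint8_t *blk, size_t len) {
    clfs_log_block_header h;
    if (len < sizeof h || len % CLFS_SECTOR_SIZE) return CLFS_BAD_LENGTH;
    memcpy(&h, blk, sizeof h);
    if ((size_t)h.TotalSectorCount * CLFS_SECTOR_SIZE != len ||
        h.ValidSectorCount == 0 || h.ValidSectorCount > h.TotalSectorCount) return CLFS_BAD_SECTORS;
    for (int i = 0; i < 16; i++)  /* every record offset must stay inside the block */
        if (h.RecordOffsets[i] && (h.RecordOffsets[i] < sizeof h || h.RecordOffsets[i] >= len)) return CLFS_BAD_OFFSET;
    /* signature array: two saved bytes per sector, also inside the block */
    if (h.SignaturesOffset < sizeof h || h.SignaturesOffset + 2u * h.TotalSectorCount > len) return CLFS_BAD_OFFSET;
    if (clfs_block_checksum(blk, len) != h.Checksum) return CLFS_BAD_CHECKSUM;
    return CLFS_BLOCK_OK;
}

/* DumpCount: the first 8 bytes of the record at RecordOffsets[0], i.e. its CLFS_METADATA_RECORD_HEADER. */
static uint64_t dump_count(const uint8_t *blk) {
    uint32_t off; uint64_t dc;
    memcpy(&off, blk + offsetof(clfs_log_block_header, RecordOffsets), sizeof off);
    memcpy(&dc, blk + off, sizeof dc);
    return dc;
}

/* Simplified model of ReadMetadataBlock: of the copies that validate, the higher DumpCount wins (0 = primary, 1 = shadow). */
int clfs_pick_block(const uint8_t *primary, const uint8_t *shadow, size_t len) {
    bool p = clfs_validate_block(primary, len) == CLFS_BLOCK_OK;
    bool s = clfs_validate_block(shadow, len) == CLFS_BLOCK_OK;
    if (!p && !s) return -1;
    if (p != s) return p ? 0 : 1;
    return dump_count(shadow) > dump_count(primary) ? 1 : 0;
}

/* Constructed sample, not a real BLF: a two-sector block whose only record is a DumpCount, with a matching checksum. */
static void build_sample(uint8_t *blk, size_t len, uint64_t dump) {
    clfs_log_block_header h;
    memset(blk, 0, len); memset(&h, 0, sizeof h);
    h.TotalSectorCount = h.ValidSectorCount = (uint16_t)(len / CLFS_SECTOR_SIZE);
    h.RecordOffsets[0] = sizeof h;                /* record right after the header */
    h.SignaturesOffset = sizeof h + sizeof dump;  /* signature array after the record */
    memcpy(blk, &h, sizeof h); memcpy(blk + sizeof h, &dump, sizeof dump);
    uint32_t c = clfs_block_checksum(blk, len);
    memcpy(blk + offsetof(clfs_log_block_header, Checksum), &c, sizeof c);
}

clfs_verdict clfs_demo_valid(void) { static uint8_t b[1024]; build_sample(b, sizeof b, 1); return clfs_validate_block(b, sizeof b); }

/* Whoever writes the file can recompute the CRC, so it is the bounds check, not the checksum, that rejects this. */
clfs_verdict clfs_demo_forged_offset(void) {
    static uint8_t b[1024]; build_sample(b, sizeof b, 1);
    uint32_t bad = 0x10000, c;  /* RecordOffsets[3] pointed far outside the block */
    memcpy(b + offsetof(clfs_log_block_header, RecordOffsets) + 3 * sizeof bad, &bad, sizeof bad);
    c = clfs_block_checksum(b, sizeof b);
    memcpy(b + offsetof(clfs_log_block_header, Checksum), &c, sizeof c);
    return clfs_validate_block(b, sizeof b);  /* CLFS_BAD_OFFSET */
}

int clfs_demo_pick(void) {
    static uint8_t p[1024], s[1024];
    build_sample(p, sizeof p, 7); build_sample(s, sizeof s, 9);
    int newer = clfs_pick_block(p, s, sizeof p);     /* 1: shadow has the higher DumpCount */
    s[0x300] ^= 0xFF;                                /* corrupt the shadow so its checksum fails */
    int fallback = clfs_pick_block(p, s, sizeof p);  /* 0: primary is used instead */
    return newer * 10 + fallback;                    /* 10 */
}
```

The forged-offset case is the caveat a practitioner should take from this: any local user can create and rewrite a BLF file, so an attacker can always recompute the checksum, and the CRC only guards against accidental corruption. What actually keeps a forged header from being used is the bounds and consistency checking of the offsets, which is exactly what the exploits in this family rely on being missing or incomplete.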
Each rgBlocks entry is a CLFS_METADATA_BLOCK structure that records the block's size and file offset, plus a field that only has meaning in memory: a placeholder for a kernel pointer, as the SecureList report points out.
The CLFS_BASE_RECORD_HEADER is dominated by large arrays of offsets that locate the client contexts and container contexts stored in the base block.
A CLFS_CLIENT_CONTEXT describes one client of the log: its identifiers, timestamps, the log sequence numbers (LSNs) that mark its position in the log, and its state.
A CLFS_CONTAINER_CONTEXT describes one container file, and its pContainer field holds a kernel pointer to the driver's CClfsContainer object for that container; because the driver flushes its working buffers back to the file, that pointer ends up on disk.
If the driver loads a CLFS_CONTAINER_CONTEXT from a BLF file without properly validating it, an attacker who writes a forged pContainer into the file controls the object the kernel dereferences, which is enough to hijack control flow and elevate privileges.
The root cause is a design that prioritizes performance over a sane file format: structures are located by offsets stored in the file itself, and by manipulating those offsets an attacker can make structures overlap, so that a legitimate write to a field of one structure corrupts a field of another.
Published on cybersecuritynews.com, Wed, 27 Dec 2023 14:55:07 +0000.