Microsoft Windows security vulnerability
Description: Microsoft Windows is an operating system for personal devices developed by Microsoft Corporation (USA). Multiple Microsoft products contain a security vulnerability that stems from a denial-of-service flaw in CLFS.sys, which allows an authenticated, malicious low-privilege user to cause a blue screen of death by forcing a call to the KeBugCheckEx function. The following products are affected: Microsoft Windows 10, Windows 11, Windows Server 2016, Windows Server 2019 and Windows Server 2022.
# CVE-2024-6768: Improper validation of specified quantity in input produces an unrecoverable state in CLFS.sys causing a BSoD.
# Introduction:
[CVE-2024-6768](https://www.cve.org/CVERecord?id=CVE-2024-6768) is a
vulnerability in the Common Log File System (CLFS.sys) driver of
Windows, caused by improper validation of specified quantities in input
data. This flaw leads to an unrecoverable inconsistency, triggering the
KeBugCheckEx function and resulting in a Blue Screen of Death (BSoD).
The issue affects all versions of Windows 10 and Windows 11, Windows
Server 2016, Server 2019 and Server 2022 despite having all updates
applied. A Proof of Concept (PoC) shows that by crafting specific values
within a .BLF file, an unprivileged user can induce a system crash. The
potential problems include system instability and denial of service, as
malicious users can exploit this vulnerability to repeatedly crash
affected systems, disrupting operations and potentially causing data
In the last two research endeavors on the Common Log File System (CLFS), I
was able to achieve RCE in both cases. (If you are interested, here is
the one I did for CLFS
and CLFS.)
However, when I modified some values in the PoC I was working on, I
observed that it triggered a BSoD on the target system. Consequently, I
decided to report this issue. This document helps to understand the BSoD
and provides guidance on how to reproduce it.
# Vulnerability details:
This vulnerability is produced by an Improper Validation of Specified
Quantity in Input
which causes an unrecoverable inconsistency in the CLFS.sys driver,
forcing a call to the **KeBugCheckEx** function, which allows an
unprivileged user to produce a BSoD in Windows. In this document, I’m
using CLFS.sys version 10.0.19041.3324 as an example, but this issue is
affecting all versions up to the latest version of Windows 10 and
Windows 11 with all updates applied.
Base Score: CVSS 4.0: 6.8 Medium

Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

- Attack Vector (AV): Local
- Attack Complexity (AC): Low
- Attack Requirements (AT): None
- Privileges Required (PR): Low
- User Interaction (UI): None
- Confidentiality (VC): None
- Integrity (VI): None
- Availability (VA): High
- Confidentiality (SC): None
- Integrity (SI): None
- Availability (SA): None
After the system detects the unrecoverable state, it calls the
**KeBugCheckEx** function, which leads to a BSoD, as described by
Microsoft in this article:

**CClfsLogFcbPhysical::FlushLog+6F2** is the address in CLFS.sys version
10.0.19041.3324 where the call to **KeBugCheckEx** is produced:
```asm
CClfsLogFcbPhysical::FlushLog+6D5 loc_FFFFF8062EED4F35:
CClfsLogFcbPhysical::FlushLog+6D5 mov r8d, eax
CClfsLogFcbPhysical::FlushLog+6D8 and [rsp+0A8h+Timeout], 0
CClfsLogFcbPhysical::FlushLog+6DE mov r9, rbx ; BugCheckParameter3
CClfsLogFcbPhysical::FlushLog+6E1 mov edx, 3Ah ; ':' ;
CClfsLogFcbPhysical::FlushLog+6E6 mov ecx, 0C1F5h ; BugCheckCode
CClfsLogFcbPhysical::FlushLog+6EB mov r10, cs:__imp_KeBugCheckEx
CClfsLogFcbPhysical::FlushLog+6F2 call near ptr nt_KeBugCheckEx
```
# Building the PoC:
To begin the analysis, it is necessary to know the .BLF file format,
which is handled by the vulnerable Common Log File System driver,
CLFS.sys, located in %windir%\system32. To learn more about this,
check the references section at the end of this article.
In our [proof of concept repo](https://github.com/fortra/CVE-2024-6768),
the **54.blf** file has a crafted value (**0xffffffff00ff01**) in offset

This crafted value sits at offset **0x38** of the
**\_CLFS_CLIENT_CONTEXT** structure; **CClfsLogFcbPhysical::Initialize**
copies it to offset **0x538** of the **CClfsLogFcbPhysical** structure.

In the dump below, the blue-marked zone starting with **cidNode = 0xC1FDF006** is the
**CLFSHASHSYM** structure.

After that, starting with **cidNode == 0xC1FDF007**, comes the
**\_CLFS_CLIENT_CONTEXT** structure.
At offset **0x38** is the field **lsnOwnerPage**, which will be filled
with the crafted value **0xffffffff00ff01**:

```c
CLFS_NODE_ID cidNode;
CLFS_CLIENT_ID cidClient;
USHORT fAttributes;
ULONG cbFlushThreshold;
ULONG cShadowSectors;
ULONGLONG cbUndoCommitment;
LARGE_INTEGER llCreateTime;
LARGE_INTEGER llAccessTime;
LARGE_INTEGER llWriteTime;
CLFS_LSN lsnOwnerPage;        // offset 0x38
CLFS_LSN lsnArchiveTail;
CLFS_LSN lsnBase;
CLFS_LSN lsnLast;
CLFS_LSN lsnRestart;
CLFS_LSN lsnPhysicalBase;
CLFS_LSN lsnUnused1;
CLFS_LSN lsnUnused2;
HANDLE hSecurityContext;
ULONGLONG ullAlignment;
```
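The following Python is an added triage helper written for this page; it is not Fortra's PoC nor any code from the advisory. It locates `_CLFS_CLIENT_CONTEXT` blocks inside a .BLF image by the `cidNode` signature the advisory shows for that structure (0xC1FDF007), parses the fields in the order listed above, computes from the declared types that `lsnOwnerPage` lands at offset 0x38, and flags any context that carries the PoC's crafted `lsnOwnerPage` value, which is what an incident responder would want when checking recovered .blf artifacts. It assumes x64 natural alignment, `CLFS_NODE_ID` as two ULONGs (`cType`, `cbNode`) as described in the referenced clfs-docs, and that the 0xC1FDF007 marker is `cidNode.cType`; the sample buffer is constructed and is not a real log file.

```python
import struct
import sys

# cidNode markers as shown in the advisory's dump of 54.blf.
CLFS_NODE_TYPE_HASHSYM = 0xC1FDF006          # CLFSHASHSYM block
CLFS_NODE_TYPE_CLIENT_CONTEXT = 0xC1FDF007   # _CLFS_CLIENT_CONTEXT block

# Crafted lsnOwnerPage value from the PoC's 54.blf (from the advisory).
CRAFTED_LSN_OWNER_PAGE = 0xFFFFFFFF00FF01

# _CLFS_CLIENT_CONTEXT in declaration order. Types are the advisory's;
# CLFS_NODE_ID = {ULONG cType; ULONG cbNode;} is assumed from clfs-docs,
# and x64 natural alignment padding ("x" bytes) is assumed.
CLIENT_CONTEXT_FIELDS = [
    ("cidNode.cType", "I"),     # 0x00
    ("cidNode.cbNode", "I"),    # 0x04
    ("cidClient", "B"),         # 0x08  CLFS_CLIENT_ID (UCHAR)
    ("_pad0", "x"),             # 0x09  alignment padding
    ("fAttributes", "H"),       # 0x0A
    ("cbFlushThreshold", "I"),  # 0x0C
    ("cShadowSectors", "I"),    # 0x10
    ("_pad1", "xxxx"),          # 0x14  padding before 8-byte field
    ("cbUndoCommitment", "Q"),  # 0x18
    ("llCreateTime", "q"),      # 0x20
    ("llAccessTime", "q"),      # 0x28
    ("llWriteTime", "q"),       # 0x30
    ("lsnOwnerPage", "Q"),      # 0x38  the field the PoC crafts
    ("lsnArchiveTail", "Q"),    # 0x40
    ("lsnBase", "Q"),           # 0x48
    ("lsnLast", "Q"),           # 0x50
    ("lsnRestart", "Q"),        # 0x58
    ("lsnPhysicalBase", "Q"),   # 0x60
    ("lsnUnused1", "Q"),        # 0x68
    ("lsnUnused2", "Q"),        # 0x70
    ("hSecurityContext", "Q"),  # 0x78  HANDLE, 8 bytes on x64
    ("ullAlignment", "Q"),      # 0x80
]
_FMT = "<" + "".join(f for _, f in CLIENT_CONTEXT_FIELDS)
_NAMES = [n for n, f in CLIENT_CONTEXT_FIELDS if "x" not in f]
CLIENT_CONTEXT_SIZE = struct.calcsize(_FMT)   # 0x88 under the assumptions above


def field_offset(name):
    """Offset of a named field, derived from the declared layout."""
    off = 0
    for n, f in CLIENT_CONTEXT_FIELDS:
        if n == name:
            return off
        off += struct.calcsize("<" + f)
    raise KeyError(name)


def parse_client_context(buf, off=0):
    """Unpack one _CLFS_CLIENT_CONTEXT at buf[off:] into a dict."""
    return dict(zip(_NAMES, struct.unpack_from(_FMT, buf, off)))


def find_client_contexts(buf):
    """Yield every offset where a full client-context node signature appears."""
    sig = struct.pack("<I", CLFS_NODE_TYPE_CLIENT_CONTEXT)
    start = 0
    while True:
        i = buf.find(sig, start)
        if i < 0 or i + CLIENT_CONTEXT_SIZE > len(buf):
            return
        yield i
        start = i + 1


def triage(buf):
    """Return (offset, lsnOwnerPage) for every context carrying the crafted value."""
    hits = []
    for off in find_client_contexts(buf):
        ctx = parse_client_context(buf, off)
        if ctx["lsnOwnerPage"] == CRAFTED_LSN_OWNER_PAGE:
            hits.append((off, ctx["lsnOwnerPage"]))
    return hits


def build_sample_context(lsn_owner_page):
    """Construct a synthetic client context (not a real .blf block)."""
    return struct.pack(
        _FMT,
        CLFS_NODE_TYPE_CLIENT_CONTEXT, CLIENT_CONTEXT_SIZE,  # cidNode
        0, 0,                 # cidClient, fAttributes
        0, 0,                 # cbFlushThreshold, cShadowSectors
        0,                    # cbUndoCommitment
        0, 0, 0,              # llCreateTime, llAccessTime, llWriteTime
        lsn_owner_page,       # lsnOwnerPage
        0, 0, 0, 0, 0, 0, 0,  # lsnArchiveTail .. lsnUnused2
        0, 0,                 # hSecurityContext, ullAlignment
    )


# Constructed sample image: leading bytes, a stand-in CLFSHASHSYM marker,
# a benign context and one carrying the PoC value (offsets 48 and 184).
SAMPLE_BLF = (
    b"\x00" * 16
    + struct.pack("<I", CLFS_NODE_TYPE_HASHSYM) + b"\x00" * 28
    + build_sample_context(0)
    + build_sample_context(CRAFTED_LSN_OWNER_PAGE)
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLF
    for off, lsn in triage(data):
        print(f"crafted lsnOwnerPage 0x{lsn:x} in client context at 0x{off:x}")
```

Run with a .blf path to scan a real file, or without arguments to scan the constructed sample. The hit list only reports the exact PoC value; an analyst would also compare the parsed `lsnOwnerPage` against `lsnBase` and `lsnPhysicalBase` of the same context when triaging unknown files.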
When the PoC is executed, it crafts the value of **lsnOwnerPage** and
calls **CreateLogFile**; the crafted value is then used in
**UpdateCachedOwnerPage**, as seen in the call stack below:

This is the address where the PoC calls **CreateLogFile** and the
crafted value starts to be used:

Inside, **AddLsnOffset** returns an **ulloffset** calculated from this
crafted value:

The returned **ulloffset** is **0xFFFFFFFF00000000**.

After that, this value is compared and the function exits:

After that, execution returns to the PoC in user mode, and when the PoC
exits, **CClfsLogFcbPhysical::FlushLog** is called, where the original
crafted **ulloffset** is used:

This is compared in a loop and, if it is not equal in any cycle, the
system is in an unrecoverable state and calls **KeBugCheck**, which
produces a BSoD and restarts the machine:

You can find the functional PoC with sources and crafted BLF at Fortra's GitHub:
- <https://github.com/fortra/CVE-2024-6768>
- <https://github.com/fortra/CVE-2024-6768/blob/main/clfs_eopNEW/x64/Release/clfs_eop.exe>
I hope you find it useful. Please contact
<vulnerability.disclosure@fortra.com> with any questions.
# References:
Common Log File System (CLFS) references:
- <https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part>
- <https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/introduction-to-the-common-log-file-system>
- <https://github.com/ionescu007/clfs-docs/blob/main/README.md>
- <https://www.coresecurity.com/core-labs/articles/understanding-cve-2022-37969-windows-clfs-lpe>
- <https://www.youtube.com/watch?v=N5bcibiDVaw>
- <https://github.com/fortra/CVE-2024-6768>
- <https://www.fortra.com/security/advisories/research/fr-2024-001>
- <https://www.cve.org/CVERecord?id=CVE-2024-6768>
```
/data/pocs/c6bd26d031ddfcbc386d9395cdd8d143f37e1ae5
├── [ 64K] 54.blf
├── [4.0K] clfs_eopNEW
│   ├── [4.0K] clfs_eop
│   │   ├── [ 33K] clfs_eop.cpp
│   │   ├── [2.4K] clfs_eop.h
│   │   ├── [7.6K] clfs_eop.vcxproj
│   │   ├── [1.3K] clfs_eop.vcxproj.filters
│   │   ├── [ 168] clfs_eop.vcxproj.user
│   │   ├── [ 962] crc32.h
│   │   ├── [170K] ntos.h
│   │   ├── [879K] ntoskrnl.lib
│   │   └── [4.0K] x64
│   │       └── [4.0K] Release
│   │           ├── [   0] clfs_eop.Build.CppClean.log
│   │           ├── [ 322] clfs_eop.exe.recipe
│   │           ├── [ 251] clfs_eop.log
│   │           ├── [142K] clfs_eop.obj
│   │           ├── [4.7M] clfs_eop.sbr
│   │           ├── [4.0K] clfs_eop.tlog
│   │           │   ├── [ 426] bscmake.command.1.tlog
│   │           │   ├── [ 426] bscmake.read.1.tlog
│   │           │   ├── [ 346] bscmake.write.1.tlog
│   │           │   ├── [ 834] CL.command.1.tlog
│   │           │   ├── [ 186] clfs_eop.lastbuildstate
│   │           │   ├── [ 167] Cl.items.tlog
│   │           │   ├── [ 42K] CL.read.1.tlog
│   │           │   ├── [ 694] CL.write.1.tlog
│   │           │   ├── [1.5K] link.command.1.tlog
│   │           │   ├── [4.6K] link.read.1.tlog
│   │           │   └── [ 508] link.write.1.tlog
│   │           ├── [   0] clfs_eop.vcxproj.FileListAbsolute.txt
│   │           └── [404K] vc143.pdb
│   ├── [1.4K] clfs_eop.sln
│   ├── [184K] IncludeFileDependencies1.dgml
│   ├── [184K] IncludeFileDependencies2.dgml
│   ├── [184K] IncludeFileDependencies3.dgml
│   ├── [ 16K] IncludeFileDependencies4_1_1.dgml
│   ├── [ 16K] IncludeFileDependencies4_1.dgml
│   ├── [184K] IncludeFileDependencies4.dgml
│   └── [4.0K] x64
│       └── [4.0K] Release
│           ├── [7.4M] clfs_eop.bsc
│           ├── [182K] clfs_eop.exe
│           └── [4.0M] clfs_eop.pdb
├── [4.0K] media
│   ├── [143K] image10.png
│   ├── [ 51K] image11.png
│   ├── [ 23K] image12.png
│   ├── [ 44K] image13.png
│   ├── [ 27K] image14.png
│   ├── [ 49K] image1.png
│   ├── [ 25K] image2.png
│   ├── [ 20K] image3.png
│   ├── [ 19K] image4.png
│   ├── [ 40K] image5.png
│   ├── [113K] image6.png
│   ├── [ 31K] image7.png
│   ├── [ 57K] image8.png
│   └── [ 81K] image9.png
└── [8.2K] README.md

8 directories, 52 files
```