Microsoft Defender Discovers Zero-Day Vulnerability in Windows CLFS

Technical Insights into the CLFS Exploit

In a recent series of cyber incidents, the deployment of PipeMagic served as a precursor to the execution of a sophisticated exploit targeting the Common Log File System (CLFS) kernel driver. This exploit was initiated from a dllhost.exe process, showcasing a methodical approach to leveraging system vulnerabilities.

The exploit’s initial step involved the use of the NtQuerySystemInformation API, which is designed to retrieve various system information. This API was instrumental in leaking kernel addresses to user mode, a critical phase in the exploit’s execution. However, a significant change in Windows 11, version 24H2, introduced restrictions that limited access to specific System Information Classes within NtQuerySystemInformation. These classes are now accessible only to users possessing SeDebugPrivilege, a privilege typically reserved for administrative users. As a result, the exploit proved ineffective on this version of Windows, despite the underlying vulnerability still being present.

Following the initial information leak, the exploit employed a memory corruption technique alongside the RtlSetAllBits API. This combination allowed the exploit to overwrite the privilege bitmask in its process token with the value 0xFFFFFFFF, effectively enabling every available privilege. With that elevated token, the exploit could inject into SYSTEM-level processes, significantly amplifying its potential impact.

As part of the exploitation process, a CLFS BLF file was created at the following path: C:\ProgramData\SkyPDF\PDUDrv.blf. This file serves as a marker of the exploit’s activity, further illustrating the intricate methods employed by attackers to navigate and manipulate system vulnerabilities.
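The marker file and the dllhost.exe origin described above are the two observables a defender can hunt for directly. The following is an added detection sketch written for this article; it is not code from Microsoft or from the original post. The event shape (a file-creation record with a creating image and a target filename, modelled on Sysmon-style telemetry) and the sample events are constructed, and the rule that treats any .blf written by dllhost.exe under C:\ProgramData as suspicious is a heuristic assumption to be tuned per environment, not something the write-up states.

```python
"""Hunt for the CLFS exploit marker in file-creation telemetry (constructed example)."""
import ntpath  # handles Windows-style paths on any platform
from dataclasses import dataclass

# Marker path named in the write-up; compared case-insensitively below
MARKER_BLF = r"C:\ProgramData\SkyPDF\PDUDrv.blf"
# The write-up reports the exploit running from dllhost.exe
SUSPECT_IMAGE = "dllhost.exe"
PROGRAMDATA = r"C:\ProgramData"

REASON_MARKER = "known CLFS exploit marker file path"
REASON_HEURISTIC = "dllhost.exe wrote a CLFS .blf log under ProgramData (heuristic, assumed rule)"


@dataclass(frozen=True)
class FileCreateEvent:
    """Minimal file-creation record; field names are an assumption, not a real schema."""
    utc_time: str
    image: str            # full path of the process that created the file
    target_filename: str  # full path of the created file


def _norm(path: str) -> str:
    """Lower-case and normalise separators so comparisons are case/slash-insensitive."""
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path: str, root: str) -> bool:
    """True if path equals root or lies anywhere beneath it."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + "\\")


def classify(ev: FileCreateEvent) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means benign under these rules."""
    reasons = []
    target = _norm(ev.target_filename)
    if target == _norm(MARKER_BLF):
        reasons.append(REASON_MARKER)
    is_blf = ntpath.splitext(target)[1] == ".blf"
    from_dllhost = ntpath.basename(_norm(ev.image)) == SUSPECT_IMAGE
    if is_blf and from_dllhost and is_under(target, PROGRAMDATA):
        reasons.append(REASON_HEURISTIC)
    return reasons


def scan(events: list[FileCreateEvent]) -> list[tuple[FileCreateEvent, list[str]]]:
    """Return only the events that triggered at least one rule, with their reasons."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry: one exact marker hit, one benign system CLFS log,
# one heuristic-only hit, and one marker hit with different case and slashes.
SAMPLE_EVENTS = [
    FileCreateEvent("2025-04-01T10:00:00Z", r"C:\Windows\System32\dllhost.exe",
                    r"C:\ProgramData\SkyPDF\PDUDrv.blf"),
    FileCreateEvent("2025-04-01T10:00:01Z", r"C:\Windows\System32\svchost.exe",
                    r"C:\Windows\System32\config\TxR\example.TxR.blf"),
    FileCreateEvent("2025-04-01T10:00:02Z", r"C:\Windows\System32\dllhost.exe",
                    r"C:\ProgramData\Other\log.blf"),
    FileCreateEvent("2025-04-01T10:00:03Z", r"c:\windows\system32\DLLHOST.EXE",
                    r"c:/programdata/skypdf/pdudrv.BLF"),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(ev.utc_time, ev.image, ev.target_filename, "->", "; ".join(reasons))
```

The exact-path rule is high confidence on its own; the dllhost.exe heuristic will need an allowlist in environments where COM surrogates legitimately write CLFS logs under ProgramData, which is why the two reasons are reported separately.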
