Exploiting the CVE-2023-28252 Windows Common Log File System Driver vulnerability that leads to Local Privilege Escalation
We have another vulnerability in the Windows clfs.sys driver. This vulnerability lets an attacker get LPE easily in the post-exploitation phase. It was researched by Mr. Ricardo Vartaja, who reversed the clfs.sys driver and also brought a POC to the community. The vulnerability itself was reported to Microsoft by Mr. Boris Larin of Kaspersky, Genwei Jiang of Mandiant, and Quan Jin of DBAPPSecurity's WeBin Lab.
Now let's see how we can exploit this. Microsoft already released a patch for this in April 2023. If you find Windows 10 or 11 systems that have not been patched since the second Tuesday of April 2023, then you have a chance to exploit this. As a Pentester or Red Teamer you can do this with proper permission. Don't leverage this illegally.
Again, from the above link you will get the POC code. You just need to compile the code into an executable, in our case clfs_eop.exe.
I am not showing how to do that here; it is not the main motive of this writeup. If you face any hurdle, let me know and I will definitely help.
If this KB is installed as a hotfix/patch, then this vulnerability will not be exploitable.
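As an added example (not the author's code, and not the POC), here is a PowerShell check a defender can run on a Windows 10/11 host to see whether it is still exposed: it records the clfs.sys file version and timestamp and lists every update installed on or after the April 2023 patch Tuesday (11 April 2023). The KB number and the fixed clfs.sys version are not on this page, so `$AdvisoryKB` is a placeholder to be filled in from the Microsoft advisory for CVE-2023-28252.

```powershell
# Added example, not from the original post: patch-state check for CVE-2023-28252.
# Assumptions: the KB id and the fixed clfs.sys version come from the MSRC advisory;
# both are placeholders here. Run in an elevated or a normal PowerShell session.

$PatchTuesday = Get-Date -Date '2023-04-11'   # second Tuesday of April 2023
$AdvisoryKB   = 'KBXXXXXXX'                    # placeholder: fill in from the advisory

# 1. Record the driver that carries the bug.
$clfs = Get-Item -Path "$env:SystemRoot\System32\drivers\clfs.sys"
[PSCustomObject]@{
    ComputerName    = $env:COMPUTERNAME
    OSVersion       = [System.Environment]::OSVersion.Version.ToString()
    ClfsFileVersion = $clfs.VersionInfo.FileVersion
    ClfsLastWrite   = $clfs.LastWriteTime
} | Format-List

# 2. List updates installed on or after patch Tuesday (InstalledOn can be empty
#    for some entries, which then simply do not match).
$recent = Get-HotFix | Where-Object { $_.InstalledOn -ge $PatchTuesday }
$recent | Sort-Object InstalledOn | Format-Table HotFixID, Description, InstalledOn -AutoSize

# 3. Verdict. The timestamp test is a heuristic; the file version compared against
#    the advisory is the authoritative check.
if ($recent.HotFixID -contains $AdvisoryKB) {
    "Advisory update $AdvisoryKB is present."
}
elseif ($clfs.LastWriteTime -lt $PatchTuesday) {
    "clfs.sys predates the April 2023 patch Tuesday; treat this host as unpatched for CVE-2023-28252."
}
else {
    "Could not confirm from the KB list; compare ClfsFileVersion with the fixed version in the advisory."
}
```

Because Windows 10/11 ship fixes as cumulative updates, the KB that matters is usually the latest cumulative update for that build, so the version comparison in step 3 is the check to trust when the KB list is inconclusive.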
Let's begin the exploitation:
Don't be confused: I am just logged in to this vulnerable machine with an administrator account. This will still work if you log in as a normal (non-admin) user and execute it the same way.
A successful exploitation gives you LPE to the SYSTEM account.
Vulnerable driver.
So patch your systems as soon as possible. As per Trend Micro, this vulnerability has been exploited since February 2022. Several ransomware groups have used it as a zero-day.
I hope you like this. Please subscribe below.
LinkedIn:
https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/
YouTube: