CLFS OOB write/increment EoP (CVE-2023-28252)¶
An out-of-bounds write in the CLFS base-log-file metadata-block extension path, exploited as a 0day by Nokoyawa ransomware operators to gain SYSTEM and deploy ransomware.
Mechanism¶
The invariant that is broken
The invariant is that a block's on-disk header must describe the block that was actually read. When CLFS extends a metadata block (in `CClfsBaseFilePersisted::ExtendMetadataBlock`, reached through `AddLogContainer`), it consumes `LogBlockHeader` fields exactly as they appear in the `.BLF` on disk, notably `ValidSectorCount` and `Record[0]` in the CONTROL and CONTROL_SHADOW blocks. Nothing re-validates those values against the block layout that really exists, so a header the attacker has tampered with is honoured as legitimate and steers an index past the end of the `m_rgBlocks` array. The resulting out-of-bounds write/increment corrupts whatever kernel state sits next to the array (CWE-787). Because the corrupted offsets are later followed as pointers, the attacker can arrange for their own structures to be treated as legitimate ones, growing a single increment into a kernel read/write primitive and from there into SYSTEM.
Walkthrough¶
Conceptual reproduction drawn from the public Securelist writeup. No exact offsets or turnkey exploit are given.

- Craft a malicious `.BLF` with manipulated CONTROL / CONTROL_SHADOW block headers (`ValidSectorCount`, `Record[0]`).
- Invoke container-add operations (`AddLogContainer`) so the metadata-block extension logic runs against the tampered structures.
- Drive the out-of-bounds (increment) write past the `m_rgBlocks` bounds to corrupt adjacent kernel state.
- Manipulate memory offsets so attacker-supplied structures are followed as legitimate pointers.
- Leak kernel addresses (e.g. via `NtQuerySystemInformation`) to stabilize exploitation across builds, including Windows 11. Note that this leak only works from a medium-integrity process; it is refused to low-integrity or sandboxed callers, so the exploit needs a normal user foothold first.
- Achieve kernel read/write, perform token theft, then deploy Nokoyawa ransomware and dump SAM/registry data.
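As an added illustration of the Mechanism and Walkthrough sections above (not the CLFS driver's code, whose real structures are far larger), the following C models the bug class: a metadata-block extension routine that trusts `ValidSectorCount` and `Record[0]` exactly as read from the `.BLF`, beside a hardened version that re-checks them against the block's real size before touching `m_rgBlocks`. `SECTOR_SIZE`, `MAX_BLOCKS`, the struct layouts, the sector-to-slot mapping and every helper name are hypothetical; the word that follows `m_rgBlocks` in the pool stands in for the adjacent kernel state the real exploit corrupts. The crafted header is constructed for the demo and is not taken from the Nokoyawa sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512u
#define MAX_BLOCKS  6u                 /* hypothetical: slots in m_rgBlocks */

/* Simplified, hypothetical block header carrying only the fields the page names. */
struct LogBlockHeader {
    uint32_t TotalSectorCount;         /* sectors the header says the block has */
    uint32_t ValidSectorCount;         /* sectors the header says are in use */
    uint32_t Record[2];                /* Record[0]: byte offset of the first record */
};

/* Hypothetical model of the kernel allocation holding the base-file object:
 * m_rgBlocks is the first MAX_BLOCKS words of pool, and the word after it
 * stands in for whatever kernel state happens to sit next to the array. */
struct BaseFile {
    uint32_t pool[MAX_BLOCKS + 1];
    uint32_t *m_rgBlocks;
    uint32_t *adjacent;
};

static void basefile_init(struct BaseFile *bf) {
    memset(bf->pool, 0, sizeof bf->pool);
    bf->m_rgBlocks = &bf->pool[0];
    bf->adjacent = &bf->pool[MAX_BLOCKS];
}

/* Vulnerable pattern (CWE-787): the slot is derived from header bytes read
 * straight out of the .BLF and used without a bounds check, so a crafted
 * Record[0] walks the increment past the end of m_rgBlocks. Returns the slot. */
static uint32_t extend_metadata_block_vuln(struct BaseFile *bf,
                                           const struct LogBlockHeader *hdr) {
    uint32_t slot = hdr->Record[0] / SECTOR_SIZE;
    bf->m_rgBlocks[slot]++;            /* OOB increment when slot >= MAX_BLOCKS */
    return slot;
}

/* Hardened form: measure the block as it was actually read (block_bytes) and
 * reject any header claim the real layout cannot back. Returns 0 on success,
 * -1 when the header is rejected as corrupt. */
static int extend_metadata_block_fixed(struct BaseFile *bf,
                                       const struct LogBlockHeader *hdr,
                                       size_t block_bytes) {
    if ((uint64_t)hdr->TotalSectorCount * SECTOR_SIZE != block_bytes)
        return -1;                     /* header disagrees with the bytes on disk */
    if (hdr->ValidSectorCount == 0 || hdr->ValidSectorCount > hdr->TotalSectorCount)
        return -1;                     /* claims more valid sectors than exist */
    if (hdr->Record[0] % SECTOR_SIZE != 0 ||
        hdr->Record[0] >= (uint64_t)hdr->ValidSectorCount * SECTOR_SIZE)
        return -1;                     /* first record outside the valid region */
    uint32_t slot = hdr->Record[0] / SECTOR_SIZE;
    if (slot >= MAX_BLOCKS)
        return -1;                     /* would index past m_rgBlocks */
    bf->m_rgBlocks[slot]++;
    return 0;
}

/* Constructed header standing in for a tampered CONTROL block: two sectors
 * really exist, but it claims eight and points Record[0] just past the array. */
static struct LogBlockHeader crafted_header(void) {
    struct LogBlockHeader h = {2, 8, {MAX_BLOCKS * SECTOR_SIZE, 0}};
    return h;
}

/* Value of the adjacent word after the vulnerable path processes the crafted header. */
static uint32_t adjacent_after_vuln_path(void) {
    struct BaseFile bf;
    struct LogBlockHeader h = crafted_header();
    basefile_init(&bf);
    extend_metadata_block_vuln(&bf, &h);
    return *bf.adjacent;
}

/* Return code of the hardened path for the crafted header (2 real sectors on disk). */
static int fixed_path_verdict_for_crafted(void) {
    struct BaseFile bf;
    struct LogBlockHeader h = crafted_header();
    basefile_init(&bf);
    return extend_metadata_block_fixed(&bf, &h, 2 * SECTOR_SIZE);
}

/* Return code of the hardened path for a header consistent with the block. */
static int fixed_path_verdict_for_valid(void) {
    struct BaseFile bf;
    struct LogBlockHeader h = {2, 2, {SECTOR_SIZE, 0}};
    basefile_init(&bf);
    return extend_metadata_block_fixed(&bf, &h, 2 * SECTOR_SIZE);
}

int main(void) {
    printf("vulnerable path: adjacent word = %u (was 0 before the crafted header)\n",
           adjacent_after_vuln_path());
    printf("fixed path, crafted header: %d\n", fixed_path_verdict_for_crafted());
    printf("fixed path, valid header:   %d\n", fixed_path_verdict_for_valid());
    return 0;
}
```

The point of the hardened version is the `block_bytes` argument: the only trustworthy measure of a block is how many bytes were actually read for it, and every header-derived count or offset has to be bounded by that before it is allowed to pick an index.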
Detection¶
- Artifact files at hardcoded paths: `C:\Users\Public\.container*`, `C:\Users\Public\MyLog*.blf`, `C:\Users\Public\p_*`.
- Kaspersky verdicts such as `PDM:Exploit.Win32.Generic` and `HEUR:Trojan-Ransom.Win32.Generic`.
- Suspicious SAM/registry hive access (`HKLM\SAM` dumping) by recently elevated processes.
- Presence of associated tooling (Cobalt Strike Beacon, PipeMagic backdoor).
- BLF handling from world-writable `Public` directories by non-system users. This is the more durable signal: the hardcoded names above belong to the observed sample and change trivially in a rebuilt exploit, whereas a `.blf` created under `C:\Users\Public` by anything other than SYSTEM is unusual regardless of name.
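The detection items above run over constructed sample events, as an added example that is not part of the original page or any vendor's rule set. It checks each file-create event against the three hardcoded artifact globs and, separately, against the behavioral rule (a `.blf` under `C:\Users\Public` written by a non-SYSTEM account), so a renamed artifact is still caught. The event record shape, the user names and all six sample paths are constructed for the demo; the glob matcher is hand-rolled because NTFS paths are case-insensitive and use backslashes, which `fnmatch()` would treat as escapes.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Artifact paths named in the public writeup, expressed as globs. */
static const char *const IOC_PATTERNS[] = {
    "C:\\Users\\Public\\.container*",
    "C:\\Users\\Public\\MyLog*.blf",
    "C:\\Users\\Public\\p_*",
};
#define IOC_COUNT (sizeof IOC_PATTERNS / sizeof IOC_PATTERNS[0])

/* Hypothetical record shape for a file-create event (user + full path). */
struct FileEvent {
    const char *user;
    const char *path;
};

/* Constructed sample telemetry, not real logs: one benign CLFS log written by
 * SYSTEM, the three artifact names, an unrelated file, and a renamed .blf that
 * the hardcoded patterns miss but the behavioral rule catches. */
static const struct FileEvent SAMPLE_EVENTS[] = {
    {"NT AUTHORITY\\SYSTEM", "C:\\Windows\\System32\\LogFiles\\Sum\\Api.blf"},
    {"CORP\\jdoe",           "C:\\Users\\Public\\MyLog00000001.blf"},
    {"CORP\\jdoe",           "C:\\Users\\Public\\.container00000001"},
    {"CORP\\jdoe",           "C:\\Users\\Public\\p_12345"},
    {"CORP\\jdoe",           "C:\\Users\\jdoe\\Documents\\notes.txt"},
    {"CORP\\svc_app",        "C:\\Users\\Public\\scratch\\worker.BLF"},
};
#define SAMPLE_COUNT (sizeof SAMPLE_EVENTS / sizeof SAMPLE_EVENTS[0])

static int lower(char c) { return tolower((unsigned char)c); }

/* Case-insensitive glob with '*' (any run) and '?' (one char). Backtracks to
 * the most recent '*' on mismatch, so it runs in O(len(pat) * len(s)). */
static int glob_match_ci(const char *pat, const char *s) {
    const char *star = NULL, *resume = NULL;
    while (*s) {
        if (*pat == '*') { star = pat++; resume = s; continue; }
        if (*pat == '?' || lower(*pat) == lower(*s)) { pat++; s++; continue; }
        if (star) { pat = star + 1; s = ++resume; continue; }
        return 0;
    }
    while (*pat == '*') pat++;
    return *pat == '\0';
}

static int starts_with_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (!*s || lower(*s) != lower(*prefix)) return 0;
    return 1;
}

static int ends_with_ci(const char *s, const char *suffix) {
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && starts_with_ci(s + ls - lx, suffix);
}

/* Index of the IOC pattern the path matches, or -1. */
static int ioc_match(const char *path) {
    for (size_t i = 0; i < IOC_COUNT; i++)
        if (glob_match_ci(IOC_PATTERNS[i], path)) return (int)i;
    return -1;
}

/* Behavioral rule from the page: a .blf created anywhere under the
 * world-writable Public profile by something other than SYSTEM. */
static int suspicious_blf(const struct FileEvent *ev) {
    return starts_with_ci(ev->path, "C:\\Users\\Public\\") &&
           ends_with_ci(ev->path, ".blf") &&
           strcmp(ev->user, "NT AUTHORITY\\SYSTEM") != 0;
}

/* Number of events flagged by either rule. */
static int count_flagged(const struct FileEvent *events, size_t n) {
    int flagged = 0;
    for (size_t i = 0; i < n; i++)
        if (ioc_match(events[i].path) >= 0 || suspicious_blf(&events[i])) flagged++;
    return flagged;
}

static int sample_flag_count(void) { return count_flagged(SAMPLE_EVENTS, SAMPLE_COUNT); }

int main(void) {
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        int ioc = ioc_match(SAMPLE_EVENTS[i].path);
        int blf = suspicious_blf(&SAMPLE_EVENTS[i]);
        printf("%-4s ioc=%2d blf=%d  %s\n", (ioc >= 0 || blf) ? "FLAG" : "ok",
               ioc, blf, SAMPLE_EVENTS[i].path);
    }
    printf("%d of %zu events flagged\n", sample_flag_count(), SAMPLE_COUNT);
    return 0;
}
```

Of the six constructed events, four are flagged: the three hardcoded artifacts and the renamed `worker.BLF`, which only the behavioral rule catches; the SYSTEM-owned log under `System32` and the unrelated document pass.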
Mitigation¶
- Apply the April 2023 Patch Tuesday update. CVE-2023-28252 is listed in the CISA KEV catalog, so remediation is mandated for U.S. federal civilian agencies under BOD 22-01 and should be treated as urgent everywhere else.
- Alert on / block the known IOC file paths under `C:\Users\Public`.
- Run EDR in block mode with behavioral detection for token-swap / EoP patterns.
- Apply network controls and detection for Cobalt Strike / PipeMagic C2.
- Enforce least privilege and monitor CLFS log-file creation by untrusted accounts.