
CLFS OOB write/increment EoP (CVE-2023-28252)

An out-of-bounds write in the CLFS base-log-file metadata-block extension path, exploited as a 0day by Nokoyawa ransomware operators to gain SYSTEM and deploy ransomware.

Mechanism

The invariant that is broken

When CLFS extends a metadata block (in CClfsBaseFilePersisted::ExtendMetadataBlock, reached during AddLogContainer), it relies on LogBlockHeader fields — notably ValidSectorCount and Record[0] across the CONTROL and CONTROL_SHADOW blocks — that the attacker has tampered with inside the .BLF. Because these values are not re-validated against the real block layout, crafted log elements are treated as legitimate and drive out-of-bounds access into the m_rgBlocks array. The resulting out-of-bounds write/increment corrupts adjacent kernel state; by redirecting offsets so attacker-controlled structures are followed as legitimate pointers, the bug is escalated to kernel read/write and SYSTEM (CWE-787).

Walkthrough

Conceptual reproduction drawn from the public Securelist writeup. No exact offsets or turnkey exploit are given.

  1. Craft a malicious .BLF with manipulated CONTROL / CONTROL_SHADOW block headers (ValidSectorCount, Record[0]).
  2. Invoke container-add operations so the metadata-block extension logic runs against the tampered structures.
  3. Drive the out-of-bounds (increment) write past the m_rgBlocks bounds to corrupt adjacent kernel state.
  4. Manipulate memory offsets so attacker-supplied structures are followed as legitimate pointers.
  5. Leak kernel addresses (e.g. via NtQuerySystemInformation) to stabilize exploitation across builds, including Windows 11.
  6. Achieve kernel read/write, perform token theft, then deploy Nokoyawa ransomware and dump SAM/registry data.

Detection

  • Artifact files at hardcoded paths: C:\Users\Public\.container*, C:\Users\Public\MyLog*.blf, C:\Users\Public\p_*.
  • Kaspersky verdicts such as PDM:Exploit.Win32.Generic and HEUR:Trojan-Ransom.Win32.Generic.
  • Suspicious SAM/registry hive access (HKLM\SAM dumping) by recently elevated processes.
  • Presence of associated tooling (Cobalt Strike Beacon, PipeMagic backdoor).
  • BLF handling from world-writable Public directories by non-system users.
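As an added illustration of the detection points above (example code, not from the original page or from Kaspersky), the following Python matches file-creation events against the reported artifact paths and separately flags any BLF dropped in C:\Users\Public by a non-system account. The key=value event format, the sample events and the set of accounts treated as "system" are assumptions made for the example:

```python
import fnmatch
import re

# Artifact names under C:\Users\Public reported for this campaign (from the page), lower-cased.
IOC_DIR = r"c:\users\public"
IOC_PATTERNS = [".container*", "mylog*.blf", "p_*"]
# Assumed accounts that legitimately create CLFS files; any other account dropping
# a .blf in Public is flagged even when the name matches no known IOC.
SYSTEM_ACCOUNTS = {r"nt authority\system", r"nt authority\local service",
                   r"nt authority\network service"}
# Constructed key=value record format standing in for a Sysmon Event ID 11 (FileCreate) event.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn 'Key=Value Key2="quoted value"' into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def match_ioc(path):
    """Return the IOC pattern a full path matches, or None if it is not a known artifact."""
    directory, _, name = path.lower().rpartition("\\")
    if directory != IOC_DIR:
        return None
    return next((p for p in IOC_PATTERNS if fnmatch.fnmatchcase(name, p)), None)

def scan(lines):
    """Return (path, user, reason) for each FileCreate event that deserves an alert."""
    hits = []
    for ev in map(parse_event, lines):
        if ev.get("EventID") != "11":  # only FileCreate records
            continue
        path, user = ev.get("TargetFilename", ""), ev.get("User", "").lower()
        directory, _, name = path.lower().rpartition("\\")
        pat = match_ioc(path)
        if pat:
            hits.append((path, user, f"known IOC pattern {pat}"))
        elif directory == IOC_DIR and name.endswith(".blf") and user not in SYSTEM_ACCOUNTS:
            hits.append((path, user, "BLF created in Public by non-system account"))
    return hits

# Constructed sample events; the first three should alert, the last three should not.
SAMPLE_EVENTS = [
    'EventID=11 User="CORP\\alice" TargetFilename="C:\\Users\\Public\\MyLog.blf"',
    'EventID=11 User="CORP\\alice" TargetFilename="C:\\Users\\Public\\.container00"',
    'EventID=11 User="CORP\\bob" TargetFilename="C:\\Users\\Public\\other.blf"',
    'EventID=11 User="NT AUTHORITY\\SYSTEM" TargetFilename="C:\\Users\\Public\\sys.blf"',
    'EventID=11 User="CORP\\alice" TargetFilename="C:\\Users\\alice\\notes.txt"',
    'EventID=1 User="CORP\\alice" TargetFilename="C:\\Users\\Public\\p_1"',
]
if __name__ == "__main__":
    print(*scan(SAMPLE_EVENTS), sep="\n")
```

The path match is deliberately restricted to the Public directory itself, so the same file names in other locations do not raise a false alert.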

Mitigation

  • Apply the April 2023 Patch Tuesday fix (CVE-2023-28252 is listed in CISA's KEV catalog, so remediation is mandatory for organizations bound by that directive).
  • Alert on / block the known IOC file paths under C:\Users\Public.
  • Run EDR in block mode with behavioral detection for token-swap / EoP patterns.
  • Apply network controls and detection for Cobalt Strike / PipeMagic C2.
  • Enforce least privilege and monitor CLFS log-file creation by untrusted accounts.

References