Add in Exploit for CVE-2021-36955 - Microsoft Windows Common Log File System Driver Elevation of Privilege Vulnerability Exploit #17961
I've read through the PoC you've provided and don't have a full understanding of how this exploit works, granted my C skills aren't that sharp (pun very much intended). Couldn't find any blog post or articles explaining the flaw in the software either. I am new to exploit development but not to Ruby; would developing this module merely be translating his C code over to Ruby? In the meantime I will be reading up on the Windows CLFS!
Hi @gardnerapp, most likely this would involve wrapping the original C code into a reflective DLL using the steps listed at https://github.com/rapid7/metasploit-framework/tree/c44fb61c9a8a9be54b99a36f2c09f162fc64d261/external/source/rdll_template. This would be a step done after verifying that the PoC works, though. Unfortunately I'm not sure which system this exploit was targeting, which is a bit concerning 😅. You might be able to determine it by looking at undefined structure definitions using tools such as https://www.geoffchappell.com/ or https://www.vergiliusproject.com/ to see if the structures specifically match some version of the Windows kernel. Kernel exploits aren't generally the easiest place to start as a new exploit developer; however, if you're interested I can try to assist on this one. There are some general concepts I see in the exploit that are familiar to me, having worked on kernel exploits before, so I'd be happy to answer some general questions. Anything more specific may require me taking some time to dive into the code a bit more, though, but feel free to ask about them.
Within the POC you provided there is an enum type defined for the
Some of the fields within this struct vary within each version of the kernel and I am in the process of trying to figure out which fields are and are not present in each version of the Kernel. This will hopefully shed some light as to which version of the Kernel this specific exploit is targeting. Obviously this exploit is meant to target Windows systems with the A few questions we need to answer:
I appreciate your help, sir; unfortunately I am running on an OSX system with an ARM chip, which means it is damn near impossible to properly run a VM and test the PoC. What is the best way to test the PoC? Should I just spin up remote systems on the cloud with the different kernel versions? Also, I do not work with Visual Studio on my OSX; is there another way I can configure the reflective DLL without VSC?
Unfortunately OSX with ARM is going to be hard. Particularly for kernel research, it's best to have a host system that is the same as the target that you are trying to debug. You might be able to get away with doing serial port or, on newer Windows, network kernel debugging between two VMs, but if you're unable to run VMs on Apple ARM then I'd consider getting another machine for research. I think there is some better virtualization available, but even at our company we try to avoid Apple ARM due to the virtualization issues causing too much hassle. There is no good way to do the reflective DLL without VS unfortunately, as it was designed to be built using Visual Studio.
This report details the systems affected by CVE-2021-36955.
Summary
A bug exists in the Common Log File System Driver, aka clfs.sys, which allows for elevation of privilege to the SYSTEM user.
Basic example
PoC at https://github.com/JiaJinRong12138/CVE-2021-36955-EXP
Motivation
Core Impact has added a PoC to their tools, and there is a public PoC we can port over into Metasploit. Additionally, this vulnerability is known to have been exploited in the wild.