CVE-2023–28252: Analysis of In-the-Wild Exploit Sample of CLFS Privilege Escalation Vulnerability

Overview

Kaspersky has disclosed [1] that the 0day vulnerability CVE-2023–28252 is an out-of-bounds write (increment) vulnerability, which can be exploited to obtain system privileges in Windows when the target system attempts to extend a metadata block. The exploitation process starts by altering the base log file so that an offset value in a specific Common Log File System (CLFS) structure in memory is changed into an offset pointing towards a malicious structure controlled by attackers. The CLFS structure is part of CLFS general-purpose logging system consisting of physical log files, log streams, log records and more.

The privilege escalation vulnerability has been exploited in the wild by the Nokoyawa ransomware group to obtain system privileges on target hosts before deploying their ransomware.

Microsoft [2] patched the vulnerability on April Patch Tuesday and identifying it as CVE-2023–28252. The following screenshot shows the exploit achieving elevation of privilege before the patch was applied.

Exploit Sample Analysis

The sample itself is protected by Themida, so anti-debugging needs to be bypassed while debugging. After that, the sample analysis is…