CVE: CVE-2020-0634

Tested Versions:

  • Windows RS2 (2019.01.08) build 7763
  • ntoskrnl.exe file version 10.0.17763.195, MD5: 4a8bc8a4b90486a5567fb6c6bf93ab6b

Product URL(s):

Description of the vulnerability

An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system.

Running the POC produces random behaviour and a BSOD. It appears that the thread object is freed and its memory is reused for a new object, which is then treated as a valid thread object; because many kernel code paths access thread objects, the resulting BSOD occurs at a random address.

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

REFERENCE_BY_POINTER (18)
Arguments:
Arg1: 0000000000000000, Object type of the object whose reference count is being lowered
Arg2: ffffe000c3d90800, Object whose reference count is being lowered
Arg3: 0000000000000010, Reserved
Arg4: 0000000000000001, Reserved
	The reference count of an object is illegal for the current state of the object.
	Each time a driver uses a pointer to an object the driver calls a kernel routine
	to increment the reference count of the object. When the driver is done with the
	pointer the driver calls another kernel routine to decrement the reference count.
	Drivers must match calls to the increment and decrement routines. This bugcheck
	can occur because an object's reference count goes to zero while there are still
	open handles to the object, in which case the fourth parameter indicates the number
	of opened handles. It may also occur when the object's reference count drops below zero
	whether or not there are open handles to the object, and in that case the fourth parameter
	contains the actual value of the pointer references count.

Debugging Details:
------------------


KEY_VALUES_STRING: 1


PROCESSES_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1


DUMP_CLASS: 1

DUMP_QUALIFIER: 0

BUILD_VERSION_STRING:  10586.0.amd64fre.th2_release.151029-1700

DUMP_TYPE:  0

BUGCHECK_P1: 0

BUGCHECK_P2: ffffe000c3d90800

BUGCHECK_P3: 10

BUGCHECK_P4: 1

CPU_COUNT: 2

CPU_MHZ: 8a0

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 9e

CPU_STEPPING: a

CPU_MICROCODE: 6,9e,a,0 (F,M,S,R)  SIG: 96'00000000 (cache) 96'00000000 (init)

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  0x18

PROCESS_NAME:  ConsoleApplication1.exe

CURRENT_IRQL:  0

ANALYSIS_SESSION_HOST:  MEYSAMFIROUAC30

ANALYSIS_SESSION_TIME:  01-09-2019 17:26:31.0642

ANALYSIS_VERSION: 10.0.18303.1000 amd64fre

LAST_CONTROL_TRANSFER:  from fffff800d29c814a to fffff800d294d6d0

STACK_TEXT:  
ffffd000`2ea2ef68 fffff800`d29c814a : 00000000`00000000 00000000`00000018 ffffd000`2ea2f0d0 fffff800`d28dcd20 : nt!DbgBreakPointWithStatus
ffffd000`2ea2ef70 fffff800`d29c7b1b : 00000000`00000003 ffffd000`2ea2f0d0 fffff800`d2954c00 00000000`00000018 : nt!KiBugCheckDebugBreak+0x12
ffffd000`2ea2efd0 fffff800`d2948084 : 00000000`00000000 fffff800`00000041 ffffcf80`e9f04f90 ffffd000`2ea304b0 : nt!KeBugCheck2+0x893
ffffd000`2ea2f6e0 fffff800`d295a4bf : 00000000`00000018 00000000`00000000 ffffe000`c3d90800 00000000`00000010 : nt!KeBugCheckEx+0x104
ffffd000`2ea2f720 fffff800`d2871e8c : 00000000`00000002 ffffd000`0000002b fffffa80`00000041 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x3bbf
ffffd000`2ea2f760 fffff800`d2871c42 : ffffd000`2ea2f8f0 ffffe000`c402b080 00000000`00000000 fffff800`d2850600 : nt!ExpApplyPriorityBoost+0x19c
ffffd000`2ea2f820 fffff800`d285292d : ffffcf80`e9f04f90 ffffd000`2ea2f8f0 ffffcf80`00000003 ffffe000`00010244 : nt!ExpWaitForResource+0xc2
ffffd000`2ea2f8b0 fffff800`d2ece1d9 : ffffe000`c2c4f202 ffffe000`c2c4f250 ffffcf80`e9f04f90 00000000`00000001 : nt!ExAcquireResourceSharedLite+0x32d
ffffd000`2ea2f940 fffff800`a84bee77 : ffffe000`c2c4f250 00000000`00000001 fffff800`d2bfa328 fffff800`d2ece161 : nt!VerifierExAcquireResourceSharedLite+0x35
ffffd000`2ea2f980 fffff800`a8496a91 : ffffcf80`e978ee40 ffffe000`c3a96b30 00000000`0012019f ffffcf80`00000000 : CLFS!CClfsBaseFilePersisted::CheckSecureAccess+0x57
ffffd000`2ea2fa40 fffff800`a84bbeba : ffffe000`c2c4f000 00000000`00000000 ffffe000`c3a96b30 00000000`0012019f : CLFS!CClfsLogFcbPhysical::Initialize+0x169
ffffd000`2ea2fb70 fffff800`a84bc6ec : ffffcf80`e6e6eee0 ffffe000`c3a90000 00000000`00000003 ffffe000`c3530100 : CLFS!CClfsRequest::Create+0x272
ffffd000`2ea2fcb0 fffff800`a84bae83 : ffffcf80`e6e6eee0 ffffe000`c40b0500 00000000`6d4e6f49 fffff800`d2a3722a : CLFS!CClfsRequest::Dispatch+0x98
ffffd000`2ea2fd20 fffff800`a84bade1 : ffffe000`c40b0520 ffffe000`c40b0520 ffffe000`c2554290 00000000`00000801 : CLFS!ClfsDispatchIoRequest+0x83
ffffd000`2ea2fd70 fffff800`d2eb9cbc : ffffe000`c40b0520 00000000`00000000 00000000`00000000 00000000`00000000 : CLFS!CClfsDriver::LogIoDispatch+0x21
ffffd000`2ea2fda0 fffff800`d2855cf2 : 00000000`00000084 ffffd000`2ea300f0 00000000`00000000 00000000`0012019f : nt!IovCallDriver+0x50
ffffd000`2ea2fde0 fffff800`d2bfa328 : 00000000`00000084 ffffd000`2ea300f0 00000000`00000000 00000000`00000189 : nt!IofCallDriver+0x72
ffffd000`2ea2fe20 fffff800`d2bf0c96 : ffffc001`54e162d8 ffffc001`54e162d8 ffffd000`2ea300f0 ffffe000`c2554260 : nt!IopParseDevice+0x7c8
ffffd000`2ea2fff0 fffff800`d2bef69c : ffffe000`c3a96b00 ffffd000`2ea30200 00000000`00000242 ffffe000`c0d0ab00 : nt!ObpLookupObjectName+0x776
ffffd000`2ea30190 fffff800`d2c188c8 : 00000000`00000001 ffffe000`c3a90010 00000000`00000000 00000000`00000000 : nt!ObOpenObjectByNameEx+0x1ec
ffffd000`2ea302b0 fffff800`d2c17e58 : ffffd000`2ea30538 ffffe000`c0e96398 ffffd000`2ea305e8 ffffd000`2ea305a0 : nt!IopCreateFile+0x3d8
ffffd000`2ea30360 fffff800`d2c9561d : ffffd000`2ea305a0 00000000`c0000000 00000000`0000004e 00000000`00000028 : nt!IoCreateFileEx+0x120
ffffd000`2ea303f0 fffff800`a84ba647 : 00000000`00000000 ffffe000`c3c580d0 00000000`00000000 00000000`c0000000 : nt!IoCreateFileSpecifyDeviceObjectHint+0xf1
ffffd000`2ea304b0 fffff800`a850d13e : ffffe000`c3c580e8 ffffe000`c3c580d0 00000000`00000000 ffffe000`c3c58060 : CLFS!ClfsCreateLogFile+0x4a7
ffffd000`2ea30690 fffff800`a850cfda : ffffe000`c3c58300 ffffe000`c3c58060 00000000`00000001 ffffd000`2ea30968 : tm!TmpCreateLogFile+0x146
ffffd000`2ea30810 fffff800`a850b52e : ffffe000`c3c58060 ffffe000`c3c580d0 00000000`00000000 00000000`00000000 : tm!TmpCreateOrOpenLogTransactionManager+0x1e
ffffd000`2ea30850 fffff800`a850b17d : 000000e9`abeff9f0 00000000`00000000 ffffd000`2ea30a80 ffffcf80`ea364f01 : tm!TmInitializeTransactionManagerExt+0x20e
ffffd000`2ea308f0 fffff800`d29527a3 : ffffe000`c402b080 000000e9`abeff998 ffffd000`2ea309a8 00000000`00000000 : tm!NtCreateTransactionManagerExt+0xed
ffffd000`2ea30990 00007ff9`ff116484 : 00007ff6`67c215cd 0000028a`28ddfcc0 000000e9`abeffa80 0000028a`28ddfd00 : nt!KiSystemServiceCopyEnd+0x13
000000e9`abeff978 00007ff6`67c215cd : 0000028a`28ddfcc0 000000e9`abeffa80 0000028a`28ddfd00 00007ff9`ff08ced0 : ntdll!NtCreateTransactionManager+0x14
000000e9`abeff980 0000028a`28ddfcc0 : 000000e9`abeffa80 0000028a`28ddfd00 00007ff9`ff08ced0 00000000`00000000 : ConsoleApplication1+0x15cd
000000e9`abeff988 000000e9`abeffa80 : 0000028a`28ddfd00 00007ff9`ff08ced0 00000000`00000000 00007ff6`00000000 : 0x0000028a`28ddfcc0
000000e9`abeff990 0000028a`28ddfd00 : 00007ff9`ff08ced0 00000000`00000000 00007ff6`00000000 00000003`eb0d63f8 : 0x000000e9`abeffa80
000000e9`abeff998 00007ff9`ff08ced0 : 00000000`00000000 00007ff6`00000000 00000003`eb0d63f8 0000028a`28ddfd00 : 0x0000028a`28ddfd00
000000e9`abeff9a0 00000000`00000000 : 00007ff6`00000000 00000003`eb0d63f8 0000028a`28ddfd00 0000028a`28ddfcc0 : ntdll!RtlInitUnicodeString


THREAD_SHA1_HASH_MOD_FUNC:  2dffe51fe74bb35bc86aba3b026ced0f29a42b5e

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  72a157fce1592e26521a00445ae7e3441159783a

THREAD_SHA1_HASH_MOD:  12556f74a075ddaaf45e1fcc372a8d23ad2b356c

FOLLOWUP_IP: 
CLFS!CClfsBaseFilePersisted::CheckSecureAccess+57
fffff800`a84bee77 448ae0          mov     r12b,al

FAULT_INSTR_CODE:  88e08a44

SYMBOL_STACK_INDEX:  9

SYMBOL_NAME:  CLFS!CClfsBaseFilePersisted::CheckSecureAccess+57

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: CLFS

IMAGE_NAME:  CLFS.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  5632d172

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  57

FAILURE_BUCKET_ID:  0x18_VRF_CLFS!CClfsBaseFilePersisted::CheckSecureAccess

BUCKET_ID:  0x18_VRF_CLFS!CClfsBaseFilePersisted::CheckSecureAccess

PRIMARY_PROBLEM_CLASS:  0x18_VRF_CLFS!CClfsBaseFilePersisted::CheckSecureAccess

TARGET_TIME:  2019-01-09T09:24:03.000Z

OSBUILD:  10586

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  2015-10-29 19:15:45

BUILDDATESTAMP_STR:  151029-1700

BUILDLAB_STR:  th2_release

BUILDOSVER_STR:  10.0.10586.0.amd64fre.th2_release.151029-1700

ANALYSIS_SESSION_ELAPSED_TIME:  44c

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x18_vrf_clfs!cclfsbasefilepersisted::checksecureaccess

FAILURE_ID_HASH:  {6812db28-ebfa-a4a4-f477-643df23b0b7f}

Followup:     MachineOwner
---------

The Kernel Transaction Manager driver (TM.sys) uses a BLF binary log file, handled by the CLFS.sys driver, as its log system. A modified BLF file that CLFS.sys cannot parse correctly leads to a BSOD.

Microsoft added a new mitigation that prevents opening BLF files from a low integrity level (IL).

In order to exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

Timeline

  • 2019-10-08 Vulnerability reported to vendor
  • 2020-01-15 Coordinated public release of advisory