Rapid7 Vulnerability & Exploit Database

Windows Common Log File System Driver (clfs.sys) Elevation of Privilege Vulnerability

Back to Search

Windows Common Log File System Driver (clfs.sys) Elevation of Privilege Vulnerability



A privilege escalation vulnerability exists in the clfs.sys driver which comes installed by default on Windows 10 21H2, Windows 11 21H2 and Windows Server 20348 operating systems. The clfs.sys driver contains a function CreateLogFile that is used to create open and edit '*.blf' (base log format) files. Inside a .blf file there are multiple blocks of data which contain checksums to verify the integrity of the .blf file and to ensure the file looks and acts like a .blf file. However, these files can be edited with CreateFileA or with fopen and then modified with WriteFile or fwrite respectively in order to change the contents of the file and update their checksums accordingly. This exploit makes use to two different kinds of specially crafted .blf files that are edited using the technique mentioned above. There are multiple spray .blf files. The spray .blf files are specially crafted to initiate an out of bounds read which reads from a contiguous block of memory. The block of memory it reads from contains a read-write pipe that points to the address of the second type of .blf file - the trigger .blf file. The trigger .blf file is specially crafted read the SYSTEM token and write it in the process of the exploit to achieve the local privilege escalation. The exploits creates a controlled memory space by first looping over the CreatePipe function to to create thousands of read-write pipes (which take up 0x90 bytes of memory). It then releases a certain number of pipes from memory and calls CreateLogFile to open the pre-existing spray .blf files which when being opened fill the 0x90 byte gaps created by the deallocation of the pipes in memory, creating the controlled memory space. This is a very brief and high overview description of what the exploit is actually doing. For a more detailed and in depth analysis please refer to the following [reference](https://github.com/fortra/CVE-2023-28252).


  • Ricardo Narvaja
  • Esteban.kazimirow
  • jheysel-r7






Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/local/cve_2023_28252_clfs_driver
msf exploit(cve_2023_28252_clfs_driver) > show targets
msf exploit(cve_2023_28252_clfs_driver) > set TARGET < target-id >
msf exploit(cve_2023_28252_clfs_driver) > show options
    ...show and set options...
msf exploit(cve_2023_28252_clfs_driver) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security