Windows CLFS日志提权漏洞分析与教学文档<\/h1>

1. CLFS基础概念<\/h2>

1.1 CLFS概述<\/h3>
Common Log File System (CLFS)是Windows提供的高性能、通用日志文件子系统，允许专用客户机应用程序使用，多个客户机可以共享以优化日志访问。<\/p>

1.2 关键API<\/h3>

CLFSUSER_API HANDLE CreateLogFile<\/span>(
<\/span><\/span>  [in] LPCWSTR pszLogFileName,
<\/span><\/span>  [in] ACCESS_MASK fDesiredAccess,
<\/span><\/span>  [in] DWORD dwShareMode,
<\/span><\/span>  [in, optional] LPSECURITY_ATTRIBUTES psaLogFile,
<\/span><\/span>  [in] ULONG fCreateDisposition,
<\/span><\/span>  [in] ULONG fFlagsAndAttributes
<\/span><\/span>);
<\/span><\/span><\/code><\/pre>1.3 CLFS数据结构类型<\/h3>

存储在内核态内存中并附加到对象(如附加到File object的FCB)<\/li>
临时存储在用户态或内核态调用者内存中<\/li>
持久化存储在磁盘上的基本日志文件(BLF)<\/li>
<\/ol>
2. 关键数据结构<\/h2>
2.1 LOG_BLOCK结构<\/h3>
typedef<\/span> struct<\/span> _CLFS_LOG_BLOCK_HEADER {
<\/span><\/span>    UCHAR MajorVersion;
<\/span><\/span>    UCHAR MinorVersion;
<\/span><\/span>    UCHAR Usn;
<\/span><\/span>    CLFS_CLIENT_ID ClientId;
<\/span><\/span>    USHORT TotalSectorCount;
<\/span><\/span>    USHORT ValidSectorCount;
<\/span><\/span>    ULONG Padding;
<\/span><\/span>    ULONG Checksum;  \/\/ CRC32校验和
<\/span><\/span><\/span><\/span>    ULONG Flags;
<\/span><\/span>    CLFS_LSN CurrentLsn;
<\/span><\/span>    CLFS_LSN NextLsn;
<\/span><\/span>    ULONG RecordOffsets[16<\/span>];  \/\/ 日志块中记录的偏移量数组
<\/span><\/span><\/span><\/span>    ULONG SignaturesOffset;   \/\/ 签名数组偏移
<\/span><\/span><\/span><\/span>} CLFS_LOG_BLOCK_HEADER, *<\/span>PCLFS_LOG_BLOCK_HEADER;
<\/span><\/span><\/code><\/pre>2.2 BASE_RECORD结构<\/h3>
typedef<\/span> struct<\/span> _CLFS_BASE_RECORD_HEADER {
<\/span><\/span>    CLFS_METADATA_RECORD_HEADER hdrBaseRecord;
<\/span><\/span>    CLFS_LOG_ID cidLog;
<\/span><\/span>    ULONGLONG rgClientSymTbl[CLIENT_SYMTBL_SIZE];
<\/span><\/span>    ULONGLONG rgContainerSymTbl[CONTAINER_SYMTBL_SIZE];
<\/span><\/span>    ULONGLONG rgSecuritySymTbl[SHARED_SECURITY_SYMTBL_SIZE];
<\/span><\/span>    ULONG cNextContainer;
<\/span><\/span>    CLFS_CLIENT_ID cNextClient;
<\/span><\/span>    ULONG cFreeContainers;
<\/span><\/span>    ULONG cActiveContainers;  \/\/ 当前活跃容器数
<\/span><\/span><\/span><\/span>    ULONG cbFreeContainers;
<\/span><\/span>    ULONG cbBusyContainers;
<\/span><\/span>    ULONG rgClients[MAX_CLIENTS_DEFAULT];
<\/span><\/span>    ULONG rgContainers[MAX_CONTAINERS_DEFAULT];  \/\/ 容器上下文偏移数组
<\/span><\/span><\/span><\/span>    ULONG cbSymbolZone;  \/\/ 关键字段，用于计算新增容器应略过的空间
<\/span><\/span><\/span><\/span>    ULONG cbSector;
<\/span><\/span>    USHORT bUnused;
<\/span><\/span>    CLFS_LOG_STATE eLogState;
<\/span><\/span>    UCHAR cUsn;
<\/span><\/span>    UCHAR cClients;
<\/span><\/span>} CLFS_BASE_RECORD_HEADER, *<\/span>PCLFS_BASE_RECORD_HEADER;
<\/span><\/span><\/code><\/pre>2.3 CONTAINER_CONTEXT结构<\/h3>
typedef<\/span> struct<\/span> _CLFS_CONTAINER_CONTEXT {
<\/span><\/span>    CLFS_NODE_ID cidNode;
<\/span><\/span>    ULONGLONG cbContainer;
<\/span><\/span>    CLFS_CONTAINER_ID cidContainer;
<\/span><\/span>    CLFS_CONTAINER_ID cidQueue;
<\/span><\/span>    union<\/span> {
<\/span><\/span>        CClfsContainer*<\/span> pContainer;  \/\/ 关键指针，指向内核对象
<\/span><\/span><\/span><\/span>        ULONGLONG ullAlignment;
<\/span><\/span>    };
<\/span><\/span>    CLFS_USN usnCurrent;
<\/span><\/span>    CLFS_CONTAINER_STATE eState;
<\/span><\/span>    ULONG cbPrevOffset;
<\/span><\/span>    ULONG cbNextOffset;
<\/span><\/span>} CLFS_CONTAINER_CONTEXT, *<\/span>PCLFS_CONTAINER_CONTEXT;
<\/span><\/span><\/code><\/pre>2.4 CONTROL_RECORD结构<\/h3>
typedef<\/span> struct<\/span> _CLFS_CONTROL_RECORD {
<\/span><\/span>    CLFS_METADATA_RECORD_HEADER hdrControlRecord;
<\/span><\/span>    ULONGLONG ullMagicValue;
<\/span><\/span>    ULONG Version;
<\/span><\/span>    CLFS_EXTEND_STATE eExtendState;  \/\/ 扩展状态
<\/span><\/span><\/span><\/span>    USHORT iExtendBlock;  \/\/ 扩展块索引
<\/span><\/span><\/span><\/span>    USHORT iFlushBlock;   \/\/ 正在写入的块索引
<\/span><\/span><\/span><\/span>    ULONG cNewBlockSectors;  \/\/ 新块大小(扇区)
<\/span><\/span><\/span><\/span>    ULONG cExtendStartSectors;  \/\/ 原始块大小
<\/span><\/span><\/span><\/span>    ULONG cExtendSectors;  \/\/ 添加的扇区数
<\/span><\/span><\/span><\/span>    CLFS_TRUNCATE_CONTEXT cxTruncate;
<\/span><\/span>    ULONG cBlocks;  \/\/ 块数量
<\/span><\/span><\/span><\/span>    ULONG cReserved;
<\/span><\/span>    CLFS_METADATA_BLOCK rgBlocks[6<\/span>];  \/\/ 元数据块数组
<\/span><\/span><\/span><\/span>} CLFS_CONTROL_RECORD;
<\/span><\/span><\/code><\/pre>2.5 METADATA_BLOCK结构<\/h3>
typedef<\/span> struct<\/span> _CLFS_METADATA_BLOCK {
<\/span><\/span>    ULONGLONG pbImage;  \/\/ 图像指针
<\/span><\/span><\/span><\/span>    ULONG cbImage;      \/\/ 图像大小
<\/span><\/span><\/span><\/span>    ULONG cbOffset;     \/\/ 偏移量
<\/span><\/span><\/span><\/span>    CLFS_METADATA_BLOCK_TYPE eBlockType;
<\/span><\/span>    ULONG Padding;
<\/span><\/span>} CLFS_METADATA_BLOCK;
<\/span><\/span><\/code><\/pre>3. 关键函数分析<\/h2>
3.1 编码\/解码函数<\/h3>

ClfsEncodeBlock<\/code>: 对日志块进行编码<\/li>
ClfsDecodeBlock<\/code>: 对日志块进行解码<\/li>
ClfsEncodeBlockPrivate<\/code>: 内部编码函数<\/li>
CCrc32::ComputeCrc32<\/code>: 计算CRC32校验和<\/li>
<\/ul>
3.2 容器操作函数<\/h3>

CClfsBaseFilePersisted::LoadContainerQ<\/code><\/li>
CClfsBaseFilePersisted::RemoveContainer<\/code><\/li>
CClfsBaseFilePersisted::FlushImage<\/code><\/li>
CClfsBaseFilePersisted::WriteMetadataBlock<\/code><\/li>
CClfsBaseFilePersisted::ReadImage<\/code><\/li>
CClfsBaseFilePersisted::OpenImage<\/code><\/li>
CClfsBaseFilePersisted::ExtendMetadataBlock<\/code><\/li>
CClfsBaseFilePersisted::FlushControlRecord<\/code><\/li>
CClfsBaseFile::GetControlRecord<\/code><\/li>
<\/ul>
4. 漏洞分析<\/h2>
4.1 CVE-2022-24521<\/h3>
漏洞位置<\/strong>: CClfsBaseFilePersisted::LoadContainerQ<\/code><\/p>
漏洞成因<\/strong>:<\/p>

当CLFS_CONTAINER_CONTEXT->cidQueue<\/code>为-1时，pContainer<\/code>被置0<\/li>
调用RemoveContainer<\/code> -> FlushImage<\/code> -> WriteMetadataBlock<\/code><\/li>
ClfsEncodeBlock<\/code>编码时会将每0x200字节的后两字节写入SignaturesOffset<\/code><\/li>
通过修改SignaturesOffset<\/code>使其与pContainer<\/code>指针相交，编码时覆盖pContainer<\/code><\/li>
最终FlushImage<\/code>调用被覆盖的pContainer<\/code>导致RIP控制<\/li>
<\/ol>
4.2 CVE-2022-30220<\/h3>
漏洞位置<\/strong>: CClfsBaseFilePersisted::ReadImage<\/code><\/p>
漏洞成因<\/strong>:<\/p>

对cBlocks<\/code>值校验不足(if (cBlocks > 6u)<\/code>)<\/li>
分配24和2大小的池空间后执行memmove<\/code><\/li>
当cBlocks<\/code>值异常导致分配0大小空间<\/li>
后续操作未初始化空间导致崩溃<\/li>
<\/ol>
4.3 CVE-2022-37969<\/h3>
漏洞位置<\/strong>: CClfsBaseFilePersisted::AllocSymbol<\/code><\/p>
漏洞成因<\/strong>:<\/p>

直接使用BLF文件中的cbSymbolZone<\/code>值无严格边界检查<\/li>
通过操作cbSymbolZone<\/code>可改写container和pContainer<\/code>指针<\/li>
绕过cbSymbolZone<\/code>与SignaturesOffset<\/code>的比较验证<\/li>
memset()<\/code>导致越界写入，破坏CLFS_CONTAINER_CONTEXT<\/code>结构<\/li>
<\/ol>
4.4 CVE-2023-23376<\/h3>
漏洞位置<\/strong>: CClfsBaseFilePersisted::OpenImage<\/code>和ExtendMetadataBlock<\/code><\/p>
漏洞成因<\/strong>:<\/p>

OpenImage<\/code>检查iExtendBlock<\/code>和iFlushBlock<\/code>应小于6<\/li>
ExtendMetadataBlock<\/code>不检查这些索引<\/li>
通过修改CLFS_CONTROL_RECORD<\/code>中的eExtendState<\/code>等字段<\/li>
递增DumpCount<\/code>使ClfsEncodeBlock<\/code>覆盖RecordOffsets[0]<\/code><\/li>
执行被修改的CLFS_CONTROL_RECORD<\/code><\/li>
<\/ol>
4.5 CVE-2023-28252<\/h3>
漏洞成因<\/strong>:<\/p>

WriteMetadataBlock<\/code>调用ClfsEncodeBlock<\/code>时校验和置0<\/li>
ClfsEncodeBlockPrivate<\/code>检测异常返回错误码但不更新校验和<\/li>
元数据块校验和为0绕过OpenImage<\/code>检查<\/li>
CreateLogFile<\/code>调用CheckSecureAccess<\/code>遍历容器获取pContainer<\/code><\/li>
构造容器修改偏移，使pContainer<\/code>指向用户空间构造的虚函数布局<\/li>
<\/ol>
5. 漏洞利用模式总结<\/h2>

指针覆盖<\/strong>: 通过编码过程覆盖关键指针(如pContainer<\/code>)<\/li>
边界检查缺失<\/strong>: 对关键字段(cbSymbolZone<\/code>, cBlocks<\/code>等)缺乏严格验证<\/li>
逻辑漏洞<\/strong>: 函数间检查不一致(OpenImage<\/code>与ExtendMetadataBlock<\/code>)<\/li>
校验绕过<\/strong>: 利用错误处理路径绕过校验(校验和置0)<\/li>
内存破坏<\/strong>: 通过越界写入破坏关键数据结构<\/li>
<\/ol>
6. 防御建议<\/h2>

对所有从BLF文件读取的字段进行严格验证<\/li>
确保相关函数间对同一字段的检查一致<\/li>
加强指针操作的验证和保护<\/li>
完善错误处理路径，避免绕过安全检查<\/li>
对关键数据结构增加保护机制(如Canary)<\/li>
<\/ol>
7. 研究价值<\/h2>
CLFS驱动漏洞系列展示了:<\/p>

复杂日志系统的安全挑战<\/li>
内核驱动中指针操作的脆弱性<\/li>
补丁绕过技术的演变<\/li>
Windows内核漏洞挖掘的方法论<\/li>
<\/ol>

Windows CLFS日志提权漏洞分析与教学文档<\/h1>

1. CLFS基础概念<\/h2>

1.1 CLFS概述<\/h3> Common Log File System (CLFS)是Windows提供的高性能、通用日志文件子系统，允许专用客户机应用程序使用，多个客户机可以共享以优化日志访问。<\/p>

2. 关键数据结构<\/h2>

3. 关键函数分析<\/h2>

4. 漏洞分析<\/h2>

7. 研究价值<\/h2> CLFS驱动漏洞系列展示了:<\/p> 复杂日志系统的安全挑战<\/li> 内核驱动中指针操作的脆弱性<\/li> 补丁绕过技术的演变<\/li> Windows内核漏洞挖掘的方法论<\/li> <\/ol>

1.1 CLFS概述<\/h3>
Common Log File System (CLFS)是Windows提供的高性能、通用日志文件子系统，允许专用客户机应用程序使用，多个客户机可以共享以优化日志访问。<\/p>

7. 研究价值<\/h2>
CLFS驱动漏洞系列展示了:<\/p>

复杂日志系统的安全挑战<\/li>
内核驱动中指针操作的脆弱性<\/li>
补丁绕过技术的演变<\/li>
Windows内核漏洞挖掘的方法论<\/li> <\/ol>