In April 2023, we published a blog post about a zero-day exploit we discovered in ransomware attacks that was patched as CVE-2023-28252 after we promptly reported it to Microsoft. In that blog post, we mentioned that the zero-day exploit we discovered was very similar to other Microsoft Windows elevation-of-privilege (EoP) exploits that we have seen in ransomware attacks throughout the year. We found that since June 2022, attackers have used exploits for at least five different Common Log File System (CLFS) driver vulnerabilities. Four of these vulnerabilities used by the attackers (CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, CVE-2023-28252) have been captured in the wild as zero-days. Seeing a Win32k driver zero-day being used in attacks isn't really surprising these days, as the design issues with that component are well known and have been exploited time and time again. But we had never seen so many CLFS driver exploits being used in active attacks before, and then suddenly so many of them were captured in just one year. Is there something seriously wrong with the CLFS driver? Are all these vulnerabilities similar? Was Microsoft somehow lax in patching these vulnerabilities? These questions piqued my interest and encouraged me to take a closer look at the CLFS driver and its vulnerabilities. This study turned out to be quite long, so for the convenience of the reader, it is divided into six parts: This part will cover the internals of the Common Log File System…