There is a pool overflow in the cldflt.sys (Cloud Files) mini filter driver. Background on this driver and its reparse point handling can be found at:
1 - https://googleprojectzero.blogspot.com/2021/01/hunting-for-bugs-in-windows-mini-filter.html
2 - https://www.zerodayinitiative.com/blog/2021/7/19/cve-2021-31969-underflowing-in-the-clouds
The root cause is that the driver does not sufficiently validate data read from an NTFS reparse point.
We will consider cldflt.sys version 10.0.22621.2134 (Windows 11 22H2 22621.2215).
The function HsmFltProcessHSMControl is responsible for processing cloud filter FSCTLs. For an operation with code 0xC0000003, it eventually calls HsmFltProcessUpdatePlaceholder.
HsmpRpReadBuffer [1*] retrieves the reparse point data. This data contains a WORD-sized value, *((_WORD *)v8 + 7), that specifies the number of structured items. Each item has a Type field, a Size field and an Offset to its data.
The item type expected at each position is fixed, but only for the first 10 items. For example, the Type field of the first item must equal 0x7.
The driver calls HsmpRpValidateBuffer [2*] to verify the acquired data. Then [3*] a paged pool buffer with a fixed size of 0x4000 bytes is allocated. If the reparse point data has a Count value greater than 10, the data of the items after the tenth is copied into this fixed-size pool [4*] without any additional checks.
As can be seen at [1*], the code verifies only the first 10 items and ignores the case where there are more records.
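The following C model is an added example, not code from cldflt.sys or from this writeup. It reproduces the pattern described above (trusted Count, validation of the first 10 items only, unchecked copy of the remaining items into a fixed 0x4000-byte pool) next to a hardened variant that bounds-checks every item and the running total. The exact item and header layouts (8-byte items, Count at WORD index 7, sequential payloads) are assumptions for illustration; the page only states the Count position and the Type/Size/Offset fields.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define HSM_FIXED_POOL_SIZE 0x4000   /* fixed paged-pool allocation from the writeup */
#define HSM_CHECKED_ITEMS   10       /* only this many items are validated */

/* Assumed layout (illustrative): the writeup only says Count is the WORD at
 * *((_WORD *)buf + 7) and that each item carries Type, Size and Offset. */
#pragma pack(push, 1)
typedef struct {
    uint16_t Type;
    uint16_t Size;    /* payload length in bytes */
    uint32_t Offset;  /* payload offset from the start of the reparse data */
} HSM_RP_ITEM;

typedef struct {
    uint8_t     Reserved[14];  /* bytes 0..13, contents not modelled */
    uint16_t    Count;         /* WORD index 7 */
    HSM_RP_ITEM Items[];
} HSM_RP_DATA;
#pragma pack(pop)

/* One item's payload must lie entirely inside the reparse data. */
static int item_in_bounds(const HSM_RP_ITEM *it, size_t rp_len)
{
    return it->Offset <= rp_len && it->Size <= rp_len - it->Offset;
}

/* Mirrors the flawed flow: Count is trusted, only the first 10 items are
 * validated, then every item past the 10th is copied into a pool that the
 * caller sized at 0x4000 bytes, with no check against that size.
 * Returns bytes written to pool, or -1 if validation rejects the buffer. */
long hsm_copy_extra_items_vulnerable(const uint8_t *rp, size_t rp_len, uint8_t *pool)
{
    const HSM_RP_DATA *hdr = (const HSM_RP_DATA *)rp;
    if (rp_len < sizeof(HSM_RP_DATA)) return -1;
    uint16_t count = hdr->Count;
    if (count < 1 || hdr->Items[0].Type != 0x7) return -1;
    for (unsigned i = 0; i < count && i < HSM_CHECKED_ITEMS; i++) {
        if (sizeof(HSM_RP_DATA) + (i + 1) * sizeof(HSM_RP_ITEM) > rp_len) return -1;
        if (!item_in_bounds(&hdr->Items[i], rp_len)) return -1;
    }
    size_t out = 0;
    for (unsigned i = HSM_CHECKED_ITEMS; i < count; i++) {
        const HSM_RP_ITEM *it = &hdr->Items[i];          /* never validated */
        memcpy(pool + out, rp + it->Offset, it->Size);   /* runs past 0x4000 */
        out += it->Size;
    }
    return (long)out;
}

/* Hardened variant: the whole item table must fit, every item is
 * bounds-checked, and the running total is checked against pool_size
 * before each copy. Returns bytes written, -1 on malformed input,
 * -2 if the extra items would not fit in the pool. */
long hsm_copy_extra_items_hardened(const uint8_t *rp, size_t rp_len,
                                   uint8_t *pool, size_t pool_size)
{
    const HSM_RP_DATA *hdr = (const HSM_RP_DATA *)rp;
    if (rp_len < sizeof(HSM_RP_DATA)) return -1;
    uint16_t count = hdr->Count;
    if (count < 1 || hdr->Items[0].Type != 0x7) return -1;
    if ((size_t)count * sizeof(HSM_RP_ITEM) > rp_len - sizeof(HSM_RP_DATA)) return -1;
    size_t out = 0;
    for (unsigned i = 0; i < count; i++) {
        const HSM_RP_ITEM *it = &hdr->Items[i];
        if (!item_in_bounds(it, rp_len)) return -1;
        if (i < HSM_CHECKED_ITEMS) continue;          /* fixed-position items, handled elsewhere */
        if (it->Size > pool_size - out) return -2;    /* would overflow the pool */
        memcpy(pool + out, rp + it->Offset, it->Size);
        out += it->Size;
    }
    return (long)out;
}

/* Constructed test input, not real driver data: `count` items of
 * `item_size` bytes each, payloads laid out back to back after the item
 * table, first item typed 0x7. Returns total length, or 0 if cap is too small. */
size_t hsm_build_rp(uint8_t *buf, size_t cap, uint16_t count, uint16_t item_size)
{
    size_t table = sizeof(HSM_RP_DATA) + (size_t)count * sizeof(HSM_RP_ITEM);
    size_t total = table + (size_t)count * item_size;
    if (total > cap) return 0;
    memset(buf, 0, total);
    HSM_RP_DATA *hdr = (HSM_RP_DATA *)buf;
    hdr->Count = count;
    for (uint16_t i = 0; i < count; i++) {
        hdr->Items[i].Type   = (i == 0) ? 0x7 : (uint16_t)(0x100 + i);
        hdr->Items[i].Size   = item_size;
        hdr->Items[i].Offset = (uint32_t)(table + (size_t)i * item_size);
        memset(buf + hdr->Items[i].Offset, 'A' + (i % 26), item_size);
    }
    return total;
}
```

With 30 items of 0x400 bytes, the 20 unvalidated items total 0x5000 bytes, 0x1000 more than the pool; the vulnerable routine copies all of it, while the hardened one stops before the first copy that would cross the pool boundary. When running the vulnerable routine for demonstration, give it a pool with slack beyond 0x4000 so the overflow lands in memory you own rather than in the heap metadata.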
Exploitation
=================
The size of the vulnerable pool allocation is 0x4000 bytes. This is a multiple of the page size, so the segment allocation backend is used [3].
For exploitation the technique described in [4] was used. Calling NtAlpcCreateResourceReserve creates a large number of reserve objects, and overwriting one of them with a pointer to a crafted fake _KALPC_RESERVE object gives the ability to write to an arbitrary kernel address.