NEWS NTFS + VHD = SYSTEM: How to Trick the Windows Kernel with $LogFile Tricks

ExcalibuR
Legend, Premium Member
Joined: Jan 17, 2025

The logging mechanism turned out to be a Trojan horse.

A researcher from Positive Technologies has uncovered a critical vulnerability in NTFS that allows a local attacker to escalate privileges to SYSTEM using a specially crafted Virtual Hard Disk (VHD). The flaw, tracked as CVE-2025-49689, affects Windows 11 version 22H2.

The Vulnerability: Log File Service (LFS) Exploit

The issue stems from the Log File Service (LFS), the component NTFS uses for transaction logging in $LogFile. When a volume is mounted, NTFS reads the log's restart area through the following call chain:

  • ntfs!NtfsMountVolume → ntfs!InitializeRestartState → ntfs!ReadRestartTable
Along this path the code mishandles the ClientDataLength field of the LFS_RECORD header. Setting the field to 0xFFFFFFFF makes the length arithmetic wrap around in 32-bit space, so a bounds check that should reject the record passes instead.

The record is then processed with the attacker-chosen length, producing out-of-bounds reads and memmove calls whose size the attacker controls, which lets the driver read far past the end of the $LogFile buffer. Reaching the bug takes two steps:

  1. Craft the LFS structures inside a malicious VHD so that the forged record is what the mount path parses.
  2. Bypass the Lfcb->CachedRestartArea caching mechanism, forcing the driver to read a forged RESTART_AREA whose attribute tables are attacker-supplied.
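To make the overflow concrete, here is an added example in C that is not code from the article or from the Positive Technologies research and not the ntfs.sys implementation. It uses the public LFS_RECORD_HEADER layout (48 bytes) and constructs a sample log page; the shape of the vulnerable length check is an assumption chosen to reproduce the behaviour the advisory describes (32-bit wrap on ClientDataLength = 0xFFFFFFFF), with the hardened form beside it. The walker then reports how many bytes the subsequent memmove would read beyond the page.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* LFS_RECORD_HEADER as documented publicly for NTFS $LogFile (48 bytes).
 * Only ClientDataLength matters here; the other fields keep the offsets. */
#pragma pack(push, 1)
typedef struct {
    uint64_t ThisLsn;
    uint64_t ClientPreviousLsn;
    uint64_t ClientUndoNextLsn;
    uint32_t ClientDataLength;   /* bytes of client data following the header */
    uint16_t ClientSeqNumber;
    uint16_t ClientIndex;
    uint32_t RecordType;
    uint32_t TransactionId;
    uint16_t Flags;
    uint8_t  Alignment[6];
} LFS_RECORD_HEADER;
#pragma pack(pop)

#define LFS_HDR_SIZE   ((uint32_t)sizeof(LFS_RECORD_HEADER))
#define LOG_PAGE_SIZE  4096u

/* Assumed shape of the vulnerable check (illustrative, not ntfs.sys code):
 * header size + ClientDataLength in 32-bit arithmetic, so a value near
 * UINT32_MAX wraps to a tiny "needed" size and the check passes. */
int record_fits_vulnerable(const LFS_RECORD_HEADER *hdr, uint32_t bytes_left)
{
    uint32_t needed = LFS_HDR_SIZE + hdr->ClientDataLength;   /* can wrap */
    return needed <= bytes_left;
}

/* Hardened check: subtract the header first; nothing here can wrap. */
int record_fits_hardened(const LFS_RECORD_HEADER *hdr, uint32_t bytes_left)
{
    if (bytes_left < LFS_HDR_SIZE)
        return 0;
    return hdr->ClientDataLength <= bytes_left - LFS_HDR_SIZE;
}

typedef struct {
    int      accepted;   /* records that passed the bounds check */
    uint64_t oob_bytes;  /* bytes a memmove of ClientDataLength would read past the page */
} WalkResult;

/* Walk one log page the way a restart-area reader would: validate each
 * record, then account for the copy the driver performs afterwards. */
WalkResult walk_log_page(const uint8_t *page, uint32_t len, int hardened)
{
    WalkResult r = {0, 0};
    uint32_t off = 0;
    while (off < len && len - off >= LFS_HDR_SIZE) {
        LFS_RECORD_HEADER hdr;
        memcpy(&hdr, page + off, sizeof hdr);
        if (hdr.ClientDataLength == 0)          /* zeroed tail: end of log */
            break;
        uint32_t left = len - off;
        int ok = hardened ? record_fits_hardened(&hdr, left)
                          : record_fits_vulnerable(&hdr, left);
        if (!ok)
            break;
        r.accepted++;
        uint64_t avail = left - LFS_HDR_SIZE;
        if (hdr.ClientDataLength > avail) {      /* the memmove would overrun */
            r.oob_bytes = hdr.ClientDataLength - avail;
            break;
        }
        off += (LFS_HDR_SIZE + hdr.ClientDataLength + 7u) & ~7u;  /* 8-byte aligned */
    }
    return r;
}

/* Constructed sample page: two well-formed records, then a third whose
 * ClientDataLength is either a sane 32 or the 0xFFFFFFFF from the advisory. */
void build_sample_page(uint8_t *page, int poisoned)
{
    uint32_t lens[3] = {64, 200, poisoned ? 0xFFFFFFFFu : 32u};
    uint32_t off = 0;
    memset(page, 0, LOG_PAGE_SIZE);
    for (int i = 0; i < 3; i++) {
        LFS_RECORD_HEADER h = {0};
        h.ThisLsn = 0x1000 + i;
        h.ClientDataLength = lens[i];
        h.RecordType = 1;
        memcpy(page + off, &h, sizeof h);
        if (i < 2)
            off += (LFS_HDR_SIZE + lens[i] + 7u) & ~7u;   /* 112, then 360 */
    }
}

static WalkResult run_case(int poisoned, int hardened)
{
    uint8_t page[LOG_PAGE_SIZE];
    build_sample_page(page, poisoned);
    return walk_log_page(page, LOG_PAGE_SIZE, hardened);
}

int      accepted_for(int poisoned, int hardened) { return run_case(poisoned, hardened).accepted; }
uint64_t oob_for(int poisoned, int hardened)      { return run_case(poisoned, hardened).oob_bytes; }

int main(void)
{
    printf("benign page,   vulnerable check: %d records, %llu OOB bytes\n",
           accepted_for(0, 0), (unsigned long long)oob_for(0, 0));
    printf("poisoned page, vulnerable check: %d records, %llu OOB bytes\n",
           accepted_for(1, 0), (unsigned long long)oob_for(1, 0));
    printf("poisoned page, hardened check:   %d records, %llu OOB bytes\n",
           accepted_for(1, 1), (unsigned long long)oob_for(1, 1));
    return 0;
}
```

With the vulnerable check, 48 + 0xFFFFFFFF wraps to 47, the poisoned record is accepted, and the copy that follows would read about 4 GB past the 4 KB page; the hardened check rejects the same record because it compares the length against the space that is actually left. Any length check that adds before it compares needs the same treatment.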

From Memory Corruption to Kernel Exploitation

The attack continues by forging an OPEN_ATTRIBUTE_DATA structure, which contains a pointer to an SCB (Stream Control Block), the NTFS object that manages a file stream.

When NtfsCloseAttributesFromRestart processes the forged structure, it removes entries from an AVL tree via RtlDeleteElementGenericTableAvl. The table's CompareRoutine callback pointer sits in attacker-controlled data, so the driver can be made to call a function of the attacker's choosing with attacker-influenced arguments.

Rather than directing that call at injected code, which HVCI would block, the researcher leveraged an existing kernel routine, RtlpFcBufferManagerReferenceBuffers, whose side effects on its arguments turn the AVL tree manipulation into a controlled kernel write (a write-what-where primitive).

Bypassing Modern Mitigations

For reliable exploitation the chain uses:

  • Windows I/O ring objects: overwriting the registered buffer pointers in _IORING_OBJECT upgrades the initial write into arbitrary kernel read and write.
  • Pipe buffers as a kernel-resident allocation for attacker-controlled data, so the fake structures live in kernel memory and no user-mode pointer has to be dereferenced under SMEP/SMAP.
  • A chain of forged structures, SCB → FCB → VCB, so that the fake stream object resolves to fake file and volume objects when the driver follows the pointers.
The final step swaps the token of the attacker's process for a SYSTEM token. Because the chain only corrupts kernel data and every function it executes is legitimate kernel code, it works even with CFG (Control Flow Guard) and HVCI (Hypervisor-Protected Code Integrity) enabled.

No Patch Yet – Mitigation Advice

As of this writing, Microsoft has not released a security update. Until a fix is available:

  • Do not mount VHDs from untrusted sources. The bug is reached inside the mount path, so attaching the image is enough; no file inside it has to be opened. Mounting a VHD does not require administrator rights, which is what makes this a local privilege escalation.
  • Monitor for image mounts: the Microsoft-Windows-VHDMP/Operational event log records attach and detach operations, and a standard user attaching an image is worth an alert.
This vulnerability shows how NTFS internals can be weaponized for privilege escalation, and that even core Windows components can hide dangerous flaws.

Exploit PoC expected soon? The researcher notes that the attack could be refined further, with a SMAP bypass and control over memory exhaustion, to improve its reliability.