CimFS — Composite Image File System

Last updated: 2026-04-10
Related: Cve 2024 26170, Primitives, Heap Grooming
Tags: kernel-mode, cimfs, driver, oob-read, dacl-bypass, lpe


Summary

CimFS (cimfs.sys) is a Windows 11 kernel-mode driver implementing the Composite Image File System — a read-only filesystem used for container images (Windows containers, Hyper-V containers) and potentially cloud-based image serving. It is a lightly documented, relatively new attack surface that has yielded LPE vulnerabilities (CVE-2024-26170) despite low public research attention.

The primary attack surface is the kernel IOCTL interface exposed via \Device\cimfs\control, which parses complex binary region files in the kernel. A DACL misconfiguration (missing FILE_DEVICE_SECURE_OPEN) makes the interface reachable by non-admin users, amplifying any parsing vulnerability.


Attack Surface

Device Access

Device path:    \Device\cimfs\control
DACL:           SYSTEM + Administrators only (restrictive)
FILE_DEVICE_SECURE_OPEN: NOT set (critical misconfiguration — patched March 2024)

DACL bypass (pre-patch): The absence of FILE_DEVICE_SECURE_OPEN allows any user to open child device paths that route to the control device:

// Admin-only (DACL enforced):
CreateFileW(L"\\\\.\\CimfsControl", ...);   // FAILS for non-admin

// Any user (DACL bypassed — missing FILE_DEVICE_SECURE_OPEN):
CreateFileW(L"\\??\\CimfsControl\\anything", ...);   // SUCCEEDS

See Primitives § FILE_DEVICE_SECURE_OPEN bypass.

IOCTL Codes

Code        Operation
0x220004    Mount volume — parses region file, creates internal filesystem state
0x220014    Secondary operation (post-mount; crash target in CVE-2024-26170 PoC)

Reachable Parsing Code

After mount, any subsequent file I/O on the mounted image exercises:

  • Cim::FileSystem::GetDataSegment() — metadata retrieval
  • Cim::FileSystem::GetStreamSegment() — stream segment lookup
  • GetOffsetTruncate() — bounds validation (bypassed by flag byte)
  • NtQueryInformationFile() with FileInformationClass 4–77
  • NtQueryEaFile() — extended attribute parsing

Region File Format

CimFS .cim files consist of:

  • Region file: binary metadata blob (~135,168 bytes for a minimal image)
    • Data segments
    • Stream segments (each 0xB8 bytes)
    • Reparse data
    • Hardlink data
    • Security descriptors
    • File hashes
  • Container files: actual data storage

Format status: Completely undocumented by Microsoft. Must be reverse-engineered from cimfs.sys (with symbols).

Key Parsed Structure: OpenFile

Populated during mount from region file data:

OpenFile fields:
  +0x8C   stream segment identifier (WORD)
  +0x77   control flags byte
              bit 0 = disables GetOffsetTruncate() validation in GetStreamSegment
              (when set by crafted region file → validation bypass → OOB)

Known Vulnerability Classes

1. Insufficient Validation in GetDataSegment (CVE-2024-26170)

Root cause: GetStreamSegment() conditionally skips GetOffsetTruncate() based on flag byte from attacker-controlled region file. Unvalidated offset 0xB8 * (uint16)userControl used to index RegionView → OOB pool read.

Exploit chain: OOB read → fake FILE_OBJECT from spray → fake DEVICE_OBJECT/DRIVER_OBJECT → MajorFunction[3] gadget → null PreviousMode → token steal.

See Cve 2024 26170 for full analysis.
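To make the root cause concrete, here is an added Python model (not cimfs.sys code, and not from the StarLabs write-up) of the offset computation described above, with the pre-patch logic beside the corrected form. Only the 0xB8 stride, the uint16 multiplier and the bit-0 flag come from this page; the region size, the RegionView stand-in and the function names are assumptions for illustration.

```python
# Added example: model of the GetStreamSegment() / GetOffsetTruncate() interaction
# described on this page. Not the driver's code; the layout below is assumed.

STREAM_SEGMENT_SIZE = 0xB8      # stride per stream segment (from the page)
FLAG_SKIP_VALIDATION = 0x01     # bit 0 of the +0x77 control flags byte (from the page)


class RegionView:
    """Stand-in for the kernel's mapped view of the region file (assumed shape)."""

    def __init__(self, data: bytes):
        self.data = data


def get_offset_truncate(region: RegionView, offset: int, length: int) -> int:
    """Model of the bounds validation: reject any segment outside the view."""
    if offset < 0 or offset + length > len(region.data):
        raise ValueError(
            f"segment [{offset:#x}, {offset + length:#x}) exceeds "
            f"region of {len(region.data):#x} bytes"
        )
    return offset


def stream_segment_offset_vulnerable(region: RegionView, user_control: int, flags: int) -> int:
    """Pre-patch logic as the page describes it: a flag byte that comes from the
    same attacker-controlled region file decides whether validation runs at all."""
    offset = STREAM_SEGMENT_SIZE * (user_control & 0xFFFF)
    if flags & FLAG_SKIP_VALIDATION:
        return offset   # validation skipped: offset may lie far outside the view
    return get_offset_truncate(region, offset, STREAM_SEGMENT_SIZE)


def stream_segment_offset_hardened(region: RegionView, user_control: int, flags: int) -> int:
    """Corrected form: the bounds check never depends on untrusted input."""
    offset = STREAM_SEGMENT_SIZE * (user_control & 0xFFFF)
    return get_offset_truncate(region, offset, STREAM_SEGMENT_SIZE)


def demo() -> dict:
    """Run both variants against a constructed 135,168-byte region (the minimal-image
    size quoted on this page). Value = accepted offset, None = rejected."""
    region = RegionView(bytes(135_168))
    results = {}
    variants = (("vulnerable", stream_segment_offset_vulnerable),
                ("hardened", stream_segment_offset_hardened))
    cases = ((3, 0), (0xFFFF, 0), (0xFFFF, FLAG_SKIP_VALIDATION))
    for name, fn in variants:
        for control, flags in cases:
            try:
                results[(name, control, flags)] = fn(region, control, flags)
            except ValueError:
                results[(name, control, flags)] = None
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", "rejected" if value is None else hex(value))
```

The point of the comparison is the last case: with the flag bit set, the vulnerable variant hands back 0xB8 * 0xFFFF = 0xB7FF48, roughly 90 times the size of a minimal region, while the hardened variant rejects it because the check runs unconditionally. Any validation that can be switched off by a byte read from the same untrusted blob is, in effect, no validation.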

2. DACL Bypass via Missing FILE_DEVICE_SECURE_OPEN

Pre-patch (March 2024): any user could access the device via child path. The vulnerability was exploitable at Medium IL (standard user session) without any other precondition.

Post-patch behavior: Access restricted to SYSTEM/Administrators. Admin-to-Kernel escalation path (for the OOB logic) still exists — the underlying logic was NOT fixed.


Fuzzing CimFS

The StarLabs approach for discovering CVE-2024-26170:

1. Create minimal valid CIM image (use CimFS SDK or craft raw)
2. Mutate: region file bytes at structural offsets (coarse mutation)
3. Dry-run: mount mutated image; skip if mount fails
4. Exercise: for mounted images, call:
   - NtQueryInformationFile() with FileInformationClass 4–77
   - NtQueryEaFile() for extended attributes
   - Read ADS (Alternate Data Streams) of hardlinks
5. Monitor: BSOD / exception in cimfs.sys

Key insight: Always verify mount succeeds before exercising post-mount paths. Crashes in mount path waste iterations and obscure post-mount bugs.


Exploit Primitives Available

From CVE-2024-26170 research, CimFS provides access to:

Primitive                                          How
Kernel pool OOB read (controlled offset)           Crafted region file flag byte + uint16 multiplier
Arbitrary kernel function call (1 controlled arg)  Fake FILE/DEVICE/DRIVER object chain via pool spray
Null write at [RCX+0x38]                           DirectComposition gadget via MajorFunction[3]
PreviousMode = 0                                   Null write positioned at KTHREAD.PreviousMode

Defensive Notes

  • Keep container workloads behind Windows container security boundaries to reduce CimFS exposure
  • Detection: Watch for non-admin processes opening \Device\cimfs\control or child paths
  • After March 2024 patch: Non-admin can no longer reach the driver; Admin-to-Kernel path technically remains (out-of-scope for Windows security model)
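The detection note above and the child-path bypass in the Device Access section share one problem: a rule that only looks for the literal string \Device\cimfs\control misses the \\.\CimfsControl and \??\CimfsControl\anything spellings that route to the same device. The Python below is an added example (not from the page's sources) of a matcher that covers all three forms plus any child component, run over constructed audit lines. The key=value line format, the field names (pid, user, il, op, path, status) and the integrity-level labels are assumptions; map them onto whatever your file-open telemetry actually emits.

```python
# Added example: detection logic for opens of the CimFS control device, including
# the child-path form that bypassed the DACL pre-patch. Log format is constructed.
import re
from dataclasses import dataclass
from typing import List

# Match the NT device path or either symbolic-link spelling, then require either
# end-of-path or a backslash so that a child path matches but CimfsControlled does not.
CIMFS_CONTROL = re.compile(
    r"^(?:\\\\\.\\|\\\?\?\\|\\Device\\)"   # \\.\  or  \??\  or  \Device\
    r"(?:CimfsControl|cimfs\\control)"      # symbolic link name or NT device name
    r"(?:\\|$)",                            # end of path, or a child component below it
    re.IGNORECASE,
)

# Integrity levels treated as "non-admin" for alert severity (assumed labels).
NON_ADMIN_IL = {"low", "medium"}


@dataclass
class Alert:
    timestamp: str
    pid: int
    user: str
    integrity: str
    path: str
    severity: str


def parse_event(line: str) -> dict:
    """Split a constructed 'key=value' audit line into a dict (first token is the timestamp)."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def is_cimfs_control_open(path: str) -> bool:
    """True if the path names the CimFS control device directly or via a child path."""
    return CIMFS_CONTROL.match(path) is not None


def scan(lines) -> List[Alert]:
    """Return one alert per open of the control device. Denied attempts are kept
    because a non-admin process probing the device is itself the signal; severity
    is 'high' for non-admin integrity levels and 'info' otherwise."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("op") != "CreateFile" or not is_cimfs_control_open(ev.get("path", "")):
            continue
        il = ev.get("il", "")
        severity = "high" if il.lower() in NON_ADMIN_IL else "info"
        alerts.append(Alert(line.split()[0], int(ev["pid"]), ev["user"], il, ev["path"], severity))
    return alerts


# Constructed sample telemetry: one SYSTEM open, one denied direct open by a standard
# user, the child-path open that succeeded pre-patch, and two benign lines.
SAMPLE_LOG = [
    r"2026-04-10T09:58:12Z pid=3320 user=NT_AUTHORITY\SYSTEM il=System op=CreateFile path=\Device\cimfs\control status=SUCCESS",
    r"2026-04-10T09:58:40Z pid=4120 user=CONTOSO\alice il=Medium op=CreateFile path=\\.\CimfsControl status=ACCESS_DENIED",
    r"2026-04-10T09:58:41Z pid=4120 user=CONTOSO\alice il=Medium op=CreateFile path=\??\CimfsControl\anything status=SUCCESS",
    r"2026-04-10T09:59:02Z pid=5016 user=CONTOSO\alice il=Medium op=CreateFile path=C:\Users\alice\notes.txt status=SUCCESS",
    r"2026-04-10T09:59:30Z pid=6100 user=CONTOSO\bob il=Medium op=CreateFile path=\??\CimfsControlled\x status=SUCCESS",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.timestamp} pid={alert.pid} {alert.user} ({alert.integrity}) -> {alert.path}")
```

On the sample input this yields three alerts: an informational one for the SYSTEM open, and two high-severity ones for pid 4120, the second of which is exactly the child-path open that the missing FILE_DEVICE_SECURE_OPEN let through. The fifth line does not fire because the device name must be followed by a path separator or the end of the string, which keeps look-alike names out of the rule.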

References

  • StarLabs / Ong How Chong — “CimFS: Crashing In Memory, Finding SYSTEM” — starlabs.sg, 2025-03
  • Microsoft MSRC — CVE-2024-26170 — March 2024
  • Microsoft Docs — Composite Image Filesystem (CimFS)