Windows Common Log File System (CLFS) Logical-Error Vulnerability [CVE-2022-24521]

We discussed this vulnerability during Episode 142 on 03 May 2022

Memory corruption issue in CLFS. The issue comes down to the parsing of log blocks when loading log files from disk.

Background

The main structure that makes up a log block is the base block, which consists of a log block header of metadata followed by record entries. These records have a two-byte signature attached to them, which is referenced when decoding the block for consistency guarantees. Records also have a header which contains an array of offsets to associated contexts (or "containers") for that record. Contexts have some sensitive fields, namely pContainer, which is a kernel pointer that points to the parent container class for that context. As such, care has to be taken when loading files from disk: this field must be zeroed, otherwise the user could control a kernel pointer to an object containing function pointers that get called in RemoveContainer() later on.

The bug

The problem is the lack of validation on the signature offset that gets read from the block header. It is possible to set this signature offset so that the signature array intersects with a context object, specifically its pContainer field. When the block is decoded, the user can corrupt pContainer after it has been zeroed, giving them direct control over the remove and destroy function pointers that are called in RemoveContainer().
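To make the logic error concrete, here is a simplified Python model of the decode step described above, written for these notes rather than taken from CLFS itself. The block layout, sector size, context spans and the pContainer offset are all constructed assumptions, not the real on-disk format; the point is the missing range/overlap check on the header's signature offset and what the fixed check has to cover.

```python
SECTOR = 512  # assumed sector size for this toy model (not the real CLFS layout)


class BadSignatureOffset(ValueError):
    """Raised when the header's signature offset cannot be trusted."""


def decode_block(block: bytes, sig_off: int, contexts, validate: bool = True) -> bytearray:
    """Model of the decode step: copy each sector's two-byte signature into the
    signature array at sig_off, an offset read straight from the block header.
    contexts: (start, length) spans of context objects whose pContainer field the
    loader has already zeroed.  validate=False reproduces the missing check."""
    nsect = len(block) // SECTOR
    sig_end = sig_off + 2 * nsect
    if validate:
        # The signature array must lie inside the block ...
        if sig_off < 0 or sig_end > len(block):
            raise BadSignatureOffset("signature array falls outside the block")
        # ... and must not overlap any context object (the span holding pContainer).
        for start, length in contexts:
            if sig_off < start + length and start < sig_end:
                raise BadSignatureOffset(f"signature array overlaps context at {start:#x}")
    out = bytearray(block)
    for i in range(nsect):
        end = (i + 1) * SECTOR
        out[sig_off + 2 * i:sig_off + 2 * i + 2] = block[end - 2:end]
    return out


def pcontainer_after_decode(validate: bool) -> bytes:
    """Constructed two-sector block whose header points the signature array at pContainer."""
    ctx_start, ctx_len = 0x100, 0x40      # constructed context object span
    pcontainer = ctx_start + 0x10         # constructed offset of pContainer inside it
    block = bytearray(2 * SECTOR)
    block[SECTOR - 2:SECTOR] = b"AA"      # constructed sector signature bytes on disk
    block[2 * SECTOR - 2:] = b"BB"
    block[pcontainer:pcontainer + 8] = bytes(8)   # loader zeroes pContainer
    out = decode_block(block, pcontainer, [(ctx_start, ctx_len)], validate)
    return bytes(out[pcontainer:pcontainer + 8])


def decode_rejected() -> bool:
    """True if the validated decode refuses the overlapping signature offset."""
    try:
        pcontainer_after_decode(validate=True)
    except BadSignatureOffset:
        return True
    return False


if __name__ == "__main__":
    print(pcontainer_after_decode(validate=False))   # zeroed field now holds b'AABB...'
    print("rejected:", decode_rejected())
```

Without the check, the zeroed pointer field is overwritten with bytes copied from the sector ends during decode; with it, the block is rejected before any write happens.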