Skip to content

CVE-2022-37969

Common Log File System — SignaturesOffset OOB write via corrupted cbSymbolZone

Exploited in the Wild

This vulnerability was exploited in the wild before or shortly after patching.

Summary

Field Value
Driver clfs.sys
Vulnerability Class Buffer Overflow / Bounds Check
Vulnerable Build 10.0.22621.1 (RTM)
Fixed Build 10.0.22621.521 (KB5019509)
Exploited ITW Yes

Affected Functions

  • CClfsBaseFilePersisted
  • AddSymbol
  • cbSymbolZone

Root Cause

The Common Log File System (CLFS) is a general-purpose logging subsystem in the Windows kernel that manages base log files (.blf). Each BLF file contains internal metadata structures organized into blocks, including a symbol table used to track named log streams and containers. Among the fields in this metadata is cbSymbolZone, which records the current size of the symbol zone within the base metadata block.

The vulnerability lies in how CLFS validates cbSymbolZone when processing a base log file. When a user-mode application opens a BLF file via CreateLogFile, the CLFS driver parses the on-disk metadata and uses cbSymbolZone to compute derived offsets, including SignaturesOffset -- the position within the metadata buffer where CLFS writes integrity signature data. An attacker can craft a malicious BLF file in which cbSymbolZone is set to a value larger than the actual metadata block allocation. Because the driver does not properly bounds-check cbSymbolZone against the container block size, the resulting SignaturesOffset calculation yields a pointer that falls outside the allocated buffer.

When CLFS subsequently writes signature data at the computed SignaturesOffset, it performs an out-of-bounds write relative to the kernel pool allocation backing the metadata block. Critically, this bug is reachable from a low-privileged user-mode context: any user who can create or open a log file can trigger the vulnerability by supplying a crafted .blf file to CreateLogFile. No special privileges or capabilities are required beyond standard file access.

AutoPiff categorizes this as bounds_check with detection rules:

  • added_index_bounds_check
  • added_struct_size_validation

Exploitation

The out-of-bounds write from the corrupted SignaturesOffset provides a relative write primitive: the attacker controls the displacement (via cbSymbolZone) and the data written is the CLFS signature bytes, which are partially predictable. Because the CLFS metadata allocation resides in the kernel paged pool, the write lands at a controlled offset from the start of that allocation, potentially corrupting adjacent pool objects.

Exploitation follows a pool feng shui strategy. The attacker first sprays the paged pool with controlled objects -- commonly pipe attributes, named pipe data entries, or similar pool allocations of a matching size class -- to position them adjacently to the CLFS metadata buffer. After triggering the OOB write via the crafted BLF file, the corrupted bytes overwrite the header or an embedded function pointer of a neighboring pool object. The attacker then interacts with the corrupted object to convert the limited write into a broader read/write primitive, which is escalated to arbitrary kernel memory access and ultimately a token replacement (swapping the current process token with the SYSTEM token).

Multiple threat actor groups exploited CVE-2022-37969 in the wild prior to the availability of the patch. The low barrier to exploitation -- requiring only the ability to write a file and call CreateLogFile -- made it particularly attractive for local privilege escalation in targeted attack chains.

Patch Analysis

The patch shipped in KB5017321 (build 10.0.22621.521) added explicit bounds validation for cbSymbolZone and the derived offset fields within the CLFS base metadata parsing routines. Specifically, the fix ensures that cbSymbolZone does not exceed the size of the metadata block allocation, and that any offset computed from it (including SignaturesOffset) falls within the bounds of the allocated buffer before the driver writes to that location. Additional index bounds checks were introduced in the symbol table lookup and insertion paths to prevent related overflow conditions.

AutoPiff detects these changes through the added_index_bounds_check and added_struct_size_validation rules, which flag the introduction of comparison instructions that gate write operations on the relationship between a field value and a container or buffer size. The patch diff shows new conditional branches in CClfsBaseFilePersisted methods that reject metadata blocks where the symbol zone size would produce out-of-range offsets.

Detection

YARA Rule

rule CVE_2022_37969_CLFS {
    meta:
        description = "Detects vulnerable version of clfs.sys (pre-patch)"
        cve = "CVE-2022-37969"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "clfs.sys" wide ascii nocase
        $blf_marker = { 42 4C 46 30 }
        $vuln_build = "10.0.22621.1" wide ascii
        $func_base_file = "CClfsBaseFilePersisted" ascii
        $func_add_symbol = "AddSymbol" ascii
    condition:
        $mz at 0 and $driver_name and $vuln_build and ($blf_marker or $func_base_file or $func_add_symbol)
}

ETW Indicators

Provider Event / Signal Relevance
Microsoft-Windows-CLFS Log file open / container operations Fires when CreateLogFile parses BLF metadata containing the corrupted cbSymbolZone value
Microsoft-Windows-CLFS Symbol table insertion events Detects AddSymbol operations on a BLF with manipulated symbol zone boundaries
Microsoft-Windows-Kernel-Audit Token modification events Detects the EPROCESS token swap that converts the exploit's pool corruption into SYSTEM privileges
Microsoft-Windows-Security-Auditing Event ID 4672 (Special privileges assigned) Low-privilege process gaining SeTcbPrivilege or SeDebugPrivilege after BLF file interaction
Microsoft-Windows-Security-Auditing Event ID 4688 (Process creation) Post-exploitation SYSTEM-level child process spawned from a previously unprivileged parent

Behavioral Indicators

  • A user-mode process creates or opens a .blf file via CreateLogFile where the on-disk cbSymbolZone value exceeds the actual metadata block size, causing SignaturesOffset to point outside the allocated buffer
  • Paged pool spray activity immediately preceding the CreateLogFile call -- typically pipe attribute allocations (NtFsControlFile with FSCTL_PIPE_ASSIGN_EVENT) or named pipe data entries of a matching size class to position objects adjacent to the CLFS metadata allocation
  • Out-of-bounds write into an adjacent pool object header or embedded pointer, followed by interaction with that corrupted object (e.g., closing a pipe handle to trigger a callback through a corrupted function pointer)
  • Suspicious .blf files appearing in user-writable directories with cbSymbolZone values that are inconsistent with the actual symbol table contents
  • Process token replacement at runtime: the attacking process acquires a SYSTEM token without legitimate elevation, followed by security tooling tampering or lateral movement activity

References