Skip to content

CVE-2023-28252

Common Log File System — OOB write via corrupted base log offset

Exploited in the Wild

This vulnerability was exploited in the wild before or shortly after patching.

Summary

Field Value
Driver clfs.sys
Vulnerability Class Buffer Overflow / Bounds Check
Vulnerable Build 10.0.22621.1265 (KB5023706)
Fixed Build 10.0.22621.1555 (KB5025239)
Exploited ITW Yes

Affected Functions

  • CClfsBaseFilePersisted::WriteMetadataBlock
  • ClfsBaseFlushMetadata
  • CClfsLogFcbPhysical

Root Cause

The vulnerability resides in how the Common Log File System (CLFS) driver parses and processes base log file (BLF) metadata. CLFS maintains internal data structures within BLF files, including container contexts, symbol zones, and base block descriptors. The core flaw is that CClfsBaseFilePersisted::WriteMetadataBlock and related functions such as ClfsBaseFlushMetadata trust offset values embedded in the BLF metadata without adequately validating that they fall within legitimate buffer boundaries. An attacker can craft a malicious BLF file in which fields like cbSymbolZone or base block offsets are manipulated to point outside the allocated metadata region, turning what should be a bounded internal write into an out-of-bounds write.

The corruption is triggered when CLFS processes the tampered metadata during routine log operations such as creating or extending a container. Calling CreateLogFile on the specially crafted .blf file from user mode is sufficient to reach the vulnerable code path, meaning no elevated privileges are required to trigger the bug. Once the corrupted offset is consumed, the driver writes attacker-influenced data to a kernel address determined by the offset delta, producing a powerful relative write primitive.

The root issue is a classic case of insufficient input validation: user-influenced offset fields embedded within on-disk BLF structures are used directly as write targets without confirming they remain within the bounds of the associated metadata buffer. Because BLF files are accessible to low-privileged users and the parsing path is reachable through standard logging APIs, the attack surface is broad and the bug is reliably triggerable.

AutoPiff categorizes this as bounds_check with detection rules:

  • added_len_check_before_memcpy
  • added_bounds_check_on_offset
  • added_index_range_check

Exploitation

The out-of-bounds write gives the attacker a controlled relative write primitive within the kernel pool. Because the corrupted offset determines the displacement from the base of the metadata buffer, and the data written is also influenced through the crafted BLF, the attacker can target adjacent pool allocations with predictable content. The Nokoyawa ransomware campaign, discovered by Kaspersky, used this vulnerability as a local privilege escalation (EoP) primitive to elevate from a standard user to SYSTEM.

Exploitation relied on pool feng shui to shape the kernel heap layout before triggering the bug. The attacker sprayed allocations of a controlled size -- using calls such as NtQuerySystemInformation -- to position predictable objects adjacent to the CLFS container context in the paged pool. When the OOB write fires, it corrupts a field in one of these adjacent allocations. In the Nokoyawa exploit, this was used to overwrite a process token pointer in the current process's EPROCESS structure, replacing the token of the attacker's process with a copy of the SYSTEM token.

The full exploitation chain proceeds as follows: the attacker places a crafted .blf file on disk, opens it with CreateLogFile to trigger CLFS metadata parsing, which performs the out-of-bounds write through the corrupted offset. The write lands on a carefully positioned pool object, enabling the token swap. After the swap, the attacker's process runs with SYSTEM privileges and can execute arbitrary code, deploy ransomware payloads, or disable security tooling.

Patch Analysis

The patch shipped in KB5025239 (build 10.0.22621.1555) adds explicit bounds validation on offset fields within BLF metadata blocks before they are used as write targets. Specifically, range checks were introduced for cbSymbolZone and related offset fields to verify that they fall within the boundaries of the allocated metadata buffer. If an offset exceeds the legitimate range, the operation is rejected before any write occurs, eliminating the out-of-bounds condition entirely.

AutoPiff detects the fix through the added_len_check_before_memcpy, added_bounds_check_on_offset, and added_index_range_check rules, all of which fire on the patched code paths in CClfsBaseFilePersisted::WriteMetadataBlock and ClfsBaseFlushMetadata. The diff between the vulnerable and fixed builds shows new conditional branches that compare offset values against buffer size constants, with early-exit error handling when validation fails. These checks are consistent with Microsoft's broader pattern of hardening CLFS metadata parsing, which has been a recurring source of elevation-of-privilege vulnerabilities.

Detection

YARA Rule

rule CVE_2023_28252_CLFS {
    meta:
        description = "Detects vulnerable version of clfs.sys (pre-patch)"
        cve = "CVE-2023-28252"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "clfs.sys" wide ascii nocase
        $blf_marker = { 42 4C 46 30 }
        $vuln_build = "10.0.22621.1265" wide ascii
        $func_write_meta = "WriteMetadataBlock" ascii
        $func_flush_meta = "FlushMetadata" ascii
    condition:
        $mz at 0 and $driver_name and $vuln_build and ($blf_marker or $func_write_meta or $func_flush_meta)
}

ETW Indicators

Provider Event / Signal Relevance
Microsoft-Windows-CLFS Event ID 6 (Container create/extend) Fires when a BLF container operation triggers the vulnerable WriteMetadataBlock path
Microsoft-Windows-Kernel-Audit Token modification events Detects SYSTEM token swap following successful exploitation
Microsoft-Windows-Security-Auditing Event ID 4672 (Special privileges assigned) Low-privilege process suddenly acquiring SeDebugPrivilege or SeTcbPrivilege after BLF interaction
Microsoft-Windows-Security-Auditing Event ID 4688 (Process creation) Post-exploitation child process spawned with SYSTEM integrity from a previously unprivileged parent
Microsoft-Windows-Kernel-Process Process token change Detects the EPROCESS token pointer overwrite used in the Nokoyawa exploitation chain

Behavioral Indicators

  • A low-privileged process calls CreateLogFile on a crafted .blf file with an abnormally large or negative cbSymbolZone field in the base metadata block
  • Burst of paged pool allocations via NtQuerySystemInformation immediately before the CreateLogFile call, consistent with pool feng shui spray patterns
  • Process token replacement observed at runtime: a standard user process suddenly holds SYSTEM-level token without going through legitimate elevation paths (e.g., UAC, service control manager)
  • Presence of suspicious .blf files in user-writable directories (e.g., %TEMP%, %APPDATA%) with metadata block offsets that exceed the file size
  • Post-exploitation deployment of ransomware payloads or security tooling termination from the newly elevated process

References