Skip to content

CVE-2023-36424

Common Log File System -- pool overflow from unvalidated reparse data

Summary

Field Value
Driver clfs.sys
Vulnerability Class Pool Hardening
Vulnerable Build 10.0.22621.2506 (KB5031455)
Fixed Build 10.0.22621.2715 (KB5032190)
Exploited ITW No

Affected Functions

  • CClfsBaseFilePersisted::FlushImage
  • ClfsBaseFlush

Root Cause

The Common Log File System (clfs.sys) is the Windows kernel's transactional logging subsystem. It manages Base Log Files (.blf files), which store metadata about log containers, including container descriptors, client contexts, and other internal state. When a CLFS log is opened or flushed, the driver parses the BLF file's on-disk structures and loads them into kernel pool memory.

The vulnerability is in CClfsBaseFilePersisted::FlushImage and its helper ClfsBaseFlush. When the driver flushes the in-memory log image back to disk (or loads a log from disk), it processes reparse-like metadata embedded in the BLF structure. The allocation size for the kernel pool buffer is derived from one set of fields in the BLF metadata, but the subsequent copy operation uses a different, potentially larger length value from the same structure. If these values are inconsistent (which a crafted BLF file can arrange), the copy overruns the allocated pool buffer.

Because BLF files are user-writable and CLFS APIs like CreateLogFile are accessible from unprivileged contexts, an attacker can craft a malicious BLF file and trigger the overflow by opening the log.

The patch also modernized the pool allocation API, replacing deprecated calls with their safer equivalents. AutoPiff categorizes this as pool_hardening with detection rules:

  • pool_allocation_null_check_added
  • deprecated_pool_api_replacement

Exploitation

The pool overflow gives a relative write into adjacent kernel pool allocations. The attacker crafts a .blf file with manipulated metadata fields that create a size mismatch between the allocation and the copy. Before opening the malicious log, the attacker sprays the kernel pool with objects of the correct size class, creating a predictable layout. The overflow corrupts an adjacent object's header or data fields, which the attacker then manipulates through normal API calls to build an arbitrary read/write primitive.

From arbitrary read/write, the exploitation follows the well-trodden path of locating the current process's EPROCESS structure and swapping its token with the SYSTEM token.

Failed exploitation attempts on this bug tend to produce BAD_POOL_HEADER or POOL_CORRUPTION_IN_FILE_AREA bugchecks, which defenders can use as a signal.

Patch Analysis

The patch in KB5032190 addresses both the overflow and the pool allocation hygiene. The vulnerable code path now validates that the data length does not exceed the allocated buffer size before performing the copy. Additionally, deprecated pool allocation APIs (ExAllocatePoolWithTag) were replaced with their modern counterparts that include mandatory null checks and pool type enforcement.

AutoPiff detects this via pool_allocation_null_check_added and deprecated_pool_api_replacement.

Detection

YARA Rule

rule CVE_2023_36424_CLFS {
    meta:
        description = "Detects vulnerable version of clfs.sys (pre-patch)"
        cve = "CVE-2023-36424"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "clfs.sys" wide ascii nocase
        $vuln_build = "10.0.22621.2506" wide ascii
        $flush_func = "CClfsBaseFilePersisted::FlushImage" ascii
        $base_flush = "ClfsBaseFlush" ascii
    condition:
        $mz at 0 and $driver_name and $vuln_build and any of ($flush_func, $base_flush)
}

ETW Indicators

Provider Event / Signal Relevance
Microsoft-Windows-CLFS BLF file create/flush operations Monitors Common Log File System activity for crafted log files that trigger the pool overflow
Microsoft-Windows-Kernel-Audit Token modification (Event ID 4672) Captures privilege escalation resulting from pool corruption
Microsoft-Windows-Security-Auditing Object access on .blf files (Event ID 4663) Detects creation or manipulation of CLFS base log files used to deliver the malformed reparse data
Microsoft-Windows-Kernel-Process Process token change Detects the exploiting process obtaining elevated privileges after pool corruption

Behavioral Indicators

  • A user-mode process creates or opens .blf (Base Log File) files with malformed reparse data designed to trigger an overflow during the FlushImage code path
  • Kernel pool allocations in the paged or non-paged pool show corruption patterns consistent with an overflow from a CLFS metadata buffer overrunning its allocation boundary
  • Pool spray operations using objects of a specific size to groom adjacent allocations and position a controllable victim object next to the overflowed CLFS buffer
  • A non-privileged process calling CLFS APIs (CreateLogFile, FlushLogBuffers) in unusual patterns without legitimate logging activity
  • Bugcheck BAD_POOL_HEADER or POOL_CORRUPTION_IN_FILE_AREA on systems where exploitation fails, indicating pool metadata was overwritten

Broader Significance

CLFS has been one of the most productive vulnerability surfaces in the Windows kernel. The BLF file format is complex, parsed at high privilege, and accessible from user mode, creating a persistent attacker-friendly intersection. CVE-2023-36424 is one of many CLFS bugs (including CVE-2024-49138, CVE-2023-23376, and CVE-2022-37969) that follow the same pattern: crafted BLF metadata triggers a bounds-check failure during parsing, leading to pool corruption and privilege escalation. The CLFS attack surface is essentially a file-format fuzzing target that runs in ring 0.

References