CVE-2023-36424
Common Log File System — pool overflow from unvalidated reparse data
Summary
| Field | Value |
|---|---|
| Driver | clfs.sys |
| Vulnerability Class | Pool Hardening |
| Vulnerable Build | 10.0.22621.2506 (KB5031455) |
| Fixed Build | 10.0.22621.2715 (KB5032190) |
| Exploited ITW | No |
Affected Functions
- CClfsBaseFilePersisted::FlushImage
- ClfsBaseFlush
Root Cause
AutoPiff categorizes this as pool_hardening with detection rules:
- pool_allocation_null_check_added
- deprecated_pool_api_replacement
Exploitation
Patch Analysis
Detection
YARA Rule
```yara
rule CVE_2023_36424_CLFS {
    meta:
        description = "Detects vulnerable version of clfs.sys (pre-patch)"
        cve = "CVE-2023-36424"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "clfs.sys" wide ascii nocase
        $vuln_build = "10.0.22621.2506" wide ascii
        $flush_func = "CClfsBaseFilePersisted::FlushImage" ascii
        $base_flush = "ClfsBaseFlush" ascii
    condition:
        $mz at 0 and $driver_name and $vuln_build and any of ($flush_func, $base_flush)
}
```
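The YARA rule above matches only the literal build string `10.0.22621.2506`, so a driver from an earlier build on the same branch would not hit `$vuln_build`. The following added example (not code from the advisory or from KernelSight) complements it with an ordered comparison against the Vulnerable/Fixed builds from the Summary table. It assumes the `FileVersion` string has already been read from the driver, for instance with `(Get-Item C:\Windows\System32\drivers\clfs.sys).VersionInfo.FileVersion` in PowerShell; the helper names `parse_version`, `classify` and `triage` are this example's own, and all sample version strings and host names are constructed.

```python
r"""Classify a clfs.sys FileVersion string against the CVE-2023-36424 build table.

Added example, not part of the advisory or of KernelSight's tooling. It
assumes the version string was obtained separately, e.g. in PowerShell via
(Get-Item C:\Windows\System32\drivers\clfs.sys).VersionInfo.FileVersion.
All sample version strings and host names below are constructed.
"""
import re

VULNERABLE_BUILD = "10.0.22621.2506"  # KB5031455, from the advisory
FIXED_BUILD = "10.0.22621.2715"       # KB5032190, from the advisory

_DOTTED_QUAD = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the leading dotted-quad of a FileVersion string as an int tuple.

    Version resources usually carry a suffix, e.g.
    '10.0.22621.2506 (WinBuild.160101.0800)'; only the numeric prefix
    matters for ordering, and tuple comparison orders it correctly.
    """
    match = _DOTTED_QUAD.search(text)
    if not match:
        raise ValueError(f"no dotted-quad version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(version_text):
    """Map a clfs.sys version to 'vulnerable', 'patched' or 'other-branch'.

    Assumption of this example: on the 22621 branch every build below the
    fixed build is treated as unpatched, not only the single build the
    advisory names. Other OS branches (e.g. 10.0.19045.x) have their own
    build numbers that the advisory does not list, so they are reported
    separately rather than guessed at.
    """
    version = parse_version(version_text)
    fixed = parse_version(FIXED_BUILD)
    if version[:3] != fixed[:3]:
        return "other-branch"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory):
    """Summarise a {host: version_string} mapping into {status: [hosts]}."""
    report = {"vulnerable": [], "patched": [], "other-branch": []}
    for host, version_text in sorted(inventory.items()):
        report[classify(version_text)].append(host)
    return report


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    sample = {
        "ws01": "10.0.22621.2506 (WinBuild.160101.0800)",
        "ws02": "10.0.22621.2715 (WinBuild.160101.0800)",
        "ws03": "10.0.22621.2428 (WinBuild.160101.0800)",
        "srv01": "10.0.19045.3693 (WinBuild.160101.0800)",
    }
    for status, hosts in triage(sample).items():
        print(f"{status:13s} {', '.join(hosts) or '-'}")
```

Running the block on the constructed inventory reports ws01 and ws03 as vulnerable, ws02 as patched, and srv01 as a branch this advisory does not cover; the YARA rule alone would have flagged only ws01.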
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-CLFS | BLF file create/flush operations | Monitors Common Log File System activity for crafted log files that trigger the pool overflow |
| Microsoft-Windows-Kernel-Audit | Token modification (Event ID 4672) | Captures privilege escalation resulting from pool corruption |
| Microsoft-Windows-Security-Auditing | Object access on .blf files (Event ID 4663) | Detects creation or manipulation of CLFS base log files used to deliver the malformed reparse data |
| Microsoft-Windows-Kernel-Process | Process token change | Detects the exploiting process obtaining elevated privileges after pool corruption |
Behavioral Indicators
- A user-mode process creates or opens .blf (Base Log File) files with malformed reparse data designed to trigger an overflow during the FlushImage code path
- Kernel pool allocations in the paged or non-paged pool show corruption patterns consistent with an overflow from a CLFS metadata buffer overrunning its allocation boundary
- Pool spray operations using objects of a specific size to groom adjacent allocations and position a controllable victim object next to the overflowed CLFS buffer
- A non-privileged process calling CLFS APIs (CreateLogFile, FlushLogBuffers) in unusual patterns without legitimate logging activity
- Bugcheck BAD_POOL_HEADER or POOL_CORRUPTION_IN_FILE_AREA on systems where exploitation fails, indicating pool metadata was overwritten
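The ETW table and the indicators above describe two signals a detection pipeline can join: repeated .blf object access (Event ID 4663) by a non-privileged process, and a later privilege event (Event ID 4672) for the same process. The following added example (not code from the advisory or from KernelSight) implements both correlations over constructed audit records. It assumes the records have already been normalised into dicts with `ts`, `id`, `pid`, `image`, `object` and `integrity` fields by an ingestion pipeline; in particular a real 4672 record identifies a logon session rather than a process, so the join to a PID is assumed to have been done upstream. The function names `blf_bursts`, `blf_then_privilege` and `detect`, the thresholds, and every sample record are this example's own.

```python
"""Correlate normalised Windows audit events into the CLFS behavioral indicators.

Added example, not part of the advisory or of KernelSight's tooling. Assumes
an ingestion pipeline has already normalised events to dicts and joined each
4672 (privilege) event to the PID of the process it concerns. SAMPLE_EVENTS
is constructed for illustration and is not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # Constructed: a medium-integrity process repeatedly touches a .blf file,
    # then a privilege event is recorded for the same PID shortly afterwards.
    {"ts": "2024-01-10T09:00:01", "id": 4663, "pid": 4120,
     "image": r"C:\Users\alice\tmp\stage.exe",
     "object": r"C:\Users\alice\tmp\s.blf", "integrity": "medium"},
    {"ts": "2024-01-10T09:00:02", "id": 4663, "pid": 4120,
     "image": r"C:\Users\alice\tmp\stage.exe",
     "object": r"C:\Users\alice\tmp\s.blf", "integrity": "medium"},
    {"ts": "2024-01-10T09:00:03", "id": 4663, "pid": 4120,
     "image": r"C:\Users\alice\tmp\stage.exe",
     "object": r"C:\Users\alice\tmp\s.blf", "integrity": "medium"},
    {"ts": "2024-01-10T09:00:10", "id": 4672, "pid": 4120,
     "image": r"C:\Users\alice\tmp\stage.exe", "privileges": "SeDebugPrivilege"},
    # Constructed: an already-privileged service writing its own log is
    # ordinary CLFS usage and must not be flagged.
    {"ts": "2024-01-10T09:01:00", "id": 4663, "pid": 812,
     "image": r"C:\Windows\System32\svchost.exe",
     "object": r"C:\Windows\System32\LogFiles\svc.blf", "integrity": "system"},
]

# Thresholds are this example's assumptions; tune them to local baselines.
BLF_BURST_COUNT = 3                    # .blf accesses needed to call it a burst
BLF_BURST_WINDOW = timedelta(seconds=60)
PRIV_WINDOW = timedelta(seconds=120)   # max gap between .blf access and 4672
NON_PRIVILEGED = {"low", "medium"}     # integrity levels treated as unprivileged


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def is_blf_access(event):
    """True for a 4663 object-access event whose target is a .blf file."""
    return event["id"] == 4663 and event.get("object", "").lower().endswith(".blf")


def blf_bursts(events):
    """Indicator: a non-privileged process with BLF_BURST_COUNT .blf accesses
    inside BLF_BURST_WINDOW (the 'unusual patterns' indicator above)."""
    per_pid = defaultdict(list)
    for event in events:
        if is_blf_access(event) and event.get("integrity") in NON_PRIVILEGED:
            per_pid[event["pid"]].append(_ts(event))
    findings = []
    for pid, times in per_pid.items():
        times.sort()
        for i in range(len(times) - BLF_BURST_COUNT + 1):
            if times[i + BLF_BURST_COUNT - 1] - times[i] <= BLF_BURST_WINDOW:
                findings.append({"rule": "blf_burst", "pid": pid})
                break  # one finding per process is enough
    return findings


def blf_then_privilege(events):
    """Indicator: a .blf access by a non-privileged process followed within
    PRIV_WINDOW by a 4672 privilege event for the same PID."""
    findings = []
    last_blf = {}
    for event in sorted(events, key=_ts):
        if is_blf_access(event) and event.get("integrity") in NON_PRIVILEGED:
            last_blf[event["pid"]] = _ts(event)
        elif event["id"] == 4672 and event["pid"] in last_blf:
            if _ts(event) - last_blf[event["pid"]] <= PRIV_WINDOW:
                findings.append({"rule": "blf_then_privilege",
                                 "pid": event["pid"],
                                 "privileges": event.get("privileges")})
    return findings


def detect(events):
    """Run both correlations and return the combined list of findings."""
    return blf_bursts(events) + blf_then_privilege(events)


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On the constructed records the process with PID 4120 produces both a `blf_burst` and a `blf_then_privilege` finding, while the system-integrity service that writes its own log file produces none; the integrity filter is what keeps routine CLFS logging by privileged services out of the alert stream.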