CVE-2024-49138
Common Log File System -- heap overflow in LoadContainerQ allows EoP
Exploited in the Wild
This vulnerability was exploited in the wild before or shortly after patching.
Summary
| Field | Value |
|---|---|
| Driver | clfs.sys |
| Vulnerability Class | Buffer Overflow / Bounds Check |
| Vulnerable Build | 10.0.22621.4541 (KB5046617) |
| Fixed Build | 10.0.22621.4601 (KB5048685) |
| Exploited ITW | Yes |
Affected Functions
CClfsBaseFilePersisted::LoadContainerQLoadContainerQ
Root Cause
The Common Log File System (clfs.sys) has been one of the most exploited kernel subsystems in Windows history. BLF (Base Log File) files store metadata about log containers in structured arrays. When a BLF file is opened, CClfsBaseFilePersisted::LoadContainerQ parses the container descriptor array from the file and loads it into kernel pool memory.
The vulnerability is a bounds check failure in this loading process. The BLF file's container descriptor array contains index values that reference entries within the array. LoadContainerQ uses these index values without validating that they fall within the bounds of the allocated container array. A crafted BLF file can contain an index value that exceeds the array size, causing the function to read or write past the end of the allocated buffer.
Since BLF files are user-writable (CLFS APIs like CreateLogFile are accessible from unprivileged contexts), an attacker can craft a malicious BLF file with out-of-bounds container indices and trigger the overflow by opening the log. The result is a heap overflow in the kernel's NonPagedPoolNx with attacker-controlled overflow size.
The in-the-wild exploitation confirms that this is a practical, weaponizable vulnerability.
AutoPiff categorizes this as bounds_check with detection rules:
added_len_check_before_memcpyadded_index_bounds_check
Exploitation
The attacker creates a BLF file in a user-writable temporary directory with manipulated container descriptor arrays. The container index values are set to exceed the allocated array bounds, and the container descriptor data is crafted to produce a controlled overflow when loaded.
Before opening the malicious BLF file, the attacker sprays the kernel pool with named pipe objects or pipe attributes sized to fill the same pool bucket, creating a predictable layout. When LoadContainerQ processes the crafted BLF, the out-of-bounds index causes a write past the container array allocation, corrupting adjacent pool objects.
The corrupted pool object provides a read/write primitive (via corrupted pipe attribute metadata or similar). The attacker escalates to arbitrary kernel read/write and performs a token swap on the current process's EPROCESS for SYSTEM privilege escalation.
HN Security's analysis (linked below) provides a detailed walkthrough of the BLF format manipulation and heap overflow mechanics.
Patch Analysis
The fix in KB5048685 adds bounds checking on container index values in LoadContainerQ. Before accessing the container array, the patched code validates that each index falls within the allocated array bounds. Out-of-bounds indices cause the BLF load to fail with an error status rather than proceeding with the invalid access.
AutoPiff detects this via added_len_check_before_memcpy and added_index_bounds_check.
Detection
YARA Rule
rule CVE_2024_49138_CLFS {
meta:
description = "Detects vulnerable version of clfs.sys (pre-patch)"
cve = "CVE-2024-49138"
author = "KernelSight"
severity = "high"
strings:
$mz = { 4D 5A }
$driver_name = "clfs.sys" wide ascii nocase
$internal_name = "InternalName" wide
$vuln_version = "10.0.22621.4541" wide ascii
$blf_marker = { 42 4C 46 30 }
$func_load = "LoadContainerQ" ascii
condition:
$mz at 0 and $driver_name and $internal_name and $vuln_version
}
rule CVE_2024_49138_BLF_Exploit {
meta:
description = "Detects crafted BLF file targeting LoadContainerQ heap overflow"
cve = "CVE-2024-49138"
author = "KernelSight"
severity = "high"
strings:
$blf_magic = { 42 4C 46 30 }
$overflow_pattern = { ?? ?? ?? ?? ?? ?? 00 00 FF FF FF 7F }
condition:
$blf_magic at 0 and $overflow_pattern in (0..4096)
}
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
Microsoft-Windows-CLFS |
BLF file open/create events | Detects creation or opening of CLFS log files used as the attack entry point |
Microsoft-Windows-Kernel-Audit |
Token modification events | Captures privilege escalation via token swap after heap overflow exploitation |
Microsoft-Windows-Security-Auditing |
Event 4688 -- Process creation | Identifies unexpected SYSTEM-level process creation following BLF manipulation |
Microsoft-Windows-Kernel-Process |
Process token changes | Detects the token pointer overwrite used to escalate from standard user to SYSTEM |
Behavioral Indicators
- An unprivileged process calling
CreateLogFileto open or create BLF log files with manipulated container descriptor arrays, triggering the heap overflow inLoadContainerQ - Heap overflow in NonPagedPoolNx during CLFS base file metadata loading, with the overflow size controlled by a crafted container index value exceeding the allocated container array bounds
- Pool spray activity using named pipe objects or pipe attributes immediately before BLF file operations, grooming the heap for reliable adjacent allocation control
- Rapid privilege escalation of a low-integrity process to SYSTEM without corresponding UAC prompt or service control manager interaction
- BLF files appearing in user-writable temp directories with abnormal container descriptor counts or offset values that exceed the base record allocation size
Broader Significance
CVE-2024-49138 is yet another entry in the long list of CLFS vulnerabilities that have been exploited in the wild (joining CVE-2023-23376, CVE-2022-37969, and CVE-2023-28252, among others). The CLFS BLF format is essentially a file format parser running at ring 0, and file format parsers are notoriously difficult to make safe. Each BLF structure contains arrays of descriptors with index and offset fields that can be individually manipulated, creating a large combinatorial space of potential bounds-check failures. The repeated exploitation of CLFS suggests that the attack surface is well-understood by threat actors and that defensive teams should treat BLF file creation from unprivileged processes as a high-confidence indicator of exploitation activity.