Understanding the CVE-2022-37969 Windows Common Log File System Driver Local Privilege Escalation

In this article we would like to share the analysis and work done on CVE-2022-37969 to build a functional PoC based on previously published information by Zscaler. Here we will complement the available information by adding details, guiding the reader to the in-depth understanding of the vulnerability, exploiting it, reversing the patch, and the creation of a functional PoC.

Here is a summary of the exploitation walkthrough

Creating the initial BLF log file
Creating multiple random BLF log files
Crafting the initial log file
Performing a controlled Heap Spray
Preparing the methods CreatePipe() / NtFsControlFile()
Once memory is prepared, the vulnerability will be triggered
Reading the System Token
Validating the token
Overwrite our process token with the system one
Executing process as system
Reversing the Patch: Analyzing the structures
Corrupting the “pContainer” pointer
Revisiting the Patch
Corrupting the SignatureOffset
Corrupting more values
Controlling the functions that allows to read the SYSTEM token
Write our own process to achieve the local privilege escalation
PoC source code

The scenario used here was completed in Windows 11 21H2 (OS Build 22000.918) clfs.sys v10.0.22000.918.

Creating the Initial BLF Log File

The first step is to create a file named MyLog.blf in the public folder (%public%), by using the CreateLogFile() function:

cve-2022-37969_image_02_create_base_log_file

Creating Multiple Random BLF Log Files

It will then create several log files with random names using a Loop.

And within the loop, it calls to our getBigPoolInfo() function:

It calls the NtQuerySystemInformation(), with 0x42 (66 decimal) as the first argument. It will return the information in v5 about the raids made in the bigpool, whose structure is of type SYSTEM_BIGPOOL_INFORMATION.

cve-2022-37969_image_05_system_big_pool_infor

This function needs to be called twice. The first one will return an error, but will give us the correct size of the buffer needed to call the second time to obtain the desired information.

cve-2022-37969_image_06_fn_nt_query_system_info

v5 will receive the information of the SYSTEM_BIG_POOL_INFORMATION structure.

The number of allocations in the bigpool is stored in the first field called Count. In the second field there is an array of structures called SYSTEM_BIGPOOL_ENTRY.

cve-2022-37969_image_08_system_big_pool_entry_layout

From there we’ll search through all the structures for the "Clfs" tag and the size 0x7a00.

The VirtualAddress is stored in an array called kernelAddrArray, which is the first field of each structure that has CLFS tag and size 0x7a00. We’ll call the pools that meet both conditions “right pools.”

cve-2022-37969_image_11_right_pool_array

In addition to storing each right pool in the array, it stores the last right pool found in the content of a2 variable, which is used as an argument of the function.

In this way a2 always points to the last right pool with CLFS tag and size 0x7a00 created.

The variable v26 always stores the previous right pool found since it is equal to v24 (v26=v24), before calling getBigPoolinfo(), but v24 is updated when leaving this call with the last right pool found, and v26 stays with the previous right pool.

It then subtracts both directions, and, in case the result is negative, inverts the operands so that it is always positive.

In this way v32 will store the difference between the VirtualAddress of the last two right pools found.

Then it performs a similar action. In this case v23 is initially zero so it does v23=v32 the first time.

The next time it still has the same value in loop v23 and is not zero, so it breaks and goes here.

V32 has the last difference. If v32 and v23 they are equal, it comes out and increments one, but resets the counter to zero.

The idea is to find six consecutive comparisons of CLFS tags and size 0x7a00 whose differences are equal. That difference will be 0x11000. When executing this, we will see that when it finds six (since it starts from scratch) consecutive with equal distances it will display the value of difference between them.

There we see that six consecutive comparisons were found, leaving the loop of log creation files.

In the "public" folder we can see the files created:

Crafting the initial log file:

Our craftFile() function opens the original file (MyLog.blf) and modifies it to trigger the bug.

After modifying the file, it's necessary to change the CRC32, otherwise we'll get a corrupt file error.

This value is located at offset 0x80C of the file.

cve-2022-37969_image_21_crccalculatorandfix

Performing a Controlled Heap Spray

Next, it performs a HeapSpray, using the VirtualAlloc() function to allocate memory, at arbitrary addresses 0x10000 and 0x5000000 respectively, and saving in the second allocation (0x10000), the value 0x5000000, every 0x10 bytes.

Preparing the Methods CreatePipe() / NtFsControlFile()

CreatePipe() is used to create an anonymous pipe and call NtFsControlFile() using 0x11003c as an argument to add an attribute. Later you can call this same function with the 0x110038 argument to read it.

More details of this method can be found HERE.

cve-2022-37969_image_23_ntfs_control_file

Next we see the input buffer, which is the attribute we are adding. If we call NtFsControlFile() again with the argument 0x11038 in the output, it should return this same attribute.

Search the pool for the tag of the created attribute (NpAt).

When it finds it, it saves it in v30.Pointer, which is the VirtualAddress of this pool.

V30.pointer+24 points to the AttributeValueSize in the kernel pool and saves it in one of the HeapSprays we’ve made before.

The idea is to write to that kernel address+8 in order to overwrite the AttributeValue.

cve-2022-37969_image_27_attribute_value_size

cve-2022-37969_image_28_list_entry_structure

The PipeAttribute structure has a LIST_ENTRY as its first field, which has a size of 16 bytes. It then has a pointer to the name of the attribute which has a size of 8 bytes. It then comes in 0x18 (24 decimal), which is the AttributeValueSize field that in which we are storing in the HeapSpray.

After that, we load in CLFS.sys and ntoskrnl in usermode. By using GetProcAddress(), we find the addresses of the ClfsEarlierLsn() and SeSetAccessStateGenericMapping() functions.

cve-2022-37969_image_29_load_library_exw

Then we call the FindKernelModulesBase() function that will find the kernel base of both same modules using NtquerySystemInformation(), this time with the SystemModuleInformation argument needed to return the info about all the modules.

In this way, we can calculate the offset of each function, and then obtain them in kernel.

cve-2022-37969_image_31_calculate_offset

Once Memory is Prepared, the Vulnerability Will Be Triggered:

The pipeArbitraryWrite() function is called twice, there is a flag that initially is zero for the first call and when it is value 1 in the second call, it will change the values of the HeapSpray.

cve-2022-37969_image_32_pipe_arbitrary_write

In the first call in the 0x5000000 memory address, the following values are located:

Remember that this value, in addition to alloc in that direction, is stored in our HeapSpray.

cve-2022-37969_image_34_alloc_heap_spray

This is the memory after the first call, in the address of around 0x5000000:

cve-2022-37969_image_35_memory_after_first_call

And in the HeapSpray from memory 0x10000 it will store the pointer to AttributeValueSize every 0x10 bytes, besides the pointer to 0x5000000.

cve-2022-37969_image_36_attributevaluesize

Reading the System Token:

This sequence will trigger the bug:

CreateLogFile() is called again on the crafted file and then another with a random name.

AddLogContainer() is then called using the handles of those files.

cve-2022-37969_image_38_call_add_log_container

The NtSetinformationFile() is called, and the handles are closed with which the pointer is corrupted. (This will be explained later.)

cve-2022-37969_image_39_ntsetinformationfile

The HeapSpray prevents a BSOD from occurring at this point:

cve-2022-37969_image_40_call_guard_dispatch_icall_fptr

Setting a breakpoint there, we can see that the pointer is corrupt and points to our HeapSpray, with which we can handle the next two function calls of the vtable.

RAX takes the value 0x5000000 and jumps first to the function located at 0x5000000+18 and then to 0x5000000+8.

cve-2022-37969_image_43_rax_takes_value_0x50000000

cve-2022-37969_image_44_pipe_arbitrary_write_puint64

So the first jump is to fnClfsEarlierLsn() and then to fnSeSetAccessStateGenericMapping().

Tracing from the breakpoint, we can see that it reaches CLFS!ClfsEarlierLsn().

cve-2022-37969_image_45_reaches_clfs_earlier_lsn

This function is called exclusively because when it returns, it sets EDX to 0xFFFFFFFF.

cve-2022-37969_image_46_called_exclusively

In the address 0xFFFFFFFF we had stored the result of the SYSTEM _EPROCESS & 0xFFFFFFFFFFFFFFF000.

cve-2022-37969_image_47_stored_result_system_eprocess

As we mentioned, when returning from CLFS!ClfsEarlierLsn(), the RDX value is 0x00000000FFFFFFFF.

cve-2022-37969_image_48_returning_clfs_clfsearlierlsn_rdx

We then come to the second function of nt!SeSetAccessStateGenericMapping().

cve-2022-37969_image_49_sesetaccessstategenericmapping

This function is useful, since RCX points to our HeapSpray and the RDX value, whose content we control, is 0xFFFFFFFF.

cve-2022-37969_image_50_useful_function_rcx

cve-2022-37969_image_51_controlled_content

The content of RCX+0x48 has the pointer to AttributeValueSize that was stored in v30.Pointer+24

cve-2022-37969_image_52_struct_pipe_attribute_attribute_value_size

That pointer value of AttributeValueSize is moved to RAX. It then reads the contents of the address 0xFFFFFFFF, where we had stored the address of the SYSTEM _EPROCESS & 0xFFFFFFFFFFFFFFF000.

cve-2022-37969_image_55_system_e_process

It then overwrites the next field in RAX+8, which is the AttributeValue().

cve-2022-37969_image_56_overwrites_next_field_rax8

Of course, the AttributeValue would normally point to the attribute we added in kernel.

cve-2022-37969_image_58_normally_point_to_attribute

And now we’ll overwrite it with a pointer of the result of the system _EPROCESS & 0xFFFFFFFFFFFFFFF00.

This will mean that when we call the NtFsControlFile() function again, (this time with the 0x110038 argument to read the attribute instead of returning the "A” that were pointed by the AttributeValue pointer) it will now read the requested number of bytes from _EPRROCESS & 0xFFFFFFFFFFFFFFFFF000 and return it in the output buffer with which we can obtain in the first call the value of the SYSTEM TOKEN.

cve-2022-37969_image_59_return_in_output_buffer

v9b is the start address of the Output Buffer where the content of the result of System EPROCESS & 0xFFFFFFFFFFFFFFF000 were copied.

To that we’ll add v14, which are the last 3 bytes of the System EPROCESS. Then 0x4b8, which is the offset of Token for this version of Windows 11, will find the contents of that address that will have saved the value of the System Token.

cve-2022-37969_image_60_v14_system_eprocess

cve-2022-37969_image_61_system_token_value

Validating the Token

cve-2022-37969_image_62_validating_token

Remember that the last 4 bits were changed. As this is not significant, the value still matches.

Overwrite Our Process Token With the System One

In the second call the value of the Flag is 1, since it was incremented at the end of the first call.

cve-2022-37969_image_63_overwrite_process_token

There we see the order in which the values are stored.

We can see the address 0xFFFFFFFF with the value we have just found of the System Process Token.

cve-2022-37969_image_65_address_value_system_token

cve-2022-37969_image_66_ffffd1075e857117

The value of the Token address of my process is in the HeapSpray. From this, we’ll subtract 8. This value plus eight will be used as a target. Remember that we wrote on the address pointed by RAX+8.

cve-2022-37969_image_67_process_token_address_heapspray

cve-2022-37969_image_68_address_pointed_rax8

Here is the memory address starting on 0x5000000.

cve-2022-37969_image_69_rip_system_token_value

We also see that it uses the name of other container, since the previous one being used by the system process cannot be opened again or deleted.

cve-2022-37969_image_70_name_of_other_container

Then the bug is triggered for the second time in the same way as it was on the first try.

It comes again to CLFS!ClfsEarlierLsn().

cve-2022-37969_image_72_comes_again_clfs

Then it sets RDX to 0xFFFFFFFF.

cve-2022-37969_image_73_sets_rdx_to_0xfffffff

Then it comes to nt!SeSetAccessStateGenericMapping().

cve-2022-37969_image_74_nt_sesetaccessstategenericmapping

Read the address of the Token of the process (minus 8) where it is going to write.

cve-2022-37969_image_75_read_address_of_token

We can then read the SYSTEM TOKEN.

cve-2022-37969_image_76_read_system_token

It then writes in the address of the Token of the process (adding 8), which is the System Token.

This way, the process is with the System Token.

cve-2022-37969_image_77_process_with_system_token

Once the token is written, we can start a process to check the privileges. In this case, we’ll launch Notepad.exe.

Executing Process as System

cve-2022-37969_image_79_untitled_notepad

cve-2022-37969_image_80_exe_authority_system

Remember that this POC only works in Windows 11. In Windows 10 it will produce a BSOD, so you should make some modifications to work correctly, it is not covered in this blogpost.

Reversing the Patch:

Analyzing the Structures

We have taken the structures and most of the documentation on the CLFS file format from IONESCU's excellent work on CLFS Internals.

We can see that a check has been added in the function ClfsBaseFilePersisted::LoadContainerQ.

cve-2022-37969_image_81_analyzing_structures

The values that perform an addition, belongs to the _CLFS_BASE_RECORD_HEADER structure.

cve-2022-37969_image_82_clfs_base_record_header

Note that the Base Block starts at offset 0x800 of the file, and ends at offset 0x71FF, corresponding the first 0x70 bytes to the Log Block Header.

As a good practice, we can add the _CLF_LOG_BLOCK_HEADER structure on IDA:

struct _CLFS_LOG_BLOCK_HEADER

{

UCHAR MajorVersion;

UCHAR MinorVersion;

UCHAR Usn;

char ClientId;

USHORT TotalSectorCount;

USHORT ValidSectorCount;

ULONG Padding;

ULONG Checksum;

ULONG Flags;

CLFS_LSN CurrentLsn;

CLFS_LSN NextLsn;

ULONG RecordOffsets[16];

ULONG SignaturesOffset;

};

Then we have the Base Record Header (_CLFS_BASE_RECORD_HEADER) that starts at the offset 0x870 from the beginning of the file and is 0x1338 bytes long.

cve-2022-37969_image_84_base_record_holder

If you want to import it to IDA, before you must add the following types and missing structures:

typedef GUID CLFS_LOG_ID;
typedef UCHAR CLFS_LOG_STATE;

struct _CLFS_METADATA_RECORD_HEADER

{

ULONGLONG ullDumpCount;

};

Now is ready to be added:

typedef struct _CLFS_BASE_RECORD_HEADER

{

    CLFS_METADATA_RECORD_HEADER hdrBaseRecord;

    CLFS_LOG_ID cidLog;

    ULONGLONG rgClientSymTbl[0x0b];

    ULONGLONG rgContainerSymTbl[0x0b];

    ULONGLONG rgSecuritySymTbl[0x0b];

    ULONG cNextContainer;

    CLFS_CLIENT_ID cNextClient;

    ULONG cFreeContainers;

    ULONG cActiveContainers;

    ULONG cbFreeContainers;

    ULONG cbBusyContainers;

    ULONG rgClients[0x7c];

    ULONG rgContainers[0x400];

    ULONG cbSymbolZone;

    ULONG cbSector;

    USHORT bUnused;

    CLFS_LOG_STATE eLogState;

    UCHAR cUsn;

    UCHAR cClients;

} CLFS_BASE_RECORD_HEADER, *PCLFS_BASE_RECORD_HEADER;

cve-2022-37969_image_85_ulong_cbsymbol_zone

After including the structures, we notice that performs an addition between the cbSymbolZone and the address where the _CLFS_BASE_RECORD_HEADER ends. (start + 1338h)

cve-2022-37969_image_86_clfs_base_record_cbsymbolzone

Remember that cbSymbolZone was modified in the crafted log file from 0x000000F8 to 0x0001114B.

(offset 0x1b98 of the file)

0x800(offset of the start of the Base Block) + 0x70 (logBlockHeader) + 0x1328 (cbsymbolZone)

0x800+0x70+0x1328 = 0x1b98

Crafted cbsymbolZone on MyLog.blf file:

cve-2022-37969_image_87_cbsymbolzone_mylog_blf

cve-2022-37969_image_88_char_cb_symbol_zone_fseek_fwrite

As the patch is in the CClfsBaseFilePersisted::LoadContainerQ function, we have to take a look at the CClfsBaseFilePersisted object.

Setting a breakpoint in CLFS!CClfsBaseFilePersisted::LoadContainerQ and when CreateLogFile is called with the handle of the crafted file it’ll break.

cve-2022-37969_image_89_clfsbase_file_persisted_load_container_q

Call the CClfsBaseFile::GetBaseLogRecord function to get the address of the Base Log Record (_CLFS_BASE_RECORD_HEADER).

cve-2022-37969_image_90_base_log_record_header_call

RAX will point to the _CLFS_BASE_RECORD_HEADER address.

cve-2022-37969_image_91_rax_will_point_to_clfs

Note the _CLFS_BASE_RECORD_HEADER structure in memory and the cbsymbolZone field 0x1328 bytes forward.

cve-2022-37969_image_92_note_clfs_base_record_in_mem

cve-2022-37969_image_93_field_bytes_forward

r14 stores the structure corresponding to the “this”, which is CClfsBaseFilePersisted since it is the this of the function CClfsBaseFilePersisted::LoadContainerQ.

cve-2022-37969_image_94_r14_stores_the_structure

The CClfsBaseFilePersisted structure in memory:

cve-2022-37969_image_95_cclfs_base_file_persisted

So, let's create a structure with length 0x21c0 to complete its fields while we reverse it (it's an undocumented structure) we'll call it struct_CClfsBaseFilePersisted.

cve-2022-37969_image_96_create_a_structure

Inside the function CClfsBaseFile::GetBaseLogRecord() gets the pointer to _CLFS_BASE_RECORD_HEADER and we know that the "this" in that function is the structure: struct_CClfsBaseFilePersisted.

Read two fields (offset 0x28 and 0x30).

cve-2022-37969_image_98_offset_0x28_0x30

Field 0x28 is a word and has the value 6, so we change the type to word in the structure.

cve-2022-37969_image_99_field_0x28_is_a_word

cve-2022-37969_image_100_field_28_struct_cclfs_base_file

cve-2022-37969_image_101_public_cclfs_base_file_persisted

cve-2022-37969_image_102_rename_it_constant_6

For now, we rename it to constant 6 (const_6).

cve-2022-37969_image_103_metadata_blocks

According to the documentation, 6 would be the number of blocks CLFS_METADATA_BLOCK_COUNT. The field could refer to this value.

And that pointer is at offset 0x30.

cve-2022-37969_image_104_pointer_offset_0x30

Note that the size shown there includes the header with length 0x10.

cve-2022-37969_image_105_includes_the_header

When the ExAllocatePoolWithTag function is called, a few bytes are requested, but the header is not included, therefore, 0x90 bytes (0xa0 – 0x10) will be requested in the call.

Searching by text +30h], the instructions that write at offset 0x30 we found a long list, but filtering the list by the type of object CClfsBaseFilePersisted leaves us with few results and immediately find where that size is allocated, and the same tag. (Tip: Create and initialize function names, are always the first to look at).

cve-2022-37969_image_108_create_image_mov

Since we still don't know the name, we'll put it pool_0x90, which is another undocumented structure, and we'll create a structure of that size.

The pool_0x90 in memory has another pointer at its own offset 0x30.

This other pointer points to the base block in the file (base block starts at offset 0x800).

cve-2022-37969_image_113_base_block_starts_offset_0x800

Image taken from the Zscaler blogpost:

cve-2022-37969_image_114_zcaler_blogpost

The allocation is huge, because it contains the entire base block.

cve-2022-37969_image_115_huge_allocation

So, we will create a new structure of size 0x7a00 and call it BASE_BLOCK.

The first 70 bytes we already knew correspond to _CLFS_LOG_BLOCK_HEADER and the following 0x1338 to _CLFS_BASE_RECORD_HEADER.

So, adding the start of the Base Block with the offset to the next record (which is 0x70), we get the _CLFS_BASE_RECORD_HEADER.

cve-2022-37969_image_119_adding_start_base_block

The _CLFS_BASE_RECORD_HEADER on memory.

Looking at other methods of the same CClfsBaseFilePersisted object, in CClfsBaseFilePersisted::AddContainer you get with CClfsBaseFile::GetBaseLogRecord also the address of _CLFS_BASE_RECORD_HEADER.

cve-2022-37969_image_121_look_other_methods

Next, call CClfsBaseFile::OffsetToAddr using cbOffset, it gets the address of _CLFS_CONTAINER_CONTEXT, and stores cboffset in the rgbcontainers array which is at offset 0x328 of the _CLFS_BASE_RECORD_HEADER.

cve-2022-37969_image_122_stores_cboffset

CClfsBaseFile::OffsetToAddr function is used to find structures addresses from offset.

At this point, the container offset that will be stored at 0x328 is still 0, because we have not added a container yet.

cve-2022-37969_image_124_container_offset

The PoC calls CreateLogFile twice, the first time with the malformed file MyLog.blf and the second time with the normal MyLogxxx.blf file, so we must stop debugging twice in all the above places and take note in notepad of the addresses of the above structures for both files.

cve-2022-37969_image_125_gets_handle_my_log

Let us fast forward a bit to CLFS!CClfsLogFcbPhysical::AllocContainer by setting a breakpoint on it and running there.

When the AddLogContainer() is reached on the POC, we stop at the breakpoint.

cve-2022-37969_image_126_add_log_container_fast_forward

Let’s also set a breakpoint on the CClfsBaseFilePersisted::AddContainer+176 where we saw before that will find the offset and pointer to the _CLFS_CONTAINER_CONTEXT structure.

cve-2022-37969_image_127_also_set-breakpoint

cve-2022-37969_image_128_keep_starting_index

When the Debugger breaks, we can see that the offset is 0x1468.

cve-2022-37969_image_129_debugger_breaks

In RAX will return the address of the _CLFS_CONTAINER_CONTEXT structure.

cve-2022-37969_image_130_rax_return_the_address

The structure is still empty because it was not added the container yet.

Note that the SignatureOffset=0x50 value that we wrote at offset 0x868 to the malformed file, subtracting the 0x800 from the start of the base block, will be in the _CLFS_LOG_BLOCK_HEADER structure at offset 0x68.

cve-2022-37969_image_132_clfs_log_block_header

cve-2022-37969_image_133_char_signature_offset

When the PoC calls AddLogContainer() function using the malformed file, at offset 0x68 of _CLFS_LOG_BLOCK_HEADER, instead of the 0x50 value we wrote there, is currently a 0xFFFF0050 in memory.

At some point, that value was altered by the program, in order to see when it happened, in the next execution, we will set a memory breakpoint on write.

The offset is stored at r15 + 0x328 (r15 points to the _CLFS_BASE_RECORD_HEADER structure).

cve-2022-37969_image_135_ulong_rg_containers

RBX stores the offset 0x1468.

So, in the Base Block address + 0x70 + the offset 0x1468 that we found out, there will be the address of the CLFS_CONTAINER_CONTEXT container.

cve-2022-37969_image_138_base_block_0x70

In CLFS_CONTAINER_CONTEXT structure at offset 0x18 will be the pContainer pointer that will be stored there, we can set a breakpoint on write and see when it is written.

cve-2022-37969_image_140_breakpoint_on_write

This is the pointer that we must corrupt since in the function where the vulnerability is, it first reads the CLFS_CONTAINER_CONTEXT, then moves it to r15 and next reads the value of r15+18, which is this pointer that we have just set the Breakpoint on write.

It stores the pContainer at offset 0x1c0 of the struct_CClfsBaseFilePersisted structure.

cve-2022-37969_image_143_pcontainer_offset_rdi

After several times that it stops, we reach the moment where it gets corrupted. The top of the pointer address has been changed from FFs to zero.

cve-2022-37969_image_144_moment_of_corruption

This happens when the second AddLogContainer() of the malformed file is called, the pointer of the previous MyLogxxx is corrupted.

The problem occurs because the SignaturesOffset, which should be 0x50, is now 0xFFFF0050, so it allows writing out of bounds in the memset that follows.

Corrupting the “pContainer” Pointer:

The memset() function is going to corrupt the _CLFS_CONTAINER_CONTEXT structure that is below, this structure corresponds to the MyLogxxx file, since when were created, it located them 0x11000 bytes away from each other.

This way, it calculates exactly where to write to the next structure and zeroes out the top of the pointer, so it points to the user heap where the HeapSspray was created.

The base block structure of the malformed file is just 0x11000 before that of the MyLogxxx file.

Malformed:

MyLogxxx:

RCX is smaller than RDX since 0xFFFF0050 was added to, instead of 0x50 as it should be.

cve-2022-37969_image_150_rcx_smaller_than_rdx

And we got to the memset() function, to set the amount of 0xb0 bytes with Zeroes, with RCX pointing to the CLFS_CONTAINER_CONTEXT structure of the MyLogxxx file, specifically to the pContainer five high bytes.

cve-2022-37969_image_151_pcontainer_five_high_bytes

This pointer will be corrupted by overwriting the first bytes:

cve-2022-37969_image_152_corrupted_pointer

Remaining pointing to a memory address previously controlled by us through HeapSpray:

cve-2022-37969_image_153_remaining_pointing_to_memory

Then, the handle of the MyLogxxx file will be closed, and reaches the CClfsBaseFilePersisted::RemoveContainer, the vulnerability finally is triggered.

cve-2022-37969_image_155_handle_mylogxxx_closed

Revisiting the Patch

Now that we have more information, we notice that here it reads the Base_Block.LOG_BLOCK_HEADER.SignaturesOffset and the Base_Block. .LOG_BLOCK_HEADER.TotalSectorCount.

In the first part of the patch that SignaturesOffset should not be greater than 0x7a00, in ours it was originally 0x50, if it arrived with a value greater than 0x7a00 it would throw us out.

cve-2022-37969_image_156_revisiting_patch

Running the PoC in the patched machine, it compares 0x50 with 0x7a00 and since it is smaller it continues.

cve-2022-37969_image_157_running_poc_patched_machine

In the following block, the malformed cbSymbolZone is added to the value of the final address of _CLFS_BASE_RECORD_HEADER and this sum is stored in result_1.

Then, the address of the Base_Block is added with the SignatureOffset value, which in a normal file is 0x7980.

The maximum address of the base_block is 0x7a00, now the SymbolZone is allowed up to 0x80 before the limit.

It will store it in result_2, that is, that would be the maximum limit for the SymbolZone inside the base block, then it compares both results if the first is greater than the second, it means that it went out of bounds.

cve-2022-37969_image_161_compare_results

Obviously the first member will be bigger than the second and it will not continue, since the first sum of the cbSymbolZone + final address of the _CLFS_BASE_RECORD_HEADER exceeds the limit (which is the result_2) and leads in an “out of bounds.”

cve-2022-37969_image_162_exceeds_the_limit

Corrupting the SignatureOffset

The last thing we would have to figure out is where the SignatureOffset value of 0x50 becomes 0xFFFF0050.

So, let's start over, reboot and stop at CLFS!CClfsBaseFilePersisted::LoadContainerQ where the value has not yet been changed in memory and still is 0x50.

Set an access breakpoint at offset 0x68 in SignatureOffset.

cve-2022-37969_image_163_access_breakpoint

And after several stops, we detect the right moment when it modifies the value, in the ClfsEncodeBlockPrivate.

cve-2022-37969_image_164_detect_the_right_moment

This function is not patched, so it could be a behavior caused by the low value of 0x50 and the rest of the values being manipulated.

Among the crafted values, we can see the ccoffsetArray value whose name in the _CLFS_BASE_RECORD_HEADER structure is rgClients and represents the array of offsets that point to the Client Context Object.

The rgClients field is located at offset 0x138 (0x9a8-0x800-0x70) of the _CLFS_BASE_RECORD_HEADER structure.

In the PoC, this value is malformed to point a fake client context object, called FakeClientContext.

cve-2022-37969_image_167_value_is_malformed

cve-2022-37969_image_168_fake_client_context

This is the Client Context structure _CLFS_CLIENT_CONTEXT:

struct _CLFS_CLIENT_CONTEXT

{

CLFS_NODE_ID cidNode;

CLFS_CLIENT_ID cidClient;

USHORT fAttributes;

ULONG cbFlushThreshold;

ULONG cShadowSectors;

ULONGLONG cbUndoCommitment;

LARGE_INTEGER llCreateTime;

LARGE_INTEGER llAccessTime;

LARGE_INTEGER llWriteTime;

CLFS_LSN lsnOwnerPage;

CLFS_LSN lsnArchiveTail;

CLFS_LSN lsnBase;

CLFS_LSN lsnLast;

CLFS_LSN lsnRestart;

CLFS_LSN lsnPhysicalBase;

CLFS_LSN lsnUnused1;

CLFS_LSN lsnUnused2;

CLFS_LOG_STATE eState;

union

{

HANDLE hSecurityContext;

ULONGLONG ullAlignment;

};

};

The eState value is in offset 0x78 from the start of the structure, in the crafted file 0x23a0+0x78.

This value shows the status of the log.

typedef UCHAR CLFS_LOG_STATE, *PCLFS_LOG_STATE;
const CLFS_LOG_STATE CLFS_LOG_UNINITIALIZED    = 0x01;
const CLFS_LOG_STATE CLFS_LOG_INITIALIZED      = 0x02;
const CLFS_LOG_STATE CLFS_LOG_ACTIVE           = 0x04;
const CLFS_LOG_STATE CLFS_LOG_PENDING_DELETE   = 0x08;
const CLFS_LOG_STATE CLFS_LOG_PENDING_ARCHIVE  = 0x10;
const CLFS_LOG_STATE CLFS_LOG_SHUTDOWN         = 0x20;
const CLFS_LOG_STATE CLFS_LOG_MULTIPLEXED      = 0x40;
const CLFS_LOG_STATE CLFS_LOG_SECURE           = 0x80;

This value is set to CLFS_LOG_STATE CLFS_LOG_SHUTDOWN =0x20.

The other malformed value is fAttributes which corresponds to the set of FILE_ATTRIBUTE flags associated with the base log file (such as System and Hidden).

cve-2022-37969_image_171_other_malformed_value

Since the field starts a byte earlier at 0xa and spans two bytes, the value of fAttributes is 0x100.

cve-2022-37969_image_173_value_falattributes

cve-2022-37969_image_174_file_attribute_temporary

Finally, there is the blocknameoffset value that points to the offset 0x1bb8, I mean, by adding 0x78 and 0x800 points to the offset 0x2428 of the file.

cve-2022-37969_image_175_block_name_offset

Note that the offset to the Client Context is 0x1b30.

cve-2022-37969_image_177_offset_to_client_context

So, the Client Context is in offset 0x23a0.

And just 0x10 before, it is the value corresponding to blocknameoffset.

cve-2022-37969_image_180_block_name_offset_0x2390

Which would point to the string name. The last one is the blockattributeoffset which is 0xC before the Client Context at 0x2394.

cve-2022-37969_image_182_0xc_before_client_context

These last two values belong to a structure prior to the Client Context of 0x30 bytes long, called_CLFSHASHSYM.

typedef struct _CLFSHASHSYM
{
    CLFS_NODE_ID cidNode;
    ULONG ulHash;
    ULONG cbHash;
    ULONGLONG ulBelow;
    ULONGLONG ulAbove;
    LONG cbSymName;
    LONG cbOffset;
    BOOLEAN fDeleted;
} CLFSHASHSYM, *PCLFSHASHSYM;

cve-2022-37969_image_183_command_prompt_python

They are at 0x20 and 0x24 bytes from the beginning of the _CLFSHASHSYM structure, so in the _CLFSHASHSYM structure the value called blockNameOffset in the POC is the cbSymName field and the blockAttributteoffset is the cbOffset field.

cve-2022-37969_image_185_block_attribute_offset_is_cboffset

cve-2022-37969_image_186_blockname_blockattribute

Those are the malformed values, now we need to see how they affect to change our SignaturesOffset from 0x50 value to 0xFFFF0050.

Let’s take a look at the CClfsBaseFile::AcquireClientContext() function, which should return the client context.

cve-2022-37969_image_187_struct_clfs_client_context

It calls the CClfsBaseFile::GetSymbol with the fourth argument which will be _CLFS_CLIENT_CONTEXT ** where it will store the pointer to Client Context.

Inside the CClfsBaseFile::GetSymbol function we pass the malformed ccoffsetArray offset to CClfsBaseFile::OffsetToAddr and get the address of the client context, let’s set a breakpoint there so it’ll stop when calling the file created with CreatelogFile.

There it is stopped with the ccoffsetArray crafted argument.

The CClfsBaseFile::OffsetToAddr function returns the false Client Context.

And checks that the value of cbOffset is not zero since 0xC is found before the _CLFS_CLIENT_CONTEXT structure that is in RAX.

Then It compares the cbOffset with the ccoffsetArray (which is in RSI), they must be equal, otherwise we’ll get an error.

It also checks that cbSymName be equal to cbOffset+0x88, if not we’ll get an error too.

cve-2022-37969_image_196_jnz_short_error

And finally, It compares the cidClient byte with zero.

cve-2022-37969_image_197_compares_cidclient

If all those checks are successful, the client context will be saved.

cve-2022-37969_image_198_client_context_saved

The output of function r14 points to Client Context.

cve-2022-37969_image_199_output_of_function_r14

When exiting from CClfsLogFcbPhysical::Initialize we'll have the address of CLFS_CLIENT_CONTEXT.

cve-2022-37969_image_200_cclfs_log_fcb_physical_initialize

Now It reads the value of fAttributes (0x100).

This function belongs to the class CClfsLogFcbPhysical.

cve-2022-37969_image_202_cclfs_log_fcb_physical

Which was allocated here, and its size is 0x15d0 and its tag is “ClfC.”

Let’s create a structure to store what we are reversing, we’ll call it: struct_CClfsLogFcbPhysical.

cve-2022-37969_image_205_create_a_structure

Note that at 0x2b0 it saves the address of the CClfsBaseFilePersisted structure.

After saving many values in the structure, it goes to an important part, it tests the eState with 0x20.

cve-2022-37969_image_207_saving_many_values

cve-2022-37969_image_208_rbx_clfs_client_context

Since the crafted value was 0x20, the test will return 1.

cve-2022-37969_image_210_initialize_bba_rsi

We see that in the constructor in the vtable is

It will check if the file is multiplexed.

So, it goes by the desired path, reaching CClfsLogFcbPhysical::ResetLog.

cve-2022-37969_image_214_initialize_bdd_rsi

Several fields are initialized to zero except one that is initialized to 0xFFFFFFFF00000000.

cve-2022-37969_image_215_several_fields_initialized

Here retrieves the Client Context

it stores the value 0xFFFFFFFF00000000.

cve-2022-37969_image_217_stores_value_of_0xfffff00000

cve-2022-37969_image_219_00_00_00_00_ff_ff_ff

It writes 0xFFFFFFFF is offset 0x5c which is the high part of CLFS_LSN lsnRestart.ullOffset.

cve-2022-37969_image_221_clfs_lsn_lsnrestart

Now we execute the ClfsEncodeBlockPrivate() function, which is the responsible to overwrites the 0x50 with 0xFFFF0050 as we have seen before.

There it reads the value of SignatureOffset = 0x50 which is still as we put it in the malformed file and adds it to the start of CLFS_LOG_BLOCK_HEADER.

This is a loop that is writing 2 bytes, like the SignatureOffset instead of pointing to a correct value that in a normal file is a high value, for example 0x3f8 which makes it to write more forward, here it will write in the same CLFS_LOG_BLOCK_HEADER.

The idea is to change the write destination to try to corrupt the SignatureOffset value.

Normal File:

At this point, it will start to loop and write two bytes.

The counter must reach the value 0x3d to exit the loop.

RCX is increasing from 0x200, we are already in the third cycle, and its value is 0x600.

cve-2022-37969_image_227_increasing_from_0x200

In the 0xe iteration , RCX is 0x1a00.

That was where he had written the 0xFFFFFFFF000000.

cve-2022-37969_image_230_written_0xffffffffffff

It’s reading the last two bytes FFFF.

And it’ll copy then in R8.

cve-2022-37969_image_233_copy_then_in_r8

As we've seen, this value is critical as it allows you to bypass the check and write out of bounds to corrupt the pContainer pointer of the file that follows the memset() and write zeros at the top and leave it pointing to our controlled memory (HeapSpray).

In the CClfsBaseFilePersisted::AllocSymbol that the same sum that is going to get the destination of the memset which is cbSymbolZone + final address of CLFS_BASE_RECORD_HEADER compares it before against Base_block + 0xFFFF0050, so it has corrupted values on both sides of the equation.

CbSymbolZone= 0x1114B

It is the malformed value that added to the final address of CLFS_BASE_RECORD_HEADER will make it write out of bounds and the other member of the comparison that should be the address of the Base Block + SignatureOffset, remains SignatureOffset =0xFFFF0050 which allows this check to pass and write out of bounds in the memset() and zero the top of the pointer that will remain pointing to our HeapSpray.

cve-2022-37969_image_235_remain_pointing_heap_spray

Since RCX is smaller than RDX.

cve-2022-37969_image_236_rcx_smaller_rdx

As we have seen before. (Values may differ because they belong to a previous execution)

It will corrupt the pointer, setting the highest bytes to 0

cve-2022-37969_image_237_highest_byte_to_0

Leaving it pointing to a memory area that we control through HeapSpray

cve-2022-37969_image_238_controlled_memory_arae

cve-2022-37969_image_239_controlled_through_heap_spray

So, when the vulnerability is triggered, we get to CClfsBaseFilePersisted::RemoveContainer

There will be the already corrupt pointer and it can be exploited as we saw previously.

cve-2022-37969_image_241_already_corrupt_pointer

At this point we have bug exploited, it leads to control the functions that allows to read the SYSTEM token and write in our own process to achieve the local privilege escalation. You can find the functional PoC at at Fortra’s GitHub.

We hope you find it useful, if you have any doubt can contact us at [email protected] and [email protected].

Meet the Author

Ricardo Narvaja

Cybersecurity Specialist Developer

View Profile