In the security updates of April 2022, Microsoft patched two vulnerabilities (CVE-2022-24481 and CVE-2022-24521) in the CLFS.sys driver. The CLFS kernel component first gained popularity as an attack vector for escaping browser sandboxes in 2016. Although access to it is now disabled in popular sandboxes, it is still frequently abused to escalate privileges locally on Windows.
In this blog post, we analyse the root cause of one of the vulnerabilities and discuss how trivially and reliably it could be exploited.
CVE-2020-17087 is a pool overflow vulnerability in the Windows CNG.sys driver that was discovered being exploited in the wild [1]. Although root-cause analyses of the vulnerability have been published, its exploitation technique is still relatively unknown. The most notable information was the disclosure by Google Project Zero (GP0) that the in-the-wild (ITW) sample "uses the buffer overflow to establish an arbitrary read / write primitive in the kernel space with the help of Named Pipe objects" [2].
In this blog post, we describe how this vulnerability could be exploited based on the BlockSize attack method against the Windows 10 Segment Heap [3].
The Event Tracing for Windows (ETW) mechanism allows the logging of kernel or application-defined events for debugging purposes. Developers are able to start and stop event tracing sessions, instrument an application to provide trace events, and consume trace events by calling the ETW set of user-mode Windows APIs. Eventually these will lead to corresponding syscall requests to the kernel (ntoskrnl.exe) to perform the functionalities.
In the ETW request to update the periodic capture state, under specific conditions, there exists a use-after-free vulnerability whereby an attacker is able to controllably allocate a 0x30-byte buffer, free it, and subsequently reuse this buffer to execute arbitrary code.