    0day-RCAs/2022/CVE-2022-24521.md
    1  -# 0-day Root Cause Analysis Template
    2  -
    3  -
    4 1  # CVE-2022-24521: Windows Common Log File System (CLFS) Logical-Error Vulnerability
    5 2  Sergey Kornienko (@b1thvn_) of PixiePoint Security
    6 3  
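Review bot: with the template heading gone, the byline on line 5 ("Sergey Kornienko (@b1thvn_) of PixiePoint Security") now sits directly under the H1 and reads as the author of this RCA, which is a different role from the "Reporter(s)" credit further down; consider prefixing it with something like "Analysis by" so the two are not conflated.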
    skipped 15 lines
    22 19  
    23 20  **Bug-Introducing CL:** N/A
    24 21  
    25  -**Reporter(s):** Sergey Kornienko (@b1thvn_) of PixiePoint Security
     22 +**Reporter(s):** National Security Agency, Adam Podlosky and Amir Bazine of Crowdstrike
    26 23  
    27 24  ## The Code
    28 25  
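Review bot: "Crowdstrike" should be written "CrowdStrike", the vendor's own capitalisation. Otherwise moving the analysis author out of the "Reporter(s)" field and crediting the parties that reported the vulnerability is the right fix, since the byline under the title already records who wrote this RCA.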
    skipped 211 lines
    240 237  
    241 238  **Thoughts on how this vuln might have been found _(fuzzing, code auditing, variant analysis, etc.)_:**
    242 239  
    243  -Code auditing
     240 +We think that this vulnerability might have been found from code auditing/reverse engineering because (1) the base log record has to be crafted for the container context to remain uncorrupted from the encode/decode operations (2) the `CClfsBaseFile::AcquireContainerContext` function has to purposely fail. In all fairness, because (2) is easy to achieve, this might in fact have been found from fuzzing or other means.
    244 241  
    245 242  **(Historical/present/future) context of bug:**
    246 243  
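Review bot: the new paragraph on line 240 is hard to follow as a single sentence: "because (1) ... (2) ..." has no conjunction between the two reasons, and the next clause then concedes that (2) is easy to achieve, which leaves only (1) as real evidence for code auditing. Suggest splitting it, e.g. "We think this vulnerability was found by code auditing/reverse engineering because the base log record has to be crafted so that the container context survives the encode/decode operations. `CClfsBaseFile::AcquireContainerContext` also has to fail, but that is easy to trigger, so fuzzing or other means cannot be ruled out."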
    skipped 5 lines
    252 249  
    253 250  **Exploit strategy (or strategies):**
    254 251  
    255  -Similar procedure to overwrite process token with pipe objects as outlined in the
     252 +As we do not have a sample to analyse, we have no idea how the ITW exploit works. However we did managed to exploit this vulnerability with a similar procedure to overwrite process token with pipe objects as outlined in the
    256 253  [SSTIC2020: Scoop the Windows 10 pool!](https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pool_overflow_exploitation_since_windows_10_19h1/SSTIC2020-Article-pool_overflow_exploitation_since_windows_10_19h1-bayet_fariello.pdf) paper.
    257 254  
    258 255  **Exploit flow:**
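Review bot: "we did managed to exploit" on line 252 should be "we did manage to exploit". "we have no idea how the ITW exploit works" would also read better as "we do not know how the ITW exploit works"; the rest of the sentence still joins correctly onto the unchanged "[SSTIC2020: Scoop the Windows 10 pool!] paper" link on the following line.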
    skipped 39 lines
    298 295  
    299 296  - More information about the affected versions can be found on the [Microsoft Advisory](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521) web site.
    300 297  - More details about the exploitation can be found on the [CVE-2022-24521: Analysing and Exploiting the Windows Common Log File System (CLFS) Logical-Error Vulnerability](https://www.pixiepointsecurity.com/blog/nday-cve-2022-24521.html) blog post.
     298 + 
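Review bot: the added line 298 contains only a single space. Whitespace-only lines at end of file are typically flagged by linters; either drop the line or make it an empty one.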