# CVE-2022-24521: Windows Common Log File System (CLFS) Logical-Error Vulnerability
Sergey Kornienko (@b1thvn_) of PixiePoint Security
skipped 15 lines
**Bug-Introducing CL:** N/A
-
**Reporter(s):** Sergey Kornienko (@b1thvn_) of PixiePoint Security
+
**Reporter(s):** National Security Agency, Adam Podlosky and Amir Bazine of Crowdstrike
## The Code
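Review bot: the `+` Reporter(s) line removes Sergey Kornienko from the record entirely, yet his PixiePoint blog post is still the exploitation reference cited at the end of this page; if the field is meant to name who reported the bug to Microsoft (the acknowledgements on the linked Microsoft advisory), say so and keep Kornienko credited as the author of the public nday analysis in the references section so the attribution is not lost. Also, the vendor styles its name "CrowdStrike", not "Crowdstrike".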
skipped 211 lines
**Thoughts on how this vuln might have been found _(fuzzing, code auditing, variant analysis, etc.)_:**
-
Code auditing
+
We think that this vulnerability might have been found from code auditing/reverse engineering because (1) the base log record has to be crafted for the container context to remain uncorrupted from the encode/decode operations (2) the `CClfsBaseFile::AcquireContainerContext` function has to purposely fail. In all fairness, because (2) is easy to achieve, this might in fact have been found from fuzzing or other means.
**(Historical/present/future) context of bug:**
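Review bot: the added paragraph's reasoning is undercut by its own last sentence: once (2) is conceded to be easy, only (1) supports the "code auditing" conclusion, so state that directly, e.g. "In all fairness, because (2) is easy to achieve and only (1) requires deliberate crafting, this might in fact have been found by fuzzing or other means." The enumeration also needs punctuation between the items: "... because (1) the base log record has to be crafted so that the container context survives the encode/decode operations uncorrupted; and (2) the `CClfsBaseFile::AcquireContainerContext` function has to be made to fail on purpose."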
skipped 5 lines
**Exploit strategy (or strategies):**
254
251
255
-
Similar procedure to overwrite process token with pipe objects as outlined in the
+
As we do not have a sample to analyse, we have no idea how the ITW exploit works. However we did managed to exploit this vulnerability with a similar procedure to overwrite process token with pipe objects as outlined in the
[SSTIC2020: Scoop the Windows 10 pool!](https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pool_overflow_exploitation_since_windows_10_19h1/SSTIC2020-Article-pool_overflow_exploitation_since_windows_10_19h1-bayet_fariello.pdf) paper.
**Exploit flow:**
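Review bot: grammar in the `+` Exploit strategy line: "we did managed to exploit" should be "we did manage to exploit", "However we" needs a comma after "However", and "overwrite process token" should read "overwrite the process token". The sentence deliberately ends mid-clause ("as outlined in the") because the following context line carries the SSTIC2020 link and "paper."; that is fine, but "we have no idea how the ITW exploit works" would read better as "we cannot say how the ITW exploit works", which states the same limitation without overclaiming.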
skipped 39 lines
- More information about the affected versions can be found on the [Microsoft Advisory](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521) web site.
- More details about the exploitation can be found on the [CVE-2022-24521: Analysing and Exploiting the Windows Common Log File System (CLFS) Logical-Error Vulnerability](https://www.pixiepointsecurity.com/blog/nday-cve-2022-24521.html) blog post.