Endpoint Security, Governance and Risk Management, Patch Management
Zscaler researchers probe base filesystem log file to expose flaw
Prajeet Nair (@prajeetspeaks) • October 14, 2022
The Common Log File System, a once obscure subsystem of the Windows operating system, records the transaction history of databases and mail systems so that functions such as recovery can rely on it. The record is called the base log file.
Probe deep enough into the base log file and you might come out the other side with system-level access. The flaw, identified as CVE-2022-37969, is no secret: Microsoft patched it in the September monthly security vulnerability dump (see: Microsoft Fixes Actively Exploited Day Zero, 63 Other Bugs).
But before Microsoft even knew about it, someone else did too: the patch came with a warning that the vulnerability was being actively exploited in the wild. Its exploitation required that an attacker had already gained access to an endpoint. “Bugs of this nature are often wrapped up in some form of social engineering attack, like convincing someone to open a file or click on a link,” Dustin Childs, security analyst at Zero Day Initiative, said at the time.
Today, researchers from Zscaler’s ThreatLabz research team claim to have identified the root cause of CVE-2022-37969.
In a nutshell, a Common Log File System log is made up of a base log file, which consists of metadata blocks, and containers, which store the actual data. Each base log file starts with a header, and the header carries a field called cbSymbolZone. The field is normally unremarkable. In this context it matters because, when set to an invalid value, it can trigger an out-of-bounds write.
To identify the root cause of the vulnerability, the researchers developed a proof-of-concept triggering an operating system crash.
Using cbSymbolZone to deliberately trigger Microsoft’s dreaded blue screen of death, rather than simply letting Windows run until it produced one itself, required the Zscaler researchers to craft a base log file with specific bytes in specific metadata fields.
When the modified base log file was invoked, the chain reaction it set off is what produced the system crash.
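The bug class described above, a header field that the parser trusts when deciding where to write, is easier to see in code than in prose. The following is an added illustration written for this article, not code from Zscaler, Microsoft or the CLFS driver: the struct layout, the `toy_header` name, the 256-byte file size and the sample values are all constructed, and only the idea that an unvalidated `cb_symbol_zone` offset leads to an out-of-bounds write is taken from the text. The unchecked routine shows the vulnerable pattern; the checked routine shows the bounds validation a defender would expect before any header-derived offset is used.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy stand-in for a base-log-file header. The layout and field names are
 * constructed for this example and are NOT the real CLFS on-disk format;
 * only the idea (a header-supplied offset, cb_symbol_zone, selects where the
 * parser writes) is taken from the article. */
#define BLF_SIZE 256

typedef struct {
    uint32_t magic;           /* constructed marker value */
    uint32_t cb_symbol_zone;  /* offset from file start of a zone the parser updates */
    uint32_t record_count;
    uint32_t reserved;
} toy_header;

/* Vulnerable pattern: trust the header field and write through it.
 * Never call this with untrusted input; it is here only to show the defect. */
int update_symbol_zone_unchecked(uint8_t *file, size_t file_len, uint32_t value)
{
    toy_header hdr;
    (void)file_len;  /* the length is available but never consulted */
    memcpy(&hdr, file, sizeof hdr);
    /* No check that cb_symbol_zone + 4 lies inside the file: an invalid
     * value in the header writes outside the buffer (out-of-bounds write). */
    memcpy(file + hdr.cb_symbol_zone, &value, sizeof value);
    return 0;
}

/* Hardened pattern: validate every header-derived offset before using it.
 * Returns 0 on success, a negative code naming the failed check otherwise. */
int update_symbol_zone_checked(uint8_t *file, size_t file_len, uint32_t value)
{
    toy_header hdr;
    if (file_len < sizeof(toy_header)) return -1;   /* file too short to hold a header */
    memcpy(&hdr, file, sizeof hdr);
    /* The zone must start past the header and end within the file. Compare
     * against file_len - sizeof value so the check itself cannot overflow. */
    if (hdr.cb_symbol_zone < sizeof(toy_header)) return -2;
    if ((size_t)hdr.cb_symbol_zone > file_len - sizeof value) return -3;
    memcpy(file + hdr.cb_symbol_zone, &value, sizeof value);
    return 0;
}

/* Build a constructed sample file whose header carries the given offset. */
static void make_sample(uint8_t *file, uint32_t cb_symbol_zone)
{
    toy_header hdr = { 0x434c4653u, cb_symbol_zone, 1, 0 };  /* constructed values */
    memset(file, 0, BLF_SIZE);
    memcpy(file, &hdr, sizeof hdr);
}

/* Result of the checked parser for a header carrying the given offset. */
int try_offset(uint32_t cb_symbol_zone)
{
    uint8_t file[BLF_SIZE];
    make_sample(file, cb_symbol_zone);
    return update_symbol_zone_checked(file, BLF_SIZE, 0xdeadbeefu);
}

/* Value read back from the zone after a successful checked update (0 if rejected). */
uint32_t roundtrip(uint32_t cb_symbol_zone)
{
    uint8_t file[BLF_SIZE];
    uint32_t v;
    make_sample(file, cb_symbol_zone);
    if (update_symbol_zone_checked(file, BLF_SIZE, 0x11223344u) != 0) return 0;
    memcpy(&v, file + cb_symbol_zone, sizeof v);
    return v;
}

int main(void)
{
    printf("valid offset 64            -> %d\n", try_offset(64));
    printf("offset inside header (4)   -> %d\n", try_offset(4));
    printf("offset past end 0xFFFFFFF0 -> %d\n", try_offset(0xFFFFFFF0u));
    return 0;
}
```

The checked version rejects an offset that points back into the header as well as one that runs off the end of the file, and the comparison is arranged so that a huge offset cannot wrap the arithmetic and slip past the test. That pair of checks, not the exact numbers, is the takeaway: any size or offset read from a file header is attacker-controlled until it has been bounded against the buffer it indexes.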
The September patch of a Common Log File System flaw marked the first time Redmond had discovered hackers using the subsystem for nefarious purposes. In an April 2022 blog post, cybersecurity firm PixiePoint Security said the system first gained popularity as an attack vector in 2016, particularly as a method to evade browser sandboxes.