
CVE-2024-49138 Windows CLFS heap-based buffer overflow analysis

varwar

CVE-2024-49138 is a Windows vulnerability detected by CrowdStrike as exploited in the wild. Microsoft patched the vulnerability on December 10th, 2024 with KB5048685 (for Windows 11 23H2/22H2).

The analysis of the patch reveals that Microsoft actually patched two distinct vulnerabilities in the following functions defined in clfs.sys:

  • CClfsBaseFilePersisted::LoadContainerQ()
  • CClfsBaseFilePersisted::WriteMetadataBlock()

1. https://security.humanativaspa.it/c...s-heap-based-buffer-overflow-analysis-part-1/
2. https://security.humanativaspa.it/c...s-heap-based-buffer-overflow-analysis-part-2/

Source code: https://github.com/MrAle98/CVE-2024-49138-POC
Discussion: https://xssforum7mmh3n56inuf2h73hvhnzobi7h2ytb3gvklrfqm7ut3xdnyd.onion/threads/130958/
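A defender-side check added here (not part of the thread or the linked PoC): a PowerShell function that reports whether the December 2024 update named above is installed on a Windows 11 22H2/23H2 host. It assumes builds 22621 and 22631 are those two versions; since the fixed clfs.sys file version is not given on this page, the verdict relies on the KB id and only reports the driver version for reference.

```powershell
# Added example, not code from the thread or the PoC repository.
# Assumptions: KB5048685 is the LCU for Windows 11 22H2 (build 22621) and
# 23H2 (build 22631) only; other builds received a different KB, so the
# function refuses to give a verdict for them instead of guessing.
function Test-Clfs49138Patch {
    [CmdletBinding()]
    param([string]$KbId = 'KB5048685')

    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = "$($cv.CurrentBuildNumber).$($cv.UBR)"

    # Installed CLFS driver version, reported for reference only.
    $clfsVer = (Get-Item "$env:SystemRoot\System32\drivers\clfs.sys").VersionInfo.FileVersion

    # Get-HotFix reads Win32_QuickFixEngineering, which lists the LCU by KB id
    # once it is installed; an absent entry means the update was not applied.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    $status = if ($cv.CurrentBuildNumber -notin @('22621', '22631')) {
        "Unknown: $KbId only applies to Windows 11 22H2/23H2; look up the KB for build $build"
    } elseif ($hotfix) {
        'Patched'
    } else {
        "Missing: $KbId not installed, host is exposed to CVE-2024-49138"
    }

    [pscustomobject]@{
        DisplayVersion = $cv.DisplayVersion
        Build          = $build
        ClfsVersion    = $clfsVer
        KbInstalled    = [bool]$hotfix
        Status         = $status
    }
}

Test-Clfs49138Patch | Format-List
```

Run it in an elevated PowerShell session; the Status field is the verdict, and a 'Missing' result on a 22H2/23H2 host means the CLFS fixes for LoadContainerQ() and WriteMetadataBlock() are not present.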
 
C++:
DWORD64 value_to_write = 0x0014000000000f00;

*((PDWORD64)((PCHAR)arg_DBGKPTRIAGEDUMPRESTORESTATE + 0x10)) = 0x0014000000000f00;
then at the end:
C++:
PreviousMode = 0x1;
NtWriteVirtualMemory((HANDLE)-1, PreviousModeAddr, &PreviousMode, sizeof(PreviousMode), NULL);

Typical exploit shenanigans.

PS. Apologies, please move it to the discussion if that's the place to be.
 
Lol. PoC devs are shitcoders, that's the fact (myself too).