Windows CLFS and five exploits used by ransomware operators (Exploit #4 – CVE-2023-23376)
Description

This is part five of our study about the Common Log File System (CLFS) and five vulnerabilities in this Windows OS component that have been used in ransomware attacks throughout the year. Please read the previous parts first if you haven't already. You can skip to the other parts using this table of contents or using the link at the end of this part.

Part 1 – Windows CLFS and five exploits of ransomware operators
Part 2 – Windows CLFS and five exploits of ransomware operators (Exploit #1 – CVE-2022-24521)
Part 3 – Windows CLFS and five exploits of ransomware operators (Exploit #2 – September 2022)
Part 4 – Windows CLFS and five exploits of ransomware operators (Exploit #3 – October 2022)
Part 5 – Windows CLFS and five exploits of ransomware operators (Exploit #4 – CVE-2023-23376)
Part 6 – Windows CLFS and five exploits of ransomware operators (Exploit #5 – CVE-2023-28252)

Exploit #4 – CVE-2023-23376

The October changes complicated the exploitation of the GENERAL block, and the author of the previously discussed exploits switched to exploiting the CONTROL block. CVE-2023-23376 was discovered as a zero-day in the wild by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC). It was fixed in February 2023.

To discuss this vulnerability, we need to take a closer look at the CLFS_CONTROL_RECORD structure. As mentioned in part one of our study, which discussed CLFS internals, it is used to hold an array of CLFS_METADATA_BLOCK…
