
Windows 11 KB5089549 can still be hit by a deadly Registry-planting hack to take over your system

New PoC exploit suggests longstanding Windows LPE vulnerability remains exploitable despite Microsoft's earlier security patches.


A newly published proof-of-concept (PoC) exploit has renewed attention on a Windows vulnerability that researchers say may not have been fully resolved despite an earlier security fix from Microsoft. The exploit, released in a public repository under the name "MiniPlasma," demonstrates a local privilege escalation (LPE) issue in the Windows Cloud Files Mini Filter Driver, cldflt.sys. According to the repository’s maintainer, Nightmare-Eclipse, who recently also disclosed details on "GreenPlasma," the MiniPlasma flaw appears closely related to Google Project Zero issue 42451192, tracked as CVE-2020-17103.

For anyone wondering, the Windows Cloud Files Mini Filter Driver (cldflt.sys) is a kernel-level file system minifilter that supports cloud-sync features such as OneDrive’s Files On-Demand. File system minifilters attach to Windows’ file I/O stack and can monitor, filter, or modify file operations before they reach storage. Microsoft’s Cloud Files API lets sync providers create placeholder files that appear locally while their content stays in the cloud until accessed. Essentially, cldflt.sys manages these placeholders, their synchronization states, and cloud-backed file access transparently within Windows Explorer.

In the project documentation, the developer states that the vulnerability was originally reported to Microsoft by Google Project Zero roughly six years ago (as the CVE ID suggests) and was believed to have been patched at the time (seemingly addressed on Windows 10 with the KB4592438 update). However, after revisiting the earlier research, the author noticed that the same underlying issue may still exist in current Windows systems, even the latest patched ones.

This means that systems running the newest Windows 11 KB5089549 Patch Tuesday update, released last week, are also affected. Nightmare-Eclipse notes that the original PoC from Google continued to function “without any changes,” which raises the question of whether the original mitigation was incomplete or later reversed, since Google marks the issue's status as "fixed".

The exploit specifically targets the HsmOsBlockPlaceholderAccess routine within cldflt.sys and plants arbitrary registry keys in the .DEFAULT user hive, which ultimately leads to the LPE. The author says the code was adapted to spawn a SYSTEM-level shell, demonstrating full privilege escalation from a lower-privileged account. The exploit is described as race-condition dependent, which means its reliability can vary with system timing and configuration.
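For administrators wanting to know where their machines stand, the following PowerShell inventory script is an added example written for this article, not code from the MiniPlasma repository or from Microsoft. It reports the installed cldflt.sys version, checks via fltmc whether the filter is attached, counts Cloud Files placeholders under the OneDrive folder, and lists autostart entries in the .DEFAULT hive; the driver path, the OneDrive folder location and the choice of the Run key as the thing to baseline are assumptions, and fltmc needs an elevated session.

```powershell
# Added defensive inventory script (not from the article or the MiniPlasma repository).
# Assumes Windows, PowerShell 5.1 or later, and an elevated session for fltmc.exe.
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'   # assumed location

function Get-CldfltInfo {
    # Version and signature of the installed driver, for comparison across hosts.
    $file = Get-Item -LiteralPath $driverPath -ErrorAction Stop
    [pscustomobject]@{
        FileVersion   = $file.VersionInfo.FileVersion
        LastWriteUtc  = $file.LastWriteTimeUtc
        Signature     = (Get-AuthenticodeSignature -FilePath $driverPath).Status
    }
}

function Test-CldfltLoaded {
    # fltmc prints one row per loaded minifilter; the filter name is the first column.
    $rows = & fltmc.exe filters 2>$null
    return [bool]($rows | Where-Object { $_ -match '^\s*cldflt\b' })
}

function Get-PlaceholderFiles {
    param([string]$Path)
    # Cloud Files placeholders carry FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS (0x400000).
    # The .NET FileAttributes enum has no name for that bit, so it is tested numerically.
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ([int]$_.Attributes -band 0x400000) -ne 0 }
}

function Get-DefaultHiveRunEntries {
    # HKEY_USERS\.DEFAULT backs the pre-logon / service profile; autostart entries
    # there are unusual on a workstation, so they are a reasonable thing to baseline
    # (which keys an attacker would plant is not specified in the article; this is an assumption).
    $key = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path -LiteralPath $key) {
        (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { [pscustomobject]@{ Name = $_.Name; Command = $_.Value } }
    }
}

Get-CldfltInfo
"cldflt loaded: $(Test-CldfltLoaded)"
if ($env:OneDrive) {
    # $env:OneDrive is set by the OneDrive client; folder location is an assumption.
    "placeholder files under OneDrive: $(@(Get-PlaceholderFiles -Path $env:OneDrive).Count)"
}
Get-DefaultHiveRunEntries
```

Run the script on a known-good host first and keep its output as a baseline, so that later runs can be diffed rather than read in isolation.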

Security researcher Will Dormann tested the PoC and confirmed that it successfully led to system privilege escalation, though interestingly, he also added that the exploit did not work on the "latest Insider Preview Canary Windows 11." So Microsoft may finally be fixing it (again?) after six years, though it will be some time before we see this in a Patch Tuesday.
