The Windows Cloud Files Mini Filter module (clfs.sys) present in Microsoft Windows is vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition, which can result in arbitrary file write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Start RasMan service Create sync root directory Create junction directory Create target junction and symlink Register sync root Create threads to exploit race condition and detect exploitation Trigger race condition Write the agent and execute it
CVE Link
Exploit Platform
Exploit Type
Product Name