This module exploits an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver (cldflt.sys) to achieve arbitrary code execution with SYSTEM privileges. The vulnerability resides in the HsmOsBlockPlaceholderAccess routine and abuses the Cloud Files abort hydration path to create attacker-controlled registry keys in the .DEFAULT user hive without proper access checks. MiniPlasma is the same issue previously tracked as CVE-2020-17103, which was reported by Google Project Zero and later claimed to be patched, but it remains exploitable on current Windows builds. The steps performed by the exploit are: Creates a controlled Cloud Files synchronization root and uses the abort hydration path to trigger the race condition. Redirects privileged registry key creation into the .DEFAULT user hive. Abuses the writable .DEFAULT Volatile Environment registry key to control the windir environment used by a SYSTEM process. Triggers the elevated process to launch a CORE Impact agent with SYSTEM privileges in the target user's interactive session.
Exploit Platform
Exploit Type
Product Name