PoC Exploit Released for Windows Elevation of Privilege Vulnerability

### #WindowsVulnerability #PrivilegeEscalation #CloudFilesExploit

Summary: A critical vulnerability (CVE-2024-30085) in the Windows Cloud Files Mini Filter Driver allows local attackers to escalate privileges to SYSTEM level, posing a significant security risk. The flaw stems from improper validation of user-supplied data, enabling potential exploitation.

Threat Actor: Local Attackers
Victim: Windows 11 Users

Key Points:

  • Vulnerability rated with a CVSS score of 7.8, indicating a high severity level.
  • Exploitation allows attackers to execute code with SYSTEM-level permissions, gaining full control of the system.
  • Key issues include length check bypass, flawed reparse point validation, and heap-based buffer overflow.
  • Demonstrated proof-of-concept during the TyphoonPWN 2024 competition by researcher Alex Birnberg.
  • Microsoft has released a patch in the June 2024 Patch Tuesday updates to address the vulnerability.

Security researcher Alex Birnberg, working with SSD Secure Disclosure, published the technical details and proof-of-concept (PoC) exploit code for CVE-2024-30085, a Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability. The flaw, rated with a CVSS score of 7.8, allows local attackers to escalate privileges to the SYSTEM level, posing a significant security risk.

The root cause lies within the Cloud Files Mini Filter Driver (cldflt), specifically in the handling of reparse point bitmaps in the HsmIBitmapNORMALOpen function. The flaw arises from improper validation of user-supplied data lengths before copying them into a fixed-length heap-based buffer. If exploited, an attacker can escalate privileges to execute code with SYSTEM-level permissions.

With SYSTEM-level execution, attackers can effectively take full control of a vulnerable system. This includes installing malicious software, modifying sensitive system files, and accessing data restricted to the highest privilege levels.

The researcher explains, “The issue results from the improper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer.” This allows attackers to bypass security checks and execute arbitrary code.

The vulnerability stems from several critical flaws in the HsmIBitmapNORMALOpen function:

  1. Length Check Bypass: The code improperly validates the length of reparse point bitmaps. If a variable is set to false, the length check is skipped entirely.
  2. Flawed Reparse Point Validation: By manipulating directory paths and reparse points, attackers can bypass the sync root validation process, which is intended to restrict unauthorized reparse point creation.
  3. Heap-Based Buffer Overflow: Once the length check is bypassed, oversized data can be copied into a fixed-length buffer, leading to memory corruption and privilege escalation.
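The following is an added, constructed C model of the bug class described in points 1 and 3 (a flag-gated length check in front of a copy into a fixed-length heap buffer) next to its hardened form; it is not the cldflt.sys code, and the buffer size, function names and canary harness are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug class, not the cldflt.sys code: a reparse
 * point "bitmap" blob is copied into a fixed-length heap buffer. */
#define BITMAP_BUF_SIZE 64
#define GUARD_SIZE      128   /* test-only canary region behind the buffer */
#define GUARD_BYTE      0xA5

/* Vulnerable pattern from the write-up: the length check is gated by a
 * flag, so when validate == false an oversized blob reaches memcpy. */
static bool open_bitmap_vulnerable(uint8_t *buf, const uint8_t *data,
                                   size_t len, bool validate)
{
    if (validate && len > BITMAP_BUF_SIZE)
        return false;          /* never evaluated when validate is false */
    memcpy(buf, data, len);    /* len is trusted here */
    return true;
}

/* Hardened form: the bound is enforced unconditionally, before any copy. */
static bool open_bitmap_fixed(uint8_t *buf, const uint8_t *data, size_t len)
{
    if (data == NULL || len > BITMAP_BUF_SIZE)
        return false;
    memcpy(buf, data, len);
    return true;
}

/* Harness: allocate the buffer with a canary region behind it so an
 * overflow is observable without undefined behaviour. Returns true if the
 * canary was overwritten, i.e. adjacent heap memory was corrupted. */
static bool run_case(size_t len, bool use_fixed, bool validate)
{
    uint8_t data[BITMAP_BUF_SIZE + GUARD_SIZE];   /* constructed input */
    memset(data, 0x41, sizeof data);
    if (len > sizeof data) len = sizeof data;     /* keep the harness in bounds */
    uint8_t *heap = malloc(BITMAP_BUF_SIZE + GUARD_SIZE);
    memset(heap + BITMAP_BUF_SIZE, GUARD_BYTE, GUARD_SIZE);
    if (use_fixed) open_bitmap_fixed(heap, data, len);
    else           open_bitmap_vulnerable(heap, data, len, validate);
    bool corrupted = false;
    for (size_t i = 0; i < GUARD_SIZE; i++)
        if (heap[BITMAP_BUF_SIZE + i] != GUARD_BYTE) corrupted = true;
    free(heap);
    return corrupted;
}

bool vulnerable_corrupts_heap(size_t len, bool validate) { return run_case(len, false, validate); }
bool fixed_corrupts_heap(size_t len)                     { return run_case(len, true, false); }
```

The canary region is only there so the harness can observe the overwrite safely; in a kernel driver the same copy would clobber whatever heap allocation follows the buffer.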

The CVE-2024-30085 vulnerability was successfully exploited during the TyphoonPWN 2024 competition, where independent security researcher Alex Birnberg demonstrated a working proof-of-concept (PoC).

The vulnerability impacts Windows 11 23H2 installations. Microsoft has addressed the issue with a patch included in the June 2024 Patch Tuesday updates, and users are strongly encouraged to apply the fix immediately.

Source: https://securityonline.info/poc-exploit-released-for-cve-2024-30085-windows-elevation-of-privilege-vulnerability