CVE-2024-26160 - Exposing Windows Cloud Files Mini Filter Driver Information Disclosure

When it comes to Windows security, system drivers often fly under the radar. But sometimes, these low-level components contain vulnerabilities with big implications. CVE-2024-26160 is one such flaw—a recently patched information disclosure vulnerability in the Windows Cloud Files Mini Filter Driver (cldflt.sys). In this post, we’ll break down what this CVE means, how it works, and give you a simple code demonstration to show how attackers could exploit it.

What is CVE-2024-26160?

CVE-2024-26160 is an information disclosure vulnerability in the Cloud Files Mini Filter Driver used by Windows. This driver lets Windows and applications seamlessly work with files stored in the cloud (like OneDrive or Azure Files), making files available on-demand. The problem? A flaw in the way it handles user requests could allow a local attacker to access sensitive information they’re not supposed to.

Original Reference:
- Microsoft Security Update Guide (CVE-2024-26160)
- NIST CVE Details

How Does the Flaw Happen?

In short, the Cloud Files Mini Filter Driver (cldflt.sys) doesn’t always properly clear memory or check user permissions when handling certain file requests. An attacker with local access could leverage this to read kernel memory contents or private data from kernel space, which may include password hashes, keys, or other sensitive OS memory areas.

Prerequisites

- Local Access: You have to already be logged in on the machine, either as a standard user or with limited privilege.
- Affected Systems: Any unpatched Windows device using the vulnerable version of the Cloud Files Mini Filter Driver (details in Microsoft’s advisory).

Attack Scenario

1. Create/Open a Cloud File: Attacker creates or opens a placeholder file managed by the driver.
2. Send Crafted Requests: The attacker sends specially-shaped IRPs (I/O Request Packets) or sets up operations to provoke cldflt.sys into returning data.
3. Partial Data Leakage: Instead of correctly zeroing memory or checking bounds, the driver leaks uninitialized kernel data to user mode.

Example Code Snippet

Let's see a simple C code that demonstrates how a malicious user might try to trigger the leak by reading from a cloud-managed file (requires running on an affected system and may need administrative privileges, depending on context):

#include <windows.h>
#include <stdio.h>

int main() {
    HANDLE hFile;
    DWORD bytesRead;
    char buffer[4096] = {};

    // Path to a cloud file (must be set up beforehand, e.g., with OneDrive "on demand" file)
    LPCWSTR filePath = L"C:\\Users\\User\\OneDrive\\leakyfile.txt";

    hFile = CreateFileW(
        filePath,
        GENERIC_READ,
        FILE_SHARE_READ,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );

    if (hFile == INVALID_HANDLE_VALUE) {
        printf("CreateFile failed: %lu\n", GetLastError());
        return 1;
    }

    if (ReadFile(hFile, buffer, sizeof(buffer), &bytesRead, NULL)) {
        printf("Read %lu bytes. Data (first 32 bytes):\n", bytesRead);
        for (int i = ; i < 32 && i < bytesRead; i++)
            printf("%02x ", (unsigned char)buffer[i]);
        printf("\n");
    } else {
        printf("ReadFile failed: %lu\n", GetLastError());
    }

    CloseHandle(hFile);
    return ;
}

This code tries to simply read from a cloud provider file. If the vulnerable driver is involved and proper patching has not been done, extra kernel memory data might be present in the returned buffer (beyond expected file content). A real attack might involve more complex operations, triggering the load on specific data types or malformed placeholders.

Why This Matters

Information disclosure vulnerabilities can be the *stepping stones* to rootkits, privilege escalation, or other attacks. Even if an attacker can "only" read kernel memory, they can use that information to bypass security checks or recover secret material.

Affected products: Most supported versions of Windows 10, Windows 11, and Windows Server where Cloud Files Mini Filter Driver is enabled or in use.

Mitigation

Patch ASAP! Microsoft’s March 2024 patch cycle resolves this issue.
- Go to Microsoft Windows Update and make sure you're up-to-date.
- Check CVE-2024-26160 for affected versions and technical details.

Temporary Options: If patching is not immediately possible, consider

- Limiting local (physical/remote desktop) access to trusted users.

Learn More

- Microsoft Security Advisory CVE-2024-26160
- NVD’s Writeup: CVE-2024-26160
- More about Mini Filters

Final Words

Vulnerabilities like CVE-2024-26160 highlight why even the most "invisible" parts of the OS, like system drivers, require constant vigilance. Patch early, stay safe—and keep your eyes open for those update notifications!

Have you tested your system for this CVE? Drop your experiences and any new info in the comments!

Timeline

Published on: 03/12/2024 17:15:55 UTC
Last modified on: 03/12/2024 17:46:17 UTC