New Windows Privilege Escalation Zero-Day: MiniPlasma
A cybersecurity researcher has unveiled a proof-of-concept exploit named “MiniPlasma,” which enables attackers to obtain SYSTEM privileges on fully updated Windows systems. The vulnerability is categorized as a zero-day because no patch is currently available, so even fully updated systems remain exposed.
Disclosure by Chaotic Eclipse
The exploit was made public by a researcher identified as Chaotic Eclipse (also known as Nightmare Eclipse). They posted both the source code and a compiled executable on GitHub, asserting that Microsoft did not sufficiently address a previously reported vulnerability from 2020.
Details of the Vulnerability
The flaw affects the ‘cldflt.sys’ Cloud Filter driver and specifically the ‘HsmOsBlockPlaceholderAccess’ routine. This issue was initially reported to Microsoft by James Forshaw from Google Project Zero in September 2020 and assigned the CVE-2020-17103 identifier. Microsoft claimed to have fixed the issue in December 2020.
Investigation Results
Chaotic Eclipse noted, “Upon investigation, the same issue reported to Microsoft by Google Project Zero is still unpatched.” They expressed uncertainty about whether Microsoft failed to patch the flaw or if the patch was quietly retracted. The original proof-of-concept from Google continues to work without modifications.
Testing and Confirmation
BleepingComputer tested the exploit on a fully updated Windows 11 Pro system and found that it successfully opened a command prompt with SYSTEM privileges using a standard user account. Will Dormann, a principal vulnerability analyst at Tharros, also verified the exploit on the latest public version of Windows 11, although it did not work on the latest Windows 11 Insider Preview Canary build.
How the Exploit Works
The exploit manipulates the way the Windows Cloud Filter driver handles registry key creation via an undocumented CfAbortHydration API. Forshaw’s original findings indicated that the flaw could permit the creation of arbitrary registry keys in the .DEFAULT user hive without appropriate access checks, facilitating privilege escalation.
Context of the Researcher’s Actions
MiniPlasma is part of a series of zero-day disclosures made by the same researcher in recent weeks. Previous disclosures included BlueHammer, RedSun, and UnDefend, all of which were reported as being exploited by attackers after their release. Chaotic Eclipse has voiced dissatisfaction with Microsoft’s vulnerability management process and has said that those experiences led them to publicly disclose these vulnerabilities as a form of protest.