MiniPlasma - Windows Cloud Files Mini Filter Driver LPE (CVE-2020-17103)
by Nightmare-Eclipse, Elliot · 2026-05-15
- Severity: High
- CVE: CVE-2020-17103
- Category: binary
- Affected product: Windows Cloud Files Mini Filter Driver (cldflt.sys) / cldapi.dll
- Affected versions: All Windows versions (patch reportedly absent or silently reverted)
- Disclosed: 2026-05-15
- Patch status: unpatched
Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-05-15 |
| Last Updated | 2026-05-16 |
| Author / Researcher | Nightmare-Eclipse, Elliot |
| CVE / Advisory | CVE-2020-17103 |
| Category | binary |
| Severity | High |
| CVSS Score | 7.8 (CVSSv3) |
| Status | Weaponized |
| Tags | LPE, Windows, cldflt.sys, Cloud Files API, registry-symlink, race-condition, WER-hijack, SYSTEM-shell, local-user |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Windows Cloud Files Mini Filter Driver (cldflt.sys) / cldapi.dll |
| Versions Affected | All Windows versions (patch reportedly absent or silently reverted) |
| Language / Platform | C# / .NET / Windows |
| Authentication Required | Yes (local code execution as non-admin user) |
| Network Access Required | Local only |
Summary
MiniPlasma is a fully weaponized Windows LPE that exploits a race condition in cldflt!HsmOsBlockPlaceholderAccess inside cldflt.sys, the same vulnerability originally discovered by James Forshaw (Google Project Zero) and reported as CVE-2020-17103 in 2020. The author reports that the same vulnerable routine is still present and exploitable, either never patched or with the patch silently rolled back.
The exploit chains four stages to deliver a SYSTEM shell in the current user session: race CfAbortOperation to gain an arbitrary registry write primitive → plant a registry symlink redirecting CloudFiles\BlockedApps → overwrite windir in Volatile Environment → hijack the Windows Error Reporting scheduled task (QueueReporting) to execute as SYSTEM via a fake wermgr.exe and named-pipe token relay.
Vulnerability Details
Root Cause
cldflt!HsmOsBlockPlaceholderAccess in the Cloud Files Mini Filter Driver contains a race condition reachable through CfAbortOperation with the Block flag. By racing the calling thread's impersonation token (switching between an anonymous token and the normal token while the call is in flight), an unprivileged caller can make the driver perform a privileged registry write on the caller's behalf, yielding an arbitrary registry-key write primitive from a low-privilege user process.
Attack Chain (4 Stages)
| Stage | Role | Technique |
|---|---|---|
| 0 — Orchestrator | Spawns and sequences Stages 1–3 | Child process management |
| 1 — Race trigger | Wins the CfAbortOperation race to obtain privileged registry write | Token race: anonymous ↔ normal on background thread; watches for registry key sentinel |
| 2 — Symlink plant | Uses the write primitive to delete BlockedApps contents and plant a registry symlink: BlockedApps → Volatile Environment | Registry symbolic link attack |
| 3 — SYSTEM shell delivery | Overwrites windir in Volatile Environment → drops fake System32\wermgr.exe → triggers QueueReporting task (SYSTEM context) → named-pipe token relay → conhost.exe spawned as SYSTEM in user session | Scheduled task abuse + token duplication via named pipe (MiniPlasmaWERPipe) |
Impact
Full local privilege escalation to SYSTEM. The exploit reliably spawns an interactive SYSTEM shell in the attacker’s session.
Environment / Lab Setup
OS: Windows (all versions — patch reportedly absent or reverted)
Target: Host with Cloud Files components (cldapi.dll / cldflt.sys) present
Attacker: Local non-admin user with execution rights
Tools: Visual Studio 2019/2022, .NET, NuGet (NtApiDotNet 1.1.33, TaskScheduler 2.12.2)
Proof of Concept
Step-by-Step Reproduction
1. Build: restore NuGet dependencies and compile the solution.
   msbuild PoC_AbortHydration_ArbitraryRegKey_EoP.sln /p:Configuration=Release
2. Execute: run as a non-admin local user.
   PoC_AbortHydration_ArbitraryRegKey_EoP.exe
3. Stage progression: the orchestrator sequences Stages 1–3 automatically. On success a SYSTEM shell opens in the user's session.
Exploit Code
See Program.cs in this folder for the full 4-stage implementation.
Expected Output
[*] Stage 1: racing CfAbortOperation...
[+] Race won — arbitrary registry write obtained
[*] Stage 2: planting registry symlink BlockedApps -> Volatile Environment
[+] Symlink planted
[*] Stage 3: overwriting windir, triggering QueueReporting task...
[+] SYSTEM process connected on MiniPlasmaWERPipe
[+] Spawning SYSTEM shell — enjoy
Screenshots / Evidence
screenshots/ : add authorized lab evidence here
Detection & Indicators of Compromise
SIEM correlation:
low-priv process
-> repeated cldapi abort calls + token swap
-> registry ACL change on CloudFiles\BlockedApps
-> symlink creation (BlockedApps -> Volatile Environment)
-> windir overwrite in HKU\.DEFAULT\Volatile Environment
-> wermgr.exe execution from non-system path as SYSTEM
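The correlation chain above, as an added detection example (not code from the MiniPlasma repository): a small correlator that walks the listed stages over a constructed, Sysmon-style event stream and reports which stages have fired. Event field names, the BlockedApps key path under HKU\.DEFAULT\Software\Policies\Microsoft\CloudFiles, and a C: system drive are assumptions.

```python
# Added example for this archive entry (not code from the MiniPlasma repository):
# a small correlator that walks the SIEM chain above over a constructed,
# Sysmon-style event stream. Event field names and the key paths are assumptions.

REAL_SYSTEM32 = r"c:\windows\system32"   # assumes Windows is installed on C:

# Chain stages in order; each predicate inspects a single event.
STAGES = [
    ("registry write under CloudFiles\\BlockedApps",
     lambda e: e["type"] == "registry"
               and "cloudfiles\\blockedapps" in e["target"].lower()),
    ("symlink BlockedApps -> Volatile Environment",
     lambda e: e["type"] == "registry"
               and e.get("symlink_target", "").lower().endswith("volatile environment")),
    ("windir overwritten in HKU\\.DEFAULT\\Volatile Environment",
     lambda e: e["type"] == "registry"
               and e["target"].lower().endswith(r"\.default\volatile environment\windir")),
    ("wermgr.exe executed as SYSTEM from a non-system path",
     lambda e: e["type"] == "process"
               and e["image"].lower().endswith("\\wermgr.exe")
               and e["user"].upper() == "NT AUTHORITY\\SYSTEM"
               and not e["image"].lower().startswith(REAL_SYSTEM32)),
]

def correlate(events):
    """Return the stage labels observed, in first-seen order."""
    seen = []
    for e in events:
        for label, pred in STAGES:
            if label not in seen and pred(e):
                seen.append(label)
    return seen

def is_full_chain(events):
    """True only when every stage fired, in the order the chain describes."""
    return correlate(events) == [label for label, _ in STAGES]

# Constructed sample telemetry (not a real capture) that replays the chain.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "user": "HOST\\alice", "image": r"C:\Users\alice\poc.exe"},
    {"type": "registry", "pid": 4120,
     "target": r"HKU\.DEFAULT\Software\Policies\Microsoft\CloudFiles\BlockedApps"},
    {"type": "registry", "pid": 4120,
     "target": r"HKU\.DEFAULT\Software\Policies\Microsoft\CloudFiles\BlockedApps",
     "symlink_target": r"HKU\.DEFAULT\Volatile Environment"},
    {"type": "registry", "pid": 4120, "target": r"HKU\.DEFAULT\Volatile Environment\windir"},
    {"type": "process", "pid": 5200, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Users\alice\fakewin\System32\wermgr.exe"},
]

if __name__ == "__main__":
    for label in correlate(SAMPLE_EVENTS):
        print("[!]", label)
    print("full chain:", is_full_chain(SAMPLE_EVENTS))
```

A legitimate wermgr.exe launch from C:\Windows\System32 does not trip the last stage, so the alert hinges on the path, the SYSTEM token, and the preceding registry activity together.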
Remediation
| Action | Detail |
|---|---|
| Patch | Monitor Microsoft advisories for a re-issue of the CVE-2020-17103 fix targeting cldflt.sys |
| Workaround | Disable Windows Cloud Files / OneDrive sync if not required; restrict scheduled task execution (QueueReporting) via AppLocker or WDAC |
| Config Hardening | Enforce application allowlisting, registry auditing on HKU\.DEFAULT\Software\Policies\Microsoft\CloudFiles, and monitor windir value changes in Volatile Environment |
References
- CVE-2020-17103 — NVD
- Google Project Zero — original issue report
- Source Repository — Nightmare-Eclipse/MiniPlasma
Notes
Auto-ingested from https://github.com/Nightmare-Eclipse/MiniPlasma on 2026-05-15.
Updated 2026-05-16: researcher overhauled the PoC from a registry-key manipulation demo to a full 4-stage SYSTEM shell exploit. The src/ directory was replaced with the finalized PoC_AbortHydration_ArbitraryRegKey_EoP Visual Studio project. Root cause precisely identified as the cldflt!HsmOsBlockPlaceholderAccess race condition — identical to the 2020 Project Zero finding, reportedly still unpatched. Second contributor: Elliot (uploaded final PoC files). Repository reached 330 stars and 79 forks within 3 days.