The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December
2020 updates, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when
calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders()
function with attacker controlled input. This meant that files were created with
KernelMode permissions, thereby bypassing any security checks that would otherwise
prevent a normal user from being able to create files in directories
they don't have permissions to create files in.
This module abuses this vulnerability to perform a DLL hijacking attack against the
Microsoft Storage Spaces SMP service, which grants the attacker code execution as the
NETWORK SERVICE user. Users are strongly encouraged to set the PAYLOAD option to one
of the Meterpreter payloads, as doing so will allow them to subsequently escalate their
new session from NETWORK SERVICE to SYSTEM by using Meterpreter's "getsystem" command
to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.
- James Foreshaw
- Grant Willcox