Skip to content

CVE-2024-30085

Cloud Files Mini Filter — missing size check before memcpy leads to heap overflow

Summary

Field Value
Driver cldflt.sys
Vulnerability Class Buffer Overflow / Bounds Check
Vulnerable Build 10.0.22621.3672 (KB5037853)
Fixed Build 10.0.22621.3733 (KB5039212)
Exploited ITW No

Affected Functions

  • HsmIBitmapNORMALOpen

Root Cause

The cldflt.sys driver is the Cloud Files Mini Filter, responsible for handling Windows Cloud Files operations such as those used by OneDrive placeholder files. It intercepts file system requests and manages the hydration and dehydration of cloud-backed files through reparse points.

The vulnerability resides in the handling of reparse point data during file operations. When the driver processes a crafted reparse buffer, it copies data from the reparse point structure into a heap-allocated buffer. However, the driver allocates the destination buffer based on one length field in the reparse structure but performs the actual memcpy using a different, larger length field from the same structure. This is a classic size mismatch bug: the allocation size is derived from one field while the copy length comes from a separate, attacker-controlled field that can specify a larger value.

The result is a heap buffer overflow -- the memcpy writes past the end of the allocated pool buffer and corrupts adjacent kernel pool allocations. Since the reparse point data and its length fields are ultimately user-controlled (constructed by creating and manipulating cloud file placeholder reparse points from user mode), the overflow size and content are both attacker-controlled.

AutoPiff categorizes this as bounds_check with detection rules:

  • added_len_check_before_memcpy

Exploitation

The heap overflow provides a relative write primitive into adjacent kernel pool allocations. Because the attacker controls both the overflow length and the data being written, they can precisely corrupt the contents of objects that have been placed in the pool immediately after the vulnerable allocation.

Exploitation relies on pool feng shui: the attacker sprays kernel objects of the correct size class to fill the pool segment, creating a deterministic layout where a known object type sits adjacent to the vulnerable buffer. When the overflow is triggered, it corrupts the header or data fields of that adjacent object. Star Labs demonstrated this technique using pipe attribute objects (allocated via NtFsControlFile) as the spray targets. Corrupting a pipe attribute gives a relative read/write primitive, which is then escalated to full arbitrary kernel read/write.

With arbitrary read/write established, the attacker performs the standard token-swapping privilege escalation: locate the _EPROCESS structure for the current process, copy the token from the SYSTEM process, and overwrite the current process token. The vulnerability is reachable entirely from user mode by creating and manipulating cloud file placeholder reparse points, making it a reliable local privilege escalation vector.

Patch Analysis

The patch shipped in KB5039212 (build 10.0.22621.3733) added a bounds check before the memcpy call. In the vulnerable version, the driver used the reparse data length field directly as the copy size without comparing it against the allocated buffer size. The patched code validates that the reparse data length does not exceed the destination buffer size before performing the copy, returning an error status if the check fails.

AutoPiff detects this change via the added_len_check_before_memcpy rule, which identifies patches that introduce a length or size comparison guard on a previously unchecked memory copy operation.

Detection

YARA Rule

rule CVE_2024_30085_cldflt_sys {
    meta:
        description = "Detects vulnerable version of cldflt.sys (pre-patch)"
        cve = "CVE-2024-30085"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "cldflt.sys" wide ascii nocase
        $version = "10.0.22621.3672" wide ascii
        $bitmap_open = "HsmIBitmapNORMALOpen" ascii
        $cloud_filter = "CldFlt" wide ascii
    condition:
        $mz at 0 and $driver_name and $version and ($bitmap_open or $cloud_filter)
}

ETW Indicators

Provider Event / Signal Relevance
Microsoft-Windows-CloudFiles Cloud file placeholder operations Monitors reparse point creation and hydration requests handled by cldflt.sys, which are the entry point for triggering the vulnerable memcpy path
Microsoft-Windows-Kernel-Audit Pool allocation integrity events Detects kernel pool corruption resulting from the heap overflow past the allocated buffer boundary
Microsoft-Windows-Security-Auditing Event 4672 — Special privileges assigned Fires when the exploiting process gains SYSTEM privileges following successful pool corruption and token swap
Microsoft-Windows-Kernel-Process Process token modification Detects runtime token replacement on the attacking process after arbitrary R/W is achieved through corrupted pipe attributes
Microsoft-Windows-Kernel-IoTrace File system minifilter I/O tracing Captures the reparse point manipulation IOCTLs (FSCTL_SET_REPARSE_POINT) sent to trigger the vulnerable code path in cldflt.sys

Behavioral Indicators

  • A user-mode process creates cloud file placeholder reparse points with crafted reparse data where the data length field exceeds the allocation size field, triggering the size-mismatch heap overflow in HsmIBitmapNORMALOpen
  • Kernel pool spray activity using NtFsControlFile to allocate pipe attribute objects of a specific size class, positioning them adjacent to the vulnerable cldflt.sys buffer allocation for deterministic corruption
  • Pool corruption manifests as overwritten pipe attribute headers or data fields immediately following the cldflt.sys allocation, providing the attacker a relative read/write primitive
  • The exploiting process transitions from medium integrity to SYSTEM integrity by performing a token swap (copying SYSTEM EPROCESS token to its own token field) using the arbitrary R/W primitive escalated from the pipe attribute corruption
  • Failed exploitation attempts produce BAD_POOL_HEADER or PAGE_FAULT_IN_NONPAGED_AREA bugchecks with cldflt.sys on the faulting stack, indicating pool metadata corruption from an oversized memcpy

References