MiniPlasma
A vulnerability in the cldflt!HsmOsBlockPlaceholderAccess routine, previously reported by James Forshaw of Google Project Zero and supposedly patched as CVE-2020-17103, remains unpatched in Windows. The original proof-of-concept exploit still works, allowing for potential privilege escalation to SYSTEM. Researcher MiniPlasma demonstrated the issue by weaponizing the PoC to spawn a SYSTEM shell, indicating a possible failure in Microsoft's patching process.
- The cldflt!HsmOsBlockPlaceholderAccess routine is still vulnerable to the same issue reported by James Forshaw six years ago.
- The original proof-of-concept from Google Project Zero works without modification, indicating the vulnerability was never properly patched.
- MiniPlasma weaponized the exploit to spawn a SYSTEM shell, demonstrating active exploitation potential.
- It is unclear whether Microsoft never applied the fix or silently rolled back the patch for unknown reasons.
- All Windows versions may be affected due to the presence of the unpatched vulnerability.
Opening excerpt (first ~120 words):
MiniPlasma: After re-investigating the technique used in GreenPlasma (specifically SetPolicyVal), it turns out cldflt!HsmOsBlockPlaceholderAccess is still vulnerable to the exact same issue that was reported to Microsoft 6 years ago. I'm not taking full credit for this: James Forshaw from Google Project Zero found the vulnerability and reported it to Microsoft, and it was supposedly fixed as CVE-2020-17103. However, a researcher who's a friend of mine pointed out that the routine might still have a vulnerability, which is something I considered but brushed off because I thought it was impossible for Microsoft to just not patch this or roll back the patch.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at GitHub.