Elementrica
03Case Studies04References05Company06News07Contact
PLENDE

Windows LPE: MiniPlasma and the return of the (un)patched CVE-2020-17103

ElementricaElementrica5 min
Windows LPE: MiniPlasma and the return of the (un)patched CVE-2020-17103

Some vulnerabilities sound dull on a conference slide and in practice turn an ordinary employee account into the administrator of the whole machine in seconds. A researcher who goes by Nightmare-Eclipse just published working code on GitHub that does exactly that on a fully patched Windows. He called it MiniPlasma. The twist: the flaw it abuses was officially patched more than five years ago.

What MiniPlasma is

MiniPlasma is an LPE exploit, that is, local privilege escalation. The Nightmare-Eclipse/MiniPlasma repository is not a write-up or a conference slide. It is a finished, weaponized proof of concept.

We ran it in our own lab. The exploit starts from an ordinary, low-privileged user account and in a fraction of a second hands back a command prompt running as SYSTEM, the highest privilege on the box. It works on fully patched machines, Windows 11 included. From that point on, the attacker does whatever they want with the computer.

Sounds like it needs a break-in first? It does. But in large Active Directory networks, getting one of those low-privileged accounts is rarely the hard part. One captured and cracked NetNTLMv2 hash, or a successful NTLM Relaying, and the attacker is inside, ready to dump the SAM password database and climb higher.

An old flaw in new clothes

The unsettling part is that MiniPlasma breaks no new ground. Underneath is a vulnerability cataloged long ago as CVE-2020-17103, in the cldflt.sys cloud filter driver.

This component is active by default in every modern version of Windows, because it handles OneDrive and the files-on-demand mechanism. In other words, the vulnerable piece of the system is switched on at your place even if you never knowingly used OneDrive.

Microsoft officially removed this flaw in December 2020. The problem is that the patch either never worked properly or a regression crept in along the way. The result: five years later, the same hole can be exploited again.

Why this is a real problem, not theory

Privilege escalation is rarely the goal in itself. It is a link. It is the part of the chain that turns a small foothold into a full network takeover, and in the worst case into ransomware that encrypts everything top to bottom.

Our own engagements show that once an attacker has SYSTEM on a single workstation, a few things are within reach:

  • a dump of the NTLM hashes of every account logged into that machine (in Windows a hash is as good as the password), which opens the door to more accounts,
  • the local administrator password, which without MS LAPS is often identical across dozens of computers at once,
  • full access to network resources and services visible from that workstation, a ready starting point for lateral movement.

One vulnerable workstation, one reused local admin, and suddenly the map of the whole network belongs to someone else.

What to do about it

No scare tactics for their own sake: this can be handled. Two things give you the biggest return here.

  • Keep your EDR current and take it seriously. Endpoint Detection and Response vendors watch public exploit repositories, including the ones under the Nightmare-Eclipse name, and add detection rules for new code fast. A current EDR has a real chance to catch and block an attempt to run this PoC. An outdated one catches nothing.
  • Test yourself regularly instead of guessing. A penetration test answers two questions no slide can settle. First: whether an attacker in your infrastructure can even get that low-privileged account where everything starts. Second: whether LPE escalations actually work in your environment and what they really give an attacker.

A five-year-old patch, a component no one switched on on purpose, and an employee account that suddenly becomes SYSTEM. This is what security often looks like: the most interesting things happen in the places no one is watching. When did someone at your company last check where a single ordinary user account really leads?

See where a single account leads in your network

Book a free consultation and we will plan a penetration test that shows whether privilege escalations like MiniPlasma actually work in your infrastructure.

Previous
One link was all it took for your Copilot to work for someone else
Next
We're building E-Zero, one platform for the whole security project