DEV Community

Mark0

The Immutable Illusion: Pwning Your Kernel with Cloud Files

This research introduces "Redux," an advanced exploitation method for the False File Immutability (FFI) vulnerability class in Windows. Unlike earlier versions that relied on network redirectors and SMB setups, Redux leverages the built-in Windows Cloud Files capability (cldflt.sys) to achieve file modification bypasses. By exploiting how the kernel driver processes file data, an attacker can modify files that the Windows kernel incorrectly assumes are immutable, enabling a streamlined kernel exploit without external network dependencies.

The vulnerability is particularly critical because it bypasses previous Microsoft mitigations and remains functional on several fully patched versions of Windows. The article provides a deep dive into the technical mechanics of the bypass, demonstrating how kernel APIs such as FltWriteFileEx can be manipulated to perform paging writes on non-writable file objects. It also gives defenders mitigation strategies, including a filesystem minifilter approach that blocks the specific IRP operations the exploit relies on.
