The Immutable Illusion: Pwning Your Kernel with Cloud Files
ID: 3f3bd97f-ef66-5e28-a556-35cbdff3046b
STIX ID: report--3f3bd97f-ef66-5e28-a556-35cbdff3046b
Feed Name: Elastic Security Labs
This report details the discovery and exploitation of a Windows vulnerability class called False File Immutability (FFI), showing how Cloud Files and filter APIs (e.g., FltWriteFileEx with paging I/O and IO_IGNORE_SHARE_ACCESS_CHECK semantics) can be abused to overwrite files the kernel treats as immutable (EXEs/DLLs). The authors present experiments and PoC exploits (Redux, GodFault-Redux) that achieve arbitrary code execution and privilege escalation in Protected Process Light contexts, describe a mitigation (a minifilter that blocks specific section-acquire operations), and provide the disclosure and remediation status for affected Windows versions.
