Microsoft Windows RtlQueryRegistryValues() does not adequately validate registry data

2010-11-26T00:00:00
ID VU:529673
Type cert
Reporter noobpwnftw
Modified 2010-11-26T00:00:00

Description

Overview

Microsoft Windows does not adequately validate registry data read using the function RtlQueryRegistryValues(). By modifying an EUDC registry key value, a local user could execute arbitrary code with SYSTEM privileges.

Description

Microsoft Windows supports end-user-defined characters (EUDC) to allow users to define custom Unicode characters. The Windows kernel (win32k.sys) graphics device interface (GDI) reads the EUDC registry key for font information. More specifically, GreEnableEudc() uses RtlQueryRegistryValues() to read HKCU\EUDC\{codepage}\SystemDefaultEUDCFont. In this case RtlQueryRegistryValues() expects to read a REG_SZ (string) value into a buffer whose length and contents are determined by the type and value of SystemDefaultEUDCFont.

By default, an unprivileged user has access to modify the EUDC registry key. Furthermore, RtlQueryRegistryValues() does not validate the data read from SystemDefaultEUDCFont.

By changing the type and data of SystemDefaultEUDCFont and enabling EUDC, an attacker can overwrite kernel memory.

Publicly available exploit code targets Windows Vista, Windows 7, and Windows Server 2008 platforms. Windows XP and Windows Server 2003 may also be affected.


Impact

An unprivileged local user can execute arbitrary code with SYSTEM privileges.


Solution

We are currently unaware of a complete solution to this problem.


Restrict access to EUDC registry key

Change the ACL on the EUDC registry key to prevent modifications. The EUDC key is in user registry hives so it may be necessary to make the change under HKCU and all the HKEY_USERS\* subkeys.

Preventing users from changing the types and data in EUDC registry key values will block the specific attack vector described in the initial public disclosure of this vulnerability. There may be other attack vectors in which RtlQueryRegistryValues() is used by the kernel to read user-modifiable registry values.
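The following PowerShell script is an added example, not part of the CERT note, that applies the workaround above: it walks every loaded user hive under HKEY_USERS, reports any SystemDefaultEUDCFont value whose type is not REG_SZ (the tampering described in the Description section), and, with the assumed -Harden switch, denies BUILTIN\Users write access to the EUDC key and moves ownership to Administrators. The hive enumeration and the choice of denied rights are assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the CERT note). Audits and optionally hardens the
# EUDC key in every loaded user hive. Assumptions: -Harden is our own switch,
# and BUILTIN\Users is the identity to deny.
param([switch]$Harden)

# Loaded user hives; the *_Classes hives hold no EUDC key.
$hives = Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -notmatch '_Classes$' }

foreach ($hive in $hives) {
    $eudcPath = "Registry::HKEY_USERS\$($hive.PSChildName)\EUDC"
    if (-not (Test-Path $eudcPath)) { continue }

    # Each subkey is a code page; SystemDefaultEUDCFont lives inside it.
    foreach ($cp in Get-ChildItem $eudcPath) {
        if ($cp.GetValueNames() -notcontains 'SystemDefaultEUDCFont') { continue }
        $kind = $cp.GetValueKind('SystemDefaultEUDCFont')
        if ("$kind" -ne 'String') {
            # GreEnableEudc() expects REG_SZ; any other type is the tell-tale change.
            Write-Warning "$($cp.PSPath): SystemDefaultEUDCFont is $kind, expected String (REG_SZ)"
        } else {
            Write-Host "$($cp.PSPath): SystemDefaultEUDCFont is REG_SZ"
        }
    }

    if ($Harden) {
        $acl = Get-Acl $eudcPath
        # Owners keep implicit WRITE_DAC, so a user owning the key could undo a
        # plain deny; hand ownership to Administrators first.
        $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
        # Explicit deny on the rights needed to change value types/data or
        # re-create the key, inherited by the per-code-page subkeys.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            'BUILTIN\Users',
            'SetValue,CreateSubKey,Delete,ChangePermissions,TakeOwnership',
            'ContainerInherit', 'None', 'Deny')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $eudcPath -AclObject $acl
        Write-Host "Hardened ACL on $eudcPath"
    }
}
```

Hives of users who are not logged on are not loaded under HKEY_USERS, so the audit and hardening only cover current sessions; users will also no longer be able to define EUDC characters while the deny rule is in place.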


Vendor Information

Vendor | Status | Date Notified | Date Updated
---|---|---|---
Microsoft Corporation | | - | 26 Nov 2010

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://secunia.com/advisories/42356>
  • <http://www.exploit-db.com/exploits/15609/>
  • <http://moonslab.com/1195>
  • <http://nakedsecurity.sophos.com/2010/11/25/new-windows-zero-day-flaw-bypasses-uac/>
  • <http://isc.sans.edu/diary.html?storyid=9988>
  • <http://www.prevx.com/blog/160/New-Windows-day-exploit-speaks-chinese.html>
  • <http://msdn.microsoft.com/en-us/library/dd317836%28VS.85%29.aspx>

Credit

This vulnerability was publicly disclosed by noobpwnftw.

This document was written by Art Manion.

Other Information

  • CVE IDs: Unknown
  • Date Public: 24 Nov 2010
  • Date First Published: 26 Nov 2010
  • Date Last Updated: 26 Nov 2010
  • Severity Metric: 15.94
  • Document Revision: 10