Vulnerability Note VU#529673

Microsoft Windows RtlQueryRegistryValues() does not adequately validate registry data

Original Release date: 26 Nov 2010 | Last revised: 26 Nov 2010

Overview

Microsoft Windows does not adequately validate registry data read using the function RtlQueryRegistryValues(). By modifying an EUDC registry key value, a local user could execute arbitrary code with SYSTEM privileges.

Description

Microsoft Windows supports end-user-defined characters (EUDC) to allow users to define custom Unicode characters. The kernel-mode graphics device interface (GDI) component of Windows, win32k.sys, reads the EUDC registry key for font information. More specifically, GreEnableEudc() uses RtlQueryRegistryValues() to read HKCU\EUDC\{codepage}\SystemDefaultEUDCFont. The caller expects a REG_SZ (string) value, but RtlQueryRegistryValues() copies whatever is stored: the length and contents of the data written into the caller's buffer are determined by the type and data of SystemDefaultEUDCFont as it exists in the registry, not by what the caller expected.

By default, an unprivileged user can modify the EUDC registry key in their own hive. Furthermore, RtlQueryRegistryValues() does not validate the type or size of the data read from SystemDefaultEUDCFont.

By changing the type and data of SystemDefaultEUDCFont and then enabling EUDC, which causes the kernel to run GreEnableEudc(), an attacker can overwrite kernel memory.

Publicly available exploit code targets Windows Vista, Windows 7, and Windows Server 2008 platforms. Windows XP and Windows Server 2003 may also be affected.

Impact

An unprivileged local user can execute arbitrary code with SYSTEM privileges.

Solution

We are currently unaware of a complete solution to this problem.

Restrict access to EUDC registry key

Change the ACL on the EUDC registry key to prevent modifications. The EUDC key lives in each user's registry hive, so it may be necessary to make the change under HKCU and under all of the HKEY_USERS\* subkeys.

Preventing users from changing the types and data of EUDC registry values will block the specific attack vector described in the initial public disclosure of this vulnerability. There may be other attack vectors in which the kernel uses RtlQueryRegistryValues() to read user-modifiable registry values.
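The following PowerShell script is an added example written for this note; it is not code from CERT or from Microsoft. It assumes the registry layout the note describes (HKEY_USERS\<SID>\EUDC\<codepage>\SystemDefaultEUDCFont) and that it is run from an elevated session. It first audits every loaded user hive for a SystemDefaultEUDCFont value whose type is not REG_SZ, which is the tampering the Description section depends on, and then applies the ACL mitigation described above: an inheritable deny entry for the hive's own user on the EUDC key, plus a change of ownership to Administrators, because the owner of a key implicitly holds WRITE_DAC and could otherwise simply remove the deny entry again.

```powershell
# Added example for VU#529673. Not code from the CERT note or from Microsoft.
# Assumes the layout the note describes:
#   HKEY_USERS\<SID>\EUDC\<codepage>\SystemDefaultEUDCFont
# Run from an elevated (Administrator) PowerShell session.

$Hku = [Microsoft.Win32.Registry]::Users

# Hive names under HKEY_USERS that are user SIDs. Skips .DEFAULT and the
# <SID>_Classes hives, which are not valid SID strings.
function Get-UserHiveSids {
    $Hku.GetSubKeyNames() | Where-Object { $_ -match '^S-1-(\d+-)+\d+$' }
}

# Audit: GreEnableEudc() expects SystemDefaultEUDCFont to be REG_SZ. Any other
# value type is the "changed type and data" the note describes, so report every
# SystemDefaultEUDCFont whose type is not String, for every code page subkey.
function Test-EudcFontValues {
    foreach ($sid in Get-UserHiveSids) {
        $eudc = $Hku.OpenSubKey("$sid\EUDC")
        if ($null -eq $eudc) { continue }
        foreach ($codepage in $eudc.GetSubKeyNames()) {
            $cp = $eudc.OpenSubKey($codepage)
            if ($cp.GetValueNames() -contains 'SystemDefaultEUDCFont') {
                $kind = $cp.GetValueKind('SystemDefaultEUDCFont')
                [pscustomobject]@{
                    Key     = "HKEY_USERS\$sid\EUDC\$codepage"
                    Type    = $kind
                    Suspect = ($kind -ne [Microsoft.Win32.RegistryValueKind]::String)
                }
            }
            $cp.Close()
        }
        $eudc.Close()
    }
}

# Mitigation: deny the hive's own user the rights needed to change anything under
# EUDC, and move ownership of the key to Administrators. The ownership change
# matters because a key's owner implicitly holds WRITE_DAC and could otherwise
# delete the deny entry again. ContainerInherit makes the deny entry apply to the
# {codepage} subkeys, which is where SystemDefaultEUDCFont actually lives.
function Protect-EudcKey {
    $R = [System.Security.AccessControl.RegistryRights]
    $denyRights = $R::SetValue -bor $R::CreateSubKey -bor $R::Delete -bor
                  $R::ChangePermissions -bor $R::TakeOwnership
    $openRights = $R::ReadKey -bor $R::ChangePermissions -bor $R::TakeOwnership

    foreach ($sid in Get-UserHiveSids) {
        $key = $Hku.OpenSubKey("$sid\EUDC",
                   [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                   $openRights)
        if ($null -eq $key) { continue }

        $acl = $key.GetAccessControl()
        $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
                    [System.Security.Principal.SecurityIdentifier]$sid,
                    $denyRights,
                    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
                    [System.Security.AccessControl.PropagationFlags]::None,
                    [System.Security.AccessControl.AccessControlType]::Deny)
        $acl.AddAccessRule($rule)
        $key.SetAccessControl($acl)
        $key.Close()
        "Hardened HKEY_USERS\$sid\EUDC"
    }
}

# Audit first, then apply the mitigation.
Test-EudcFontValues | Format-Table -AutoSize
Protect-EudcKey
```

Only hives currently loaded under HKEY_USERS are covered (the logged-on user's HKCU is one of them), so run the script after each affected user has logged on, or load their NTUSER.DAT with reg load first. Once the deny entry is in place the user can no longer change their own EUDC settings until an administrator removes it.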

Vendor Information

Vendor                  Status     Date Notified   Date Updated
Microsoft Corporation   Affected   -               26 Nov 2010

CVSS Metrics

Group           Score   Vector
Base            N/A     N/A
Temporal        N/A     N/A
Environmental   N/A     N/A

Credit

This vulnerability was publicly disclosed by noobpwnftw.

This document was written by Art Manion.

Other Information

  • CVE IDs: Unknown
  • Date Public: 24 Nov 2010
  • Date First Published: 26 Nov 2010
  • Date Last Updated: 26 Nov 2010
  • Severity Metric: 15.94
  • Document Revision: 10