search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Windows RtlQueryRegistryValues() does not adequately validate registry data

Vulnerability Note VU#529673

Original Release Date: 2010-11-26 | Last Revised: 2010-11-26

Overview

Microsoft Windows does not adequately validate registry data read using the function RtlQueryRegistryValues(). By modifying an EUDC registry key value, a local user could execute arbitrary code with SYSTEM privileges.

Description

Microsoft Windows supports end-user-defined characters (EUDC) to allow users to define custom unicode characters. The Windows kernel (win32k.sys) graphics device interface (GDI) reads the EUDC registry key for font information. More specifically, GreEnableEudc() uses RtlQueryRegistryValues() to read HKCU\EUDC\{codepage}\SystemDefaultEUDCFont. In this case RtlQueryRegistryValues() expects to read a REG_SZ (string) value into a buffer whose length and contents are determined by the type and value of SystemDefaultEUDCFont.

By default, an unprivileged user has access to modify the EUDC registry key. Furthermore, RtlQueryRegistryValues() does not validate the data read from SystemDefaultEUDCFont.

By changing the type and data of SystemDefaultEUDCFont and enabling EUDC, an attacker can overwrite kernel memory.

Publicly available exploit code targets Windows Vista, Windows 7, and Windows Server 2008 platforms. Windows XP and Windows Server 2003 may also be affected.

Impact

An unprivileged local user can execute arbitrary code with SYSTEM privileges.

Solution

We are currently unaware of a complete solution to this problem.

Restrict access to EUDC registry key

Change the ACL on the EUDC registry key to prevent modifications. The EUDC key is in user registry hives so it may be necessary to make the change under HKCU and all the HKEY_USERS\* subkeys.

Preventing users from changing the types and data in EUDC registry key values will block the specific attack vector described in the initial public disclosure of this vulnerability. There may be other attack vectors in which RtlQueryRegistryValues()is used by the kernel to read registry user-modifiable registry values.

Vendor Information

529673
 
Affected   Unknown   Unaffected

Microsoft Corporation

Updated:  November 26, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

This vulnerability was publicly disclosed by noobpwnftw.

This document was written by Art Manion.

Other Information

CVE IDs: None
Severity Metric: 15.94
Date Public: 2010-11-24
Date First Published: 2010-11-26
Date Last Updated: 2010-11-26 22:40 UTC
Document Revision: 10

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.