Description

Microsoft patched several Windows vulnerabilities last week. One of the vulnerabilities was a Windows Kernel Registry Elevation of Privilege Vulnerability.  This vulnerability exists when the Windows Kernel API improperly handles registry objects in memory.

 

The vulnerability found and reported by Mauro Leggieri who is VP of Engineering at TRAPMINE. Thanks to MJ0011 who is Head of 360Vulcan Team for the analysis report of this vulnerability below;

 

Analysis

The root cause of this vulnerability is a double dereference bug. The kernel uses ObReferenceObjectByHandle to obtain the corresponded kernel object of supplied handles. For registry NTAPIs, the kernel accepts a special kind of registry key handle: “predefined handles”.

It’s possible to create this kind of registry key by setting options on NtCreateKey to REG_OPTION_PREDEF_HANDLE. When facing such kind of handle, the kernel doesn’t allow these keys to be deleted/renamed/modified etc. from NTAPIs. So they use a function named CmObReferenceObjectByHandle.

In CmObReferenceObjectByHandle, it actually directly calls ObReferenceObjectByHandle to check the key before it used. If the object’s key body type is a predefined handle, the function will return status: STATUS_INVALID_HANDLE, and de-reference the key body object. The problem is the output parameter “Object” is already overwritten by ObReferenceObjectByHandle and may affect to the caller function.

If the caller function of CmObReferenceObjectByHandle use the returned “Object” to determine whether need to use ObDerefeneceObject to de-reference it, instead of check the returned ntstatus, it will cause a double-dereference on the key body object. If the caller function of CmObReferenceObjectByHandle use the returned “Object” instead of checking the returned status, it will cause a double-dereference on the key body object.

 

Exploitability
It’s a double dereference and it would be exploitable by using race condition however it’s a bit tricky. Microsoft scored this vulnerability as “Important” and defined it as “Exploitation More Likely”.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8410

 

Proof of Concept Code

https://www.trapmine.com/codes/CVE-2018-8410.cpp.txt