One Article Review

Home - The article:
Source: Google Project Zero
Identifier 8484833
Publication date 2024-04-18 09:53:59 (viewed: 2024-04-18 17:06:42)
Title The Windows Registry Adventure #1: Introduction and research results
Text Posted by Mateusz Jurczyk, Google Project Zero

In the 20-month period between May 2022 and December 2023, I thoroughly audited the Windows Registry in search of local privilege escalation bugs. It all started unexpectedly: I was in the process of developing a coverage-based Windows kernel fuzzer based on the Bochs x86 emulator (one of my favorite tools for security research: see Bochspwn, Bochspwn Reloaded, and my earlier font fuzzing infrastructure), and needed some binary formats to test it on. My first pick were PE files: they are very popular in the Windows environment, which makes it easy to create an initial corpus of input samples, and a basic fuzzing harness is equally easy to develop with just a single GetFileVersionInfoSizeW API call. The test was successful: even though I had previously fuzzed PE files in 2019, the new element of code coverage guidance allowed me to discover a completely new bug: issue #2281.

For my next target, I chose the Windows registry. That's because arbitrary registry hives can be loaded from disk without any special privileges via the RegLoadAppKey API (since Windows Vista). The hives use a binary format and are fully parsed in the kernel, making them a noteworthy local attack surface. Furthermore, I was also somewhat familiar with basic harnessing of the registry, having fuzzed it in 2016 together with James Forshaw. Once again, the code coverage support proved useful, leading to the discovery of issue #2299. But when I started to perform a root cause analysis of the bug, I realized that: The hive binary format is not very well suited for trivial bitflipping-style fuzzing, because it is structurally simple, and random mutations are much more likely to render (parts of) the hive unusable than to trigger any interesting memory safety violations. On the other hand, the registry has many properties that make it an attractive attack
Sent Yes
Tags Tool Vulnerability Threat Studies
Rating ★★★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.