Windows Kernel Bug May Bypass User Account Control

The privilege escalation flaw allows standard users to execute arbitrary code in kernel mode

Another 0-day bug on the Windows platform is affecting win32k.sys (a critical component of the Windows kernel), and this time, the approach seems to pose a major challenge to the security world. This vulnerability is triggered by a buffer overflow in the kernel file, which allows code to bypass UAC on Windows Vista and Windows 7.

More to the point, this security flaw is affecting the RtlQueryRegistryValues API, which is used to query multiple registry values by a query table, with the EntryContext field as output buffer. In order to successfully exploit the flaw, it is mandatory that the attacker create a malformed Registry key, or to be able to manipulate a Registry key that is available with only user rights. Due to the nature of the flaw, we won’t detail more on the matter.

Suffice to say that a working proof of concept has been publicly available for a few hours on an extremely popular programming website. The demonstration included a step-by-step tutorial, as well as binary and source code needed to defeat the UAC.

Proof-of-convept exploit code

The call to EnableEUDC will trigger the bug

Since the win32k.sys bug is currently unpatched and code was publicly exposed, we expect to see it used in malware soon-ish. We are aware of the situation and we’re working on a generic detection scheme to prevent malicious code from reaching the kernel.

In the meantime, make sure to avoid downloading files from untrusted locations. Also, if you haven’t done this yet, you should consider installing and updating an antivirus solution.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.