Mateusz Jurczyk: Windows Registry Deja Vu: The Return of Confused Deputies | CONFidence

youtube.com, 1 week ago


Software security is an ongoing battle. During CONFidence 2010, Gynvael Coldwind and I gave a presentation titled "Case study of recent Windows vulnerabilities", in which we discussed a number of issues in the Windows kernel implementation of the registry.

One of them was CVE-2010-0237, a bug that allowed abusing symbolic links to carry out a "confused deputy" attack, by tricking the privileged winlogon.exe process into reading and writing arbitrary registry keys on the attacker's behalf.

The problem was subsequently fixed by introducing stricter checks around registry symlinks, and the bug class was meant to forever fade into obscurity. Or so we thought.

Over a decade later, in May 2022, I revisited the security model of the Windows registry once again. One of my most interesting findings was the concept of so-called "predefined keys", a legacy, rarely used part of the hive format that turned out to be mishandled in a number of kernel functions, leading to several memory corruption bugs. But the biggest realization was that predefined keys, essentially a kind of symbolic link, had not been fully mitigated back in 2010.

Consequently, it was still possible to reconstruct the original confused deputy attack on everything up to and including Windows 11, before Microsoft deprecated support for predefined keys entirely last year. This talk will walk you through my investigation process, explain the technical details behind the bugs, and showcase a successful privilege escalation exploit. In this way, I hope to highlight the dangers of maintaining legacy code and the importance of reducing attack surface in software.

More: https://confidence-conference.org/