Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Privilege escalation 0-day in almost all Windows versions - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Privilege escalation 0-day in almost all Windows versions

Today proof of concept code (source code, with a compiled binary) of a 0-day privilege escalation vulnerability in almost all Windows operating system versions (Windows XP, Vista, 7, Server 2008 ...) has been posted on a popular programming web site.

The vulnerability is a buffer overflow in kernel (win32k.sys) and, due to its nature allows an attacker to bypass User Access Control (UAC) on Windows Vista and 7 operating systems.
What’s interesting is that the vulnerability exist in a function that queries the registry so in order to exploit this the attacker has to be able to create a special (malicious) registry key. Author of the PoC managed to find such a key that can be created by a normal user on Windows Vista and 7 (so, a user that does not even have any administrative privileges).

The PoC code creates such a registry key and calls another library which tries to read the key and during that process it ends up calling the vulnerable code in win32k.sys.
Since this is a critical area of the operating system (the kernel allows no mistakes), the published PoC only works on certain kernel versions while on others it can cause a nice BSOD. That being said, the code can be probably relatively easily modified to work on other kernel versions.

We are not aware of any exploitation of this vulnerability at the moment and, since it can be exploited only locally, it obviously depends on another attack vector, but knowing how users can be easy on clicking on unknown files, this is definitely something we will keep our eye on and post updates if we see exploitation.

The PoC has been in the mean time removed from the original site but now that it has been published I’m sure that everyone who wants to get it can do that easily.



I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Pen Test Hackfest Europe 2022 - Berlin


403 Posts
ISC Handler
Nov 24th 2010
Interestingly, another privilege escalation vulnerability -in task scheduler- published last weekend (apparently used by the Stuxnet worm) didn't receive much media attention, see

Unbelievable that Microsoft's most "secure" operating systems (w7/w2k8) seem to use crc32 instead of a secure hash.
Erik van Straten

129 Posts
Yes, when searching for more details on the item mentioned in the article, I came across this which is the actual exploit mentioned by the above comment. I didn't analyze the exploit in detail, but it appears to me that MS must use a CRC-32 to "protect" the schedule... which is totally lame if that is the case.
A little bit more on and some more infos on - the later including kind of a workaround.
MS seems to be/may be aware of the issue acording to
Why not mention as it has been taken down? Sure enough, there are detailed infos all around (e.g.
Are you sure this will work on Windows XP too? There's no HKCU\EUDC registry key...
@Ottmar, as can be read in , the actual vulnerability is in the function RtlQueryRegistryValues - which, according to , is available in Windows 2000 and later versions of Windows (although this doesn't mean all versions are vulnerable, this seems quite likely).

In the specific exploit, the publisher looked for a registry key that meets 2 criteria:

- it is writable by a non-privileged user;

- a kernel-mode OS function (GDI in this case) can be triggered to read a value from that specific registry key.

So the EUDC registry key is just one vector, others may exist.
Erik van Straten

129 Posts

Sign Up for Free or Log In to start participating in the conversation!