Information
- Language: English
- Conference: REcon
- Location: Montreal, Canada
- Date: June 2024
- Speaker(s): Mateusz ‘j00ru’ Jurczyk
Slides
Abstract
Have you ever wondered what lies beneath the graphical interface of the Windows Registry Editor? Despite regedit’s unchanged appearance for over 20 years, the underlying kernel registry implementation is far more complex than it seems. From roughly 10,000 lines of decompiled code in Windows NT 3.1 to ten times as many in Windows 11, the registry codebase has seen massive growth throughout its existence. In large part, this is due to the introduction of new features like transactions, app keys and differencing hives, which may not be obvious to the casual user, but whose added complexity certainly affects system security and opens the door to potential local privilege escalation exploits.
Recognizing this vast attack surface, I spent many months in 2022 and 2023 immersed in a thorough audit of the Windows Configuration Manager (the registry’s kernel subsystem). This research uncovered over 50 vulnerabilities, ranging from simple coding errors to intricate design flaws that prompted significant code refactors by Microsoft. In this talk, I’ll share my registry bug taxonomy, classifying vulnerabilities based on the level of understanding needed to uncover them – from easily “greppable” bugs to deeply hidden logic flaws. Each category will be accompanied by a detailed case study of a recently discovered registry bug. Expect a lot of Windows internals, technical analysis, and some exciting exploit demos.