Windows Registry Deja Vu: The Return of Confused Deputies (CONFidence 2024)


  • Language: English
  • Conference: CONFidence
  • Location: Krakow, Poland
  • Date: May 2024
  • Speaker(s): Mateusz ‘j00ru’ Jurczyk



Software security is an ongoing battle. During CONFidence 2010, Gynvael Coldwind and I gave a presentation titled “Case study of recent Windows vulnerabilities”, in which we discussed a number of issues in the Windows kernel implementation of the registry. One of them was CVE-2010-0237, a bug that allowed abusing symbolic links to carry out a “confused deputy” attack, by tricking the privileged winlogon.exe process into reading and writing arbitrary registry keys on the attacker’s behalf. The problem was subsequently fixed by introducing stricter checks around registry symlinks, and the bug class was meant to forever fade into obscurity. Or so we thought.

Over a decade later, in May 2022, I revisited the security model of the Windows registry once again. One of my most interesting findings was the concept of so-called “predefined keys” – a legacy, hardly used part of the hive format that turned out to be mishandled in a number of kernel functions, leading to several memory corruption bugs. But the biggest realization was that predefined keys, essentially a type of symbolic link, weren’t fully mitigated back in 2010. Consequently, it was still possible to reconstruct the original confused deputy attack on up to and including Windows 11, before Microsoft deprecated support for predefined keys entirely last year. This talk will walk you through my research process, explain the technical details behind the bugs, and showcase a successful privilege escalation exploit. This way, I hope to highlight the dangers associated with maintaining legacy code and the importance of reducing attack surface in software.