Windows Kernel Bug May Bypass User Account Control

November 27, 2010 – 8:37 AM
Another 0-day bug on the Windows platform affects win32k.sys (a critical component of the Windows kernel), and this time the approach poses a major challenge to the security world. The vulnerability is triggered by a buffer overflow in that kernel file, which allows code to bypass UAC on Windows Vista and Windows 7.
More to the point, the flaw lies in the RtlQueryRegistryValues API, which queries multiple registry values by way of a query table, with the EntryContext field of each table entry serving as the output buffer. To exploit the flaw successfully, the attacker must create a malformed Registry key, or be able to manipulate a Registry key that is writable with only user rights. Due to the nature of the flaw, we won't detail the matter further.
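Since the precondition described above is a Registry key that a standard user can write to, the practical check for an administrator is twofold: confirm that UAC is actually enforced on the machine, and audit whether the current (non-elevated) user holds SetValue rights on the key in question. The following PowerShell script is an added example written for this article; it is not code from the original post or from Microsoft. The key path is a placeholder parameter, because the article does not name the key involved; the UAC policy values it reads (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) are the standard ones under the Policies\System key.

```powershell
# Added defensive audit (not part of the original article).
# 1. Reports the machine's UAC policy state.
# 2. Reports whether the current user can write values under a given key,
#    and lists the stored values with their data types so an unexpected
#    type can be spotted by an administrator.
# $KeyPath is a PLACEHOLDER: substitute the key you need to audit.
param(
    [string]$KeyPath = 'HKCU:\Software\PLACEHOLDER_VENDOR\PLACEHOLDER_KEY'
)

# --- UAC posture -----------------------------------------------------------
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
[pscustomobject]@{
    Check                      = 'UAC policy'
    EnableLUA                  = $policy.EnableLUA                  # 1 = UAC on
    ConsentPromptBehaviorAdmin = $policy.ConsentPromptBehaviorAdmin # 0 = never prompt
    PromptOnSecureDesktop      = $policy.PromptOnSecureDesktop      # 1 = secure desktop
} | Format-List

if ($policy.EnableLUA -ne 1) {
    Write-Warning 'UAC is disabled on this machine; the bypass discussed is moot, but so is UAC.'
}

# --- Who can write to the key? -------------------------------------------
if (-not (Test-Path -Path $KeyPath)) {
    Write-Output "Key not present: $KeyPath"
    return
}

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
# String SIDs of the user and every group in the current token.
$mySids = @($identity.Groups | ForEach-Object { $_.Value }) + $identity.User.Value

$acl = Get-Acl -Path $KeyPath
$writableBy = foreach ($rule in $acl.Access) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    $canSet = [int]($rule.RegistryRights -band
                    [System.Security.AccessControl.RegistryRights]::SetValue) -ne 0
    if (-not $canSet) { continue }
    try {
        $sid = $rule.IdentityReference.Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } catch { continue }   # unresolvable account names are skipped
    if ($mySids -contains $sid) { $rule.IdentityReference.Value }
}

if ($writableBy) {
    Write-Warning ("Current user can set values under {0} via: {1}" -f $KeyPath, ($writableBy -join ', '))
} else {
    Write-Output "Current user has no SetValue rights on $KeyPath"
}

# --- Values and their data types -------------------------------------------
$key = Get-Item -Path $KeyPath
foreach ($name in $key.GetValueNames()) {
    [pscustomobject]@{
        Value = if ($name) { $name } else { '(Default)' }
        Kind  = $key.GetValueKind($name)   # e.g. String, Binary, DWord
    }
}
```

Run it from a non-elevated prompt so the token reflects the rights an ordinary user actually has; an elevated prompt would report the administrator's view of the ACL. The value listing does not decide which type is "correct" for a given value, since that depends on the consumer of the key; it only makes the stored type visible so it can be compared against what the owning component documents.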
Suffice it to say that a working proof of concept has been publicly available for a few hours on an extremely popular programming website. The demonstration included a step-by-step tutorial, as well as the binary and source code needed to defeat UAC.