C/C++ checklist challenges, solved
The article details two C/C++ security vulnerabilities based on code challenges. The first is a Linux command injection flaw caused by the inetntoa function's global buffer reuse and inetaton accepting trailing garbage. The second is a Windows driver Local Privilege Escalation (LPE) vulnerability stemming from missing RTLQUERYREGISTRYTYPECHECK flags during RtlQueryRegistryValues API calls. This omission allows attackers to leverage registry type confusion (e.g., using REGBINARY or REGSZ instead of REGDWORD) to overwrite kernel stack memory via writable keys in trusted system hives.
Authors: Trail of Bits
Source:
Trail of Bits
- registry_key\REGISTRY\MACHINE\SOFTWARE\Microsoft\DRMTrusted system hive registry key identified as writable by low-integrity processes, potentially abused for registry type confusion exploits.
- registry_key\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PlayReady\TroubleshooterTrusted system hive registry key identified as writable by low-integrity processes, potentially abused to plant controlled registry values.
Detection / HunterGoogle
What Happened
Security researchers have published solutions to two coding challenges that highlight common but dangerous software bugs. The first bug affects Linux programs, where improper handling of IP addresses can allow an attacker to run malicious commands. The second bug affects Windows drivers, where failing to verify the type of data read from the Windows Registry can allow an attacker to crash the system or gain full control over it. These issues highlight why developers must strictly validate all input and use modern, safer coding practices. Software developers should review their code for these specific vulnerable functions and apply the recommended security checks.
Key Takeaways
- The Linux inet_ntoa function returns a pointer to a global buffer, meaning subsequent calls overwrite previous outputs, which can bypass security checks.
- The Linux inet_aton function accepts trailing garbage, enabling command injection if the parsed input is later passed to a system shell.
- Windows drivers using RtlQueryRegistryValues with RTL_QUERY_REGISTRY_DIRECT must include the RTL_QUERY_REGISTRY_TYPECHECK flag to prevent type confusion.
- Without type checking, attackers can supply REG_SZ or REG_BINARY values instead of REG_DWORD to overwrite kernel stack memory and achieve Local Privilege Escalation (LPE).
- Low-integrity processes can write to specific trusted system hives (e.g., Microsoft\DRM), bypassing some mitigations against untrusted registry reads.
Affected Systems
- Linux (C/C++ applications using inet_ntoa/inet_aton)
- Windows (Drivers using RtlQueryRegistryValues without type checks)
Vulnerabilities (CVEs)
- MS11-011
Attack Chain
The attacker first identifies a vulnerable Windows driver that reads registry values without type checking. They then find a writable registry key within a trusted system hive, such as the DRM key, which is accessible even from a low-integrity process. The attacker populates this key with a crafted REG_BINARY or REG_SZ value instead of the expected REG_DWORD. When the driver reads this value, a type confusion occurs, allowing the attacker to overwrite kernel stack memory, hijack a function pointer, and execute arbitrary code with kernel privileges.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide traditional detection rules (YARA/Sigma) but introduces a Claude AI skill ('c-review') designed to identify these vulnerabilities during static code analysis.
Detection Engineering Assessment
EDR Visibility: Medium — EDRs can monitor registry modifications, especially to sensitive or unusual keys by low-integrity processes, and can detect KERNEL_SECURITY_CHECK_FAILURE (0x139) bugchecks resulting from failed exploits. Network Visibility: None — The vulnerabilities discussed are local privilege escalation and local command injection flaws; no network traffic is inherently generated by the exploitation phase itself. Detection Difficulty: Hard — Distinguishing malicious registry type confusion from legitimate driver registry reads is difficult without deep kernel-level introspection or specific knowledge of the vulnerable driver.
Required Log Sources
- Windows System Event Log (Bugchecks)
- Sysmon Event ID 12 (RegistryEvent)
- Sysmon Event ID 13 (RegistryEvent)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Low-integrity processes modifying registry keys within trusted system hives (e.g., HKLM\SOFTWARE\Microsoft\DRM) may indicate preparation for a registry-based privilege escalation exploit. | Sysmon Event ID 12/13 or EDR registry telemetry correlated with process integrity levels. | Privilege Escalation | Low |
| Unexpected KERNEL_SECURITY_CHECK_FAILURE (0x139) bugchecks may indicate failed attempts to exploit registry type confusion vulnerabilities in drivers. | Windows System Event Log (Event ID 1001 - BugCheck). | Execution | Medium |
Control Gaps
- Lack of strict type checking in legacy Windows APIs
- Global buffer reuse in legacy C standard library functions
Key Behavioral Indicators
- Low-integrity process writing to HKLM\SOFTWARE\Microsoft\DRM
- Process creating REG_BINARY or REG_SZ values where REG_DWORD is expected by a driver
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Review C/C++ codebases for uses of inet_ntoa and replace with thread-safe alternatives like inet_ntop.
- Ensure all RtlQueryRegistryValues calls using RTL_QUERY_REGISTRY_DIRECT also include the RTL_QUERY_REGISTRY_TYPECHECK flag.
Infrastructure Hardening
- Audit registry permissions to ensure low-integrity processes cannot write to trusted system hives unless absolutely necessary.
User Protection
- Run applications with the lowest necessary privileges (e.g., Low Integrity Level) to limit the impact of potential exploits, though note this does not prevent all registry-based attacks.
Security Awareness
- Educate developers on the dangers of legacy C functions and the importance of strict type validation when interacting with the Windows Registry.
MITRE ATT&CK Mapping
- T1068 - Exploitation for Privilege Escalation
- T1112 - Modify Registry
- T1059.004 - Command and Scripting Interpreter: Unix Shell
Additional IOCs
- Urls:
hxxps://github[.]com/trailofbits/skills- Repository for the Claude c-review skill used for static code analysis.
- Registry Keys:
\REGISTRY\MACHINE\HARDWARE- Trusted system hive mentioned in the context of RtlQueryRegistryValues mitigations.\REGISTRY\MACHINE\SOFTWARE- Trusted system hive mentioned in the context of RtlQueryRegistryValues mitigations.\REGISTRY\MACHINE\SYSTEM- Trusted system hive mentioned in the context of RtlQueryRegistryValues mitigations.\REGISTRY\MACHINE\SECURITY- Trusted system hive mentioned in the context of RtlQueryRegistryValues mitigations.\REGISTRY\MACHINE\SAM- Trusted system hive mentioned in the context of RtlQueryRegistryValues mitigations.
- Command Lines:
- Purpose: Install the Claude c-review skill for code analysis | Tools:
claude| Stage: Defense |claude skills add-marketplace - Purpose: Search recursively for registry keys the current process has permission to set values within | Tools:
PowerShell,NtObjectManager| Stage: Discovery |Get-AccessibleKey \Registry\Machine -Recurse -Access SetValue - Purpose: Duplicate the current process token and apply a low integrity label for testing access controls | Tools:
PowerShell,NtObjectManager| Stage: Privilege Escalation |Get-NtToken -Primary -Duplicate -IntegrityLevel Low
- Purpose: Install the Claude c-review skill for code analysis | Tools: