A Design Flaw in Windows Kernel API Leads to Security Breakdown
I would like to present an exploit of an ambiguous parameter in a Windows kernel API that leads to buffer overflows under nearly every version of Microsoft Windows, in particular one that can be used as a backdoor through the Windows user privilege system as well as User Access Control.
The starring API is RtlQueryRegistryValues. It is meant to query multiple registry values at once through a query table, with the EntryContext field of each table entry serving as the output buffer. The problem is that this field can be treated either as a UNICODE_STRING structure or as a ULONG buffer length followed by the actual buffer, and which of the two layouts the kernel assumes is determined by the type of the registry value being queried, not by anything the caller states.
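The following is an added example, not code from the original article: a small user-mode simulation in C of how the direct-query path chooses its buffer layout from the value type alone, and of the check a hardened caller (or the RTL_QUERY_REGISTRY_TYPECHECK flag Microsoft later added to wdm.h) performs before trusting that layout. The type definitions are stand-ins for the Windows ones, and the little-endian reinterpretation assumes x86.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the Windows types involved (constructed for this example). */
typedef uint16_t USHORT;
typedef uint32_t ULONG;
typedef uint16_t WCHAR;
typedef struct { USHORT Length; USHORT MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
#define REG_SZ     1u   /* registry value type numbers as defined by Windows */
#define REG_BINARY 3u

/* Bytes the direct-query path believes it may write into EntryContext, decided
 * only by the type of the value found in the registry:
 * REG_SZ: EntryContext is a UNICODE_STRING, capacity = MaximumLength.
 * Other types: EntryContext is a ULONG byte count followed by the buffer. */
ULONG believed_capacity(const void *entry_context, ULONG value_type)
{
    if (value_type == REG_SZ)
        return ((const UNICODE_STRING *)entry_context)->MaximumLength;
    ULONG len;
    memcpy(&len, entry_context, sizeof len);   /* first four bytes read as a ULONG */
    return len;
}

/* Hardened variant: the caller states the type it laid EntryContext out for and
 * any other type is rejected before the buffer layout is interpreted. */
int checked_capacity(const void *entry_context, ULONG expected_type,
                     ULONG actual_type, ULONG *capacity_out)
{
    if (actual_type != expected_type)
        return -1;                              /* type mismatch: refuse the query */
    *capacity_out = believed_capacity(entry_context, actual_type);
    return 0;
}

/* Caller sets up a UNICODE_STRING over 512 bytes of real storage (Length 0,
 * MaximumLength 512). On little-endian x86 those two USHORTs read back as the
 * ULONG 0x02000000, so a non-string value type makes the kernel believe it has
 * 32 MiB of room, starting inside the UNICODE_STRING itself. */
static WCHAR storage[256];
ULONG demo_capacity(ULONG actual_type)
{
    UNICODE_STRING us = { 0, sizeof storage, storage };
    return believed_capacity(&us, actual_type);
}
int demo_typecheck(ULONG actual_type)
{
    UNICODE_STRING us = { 0, sizeof storage, storage };
    ULONG cap;
    return checked_capacity(&us, REG_SZ, actual_type, &cap);
}

int main(void)
{
    printf("REG_SZ     -> %u bytes\n", (unsigned)demo_capacity(REG_SZ));
    printf("REG_BINARY -> %u bytes\n", (unsigned)demo_capacity(REG_BINARY));
    printf("type check -> %s\n", demo_typecheck(REG_BINARY) ? "rejected" : "accepted");
    return 0;
}
```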
Full mirror of the removed article, thanks to Offensive Computing: http://188.8.131.52/kmax/security-uac.aspx.htm