Security researchers published the technical details and a proof-of-concept (PoC) exploit code for CVE-2024-43452 (CVSS 7.5), a Windows Registry Elevation of Privilege vulnerability. Reported by Mateusz Jurczyk of Google Project Zero, this flaw exploits a design oversight in Windows registry hive memory management, potentially allowing attackers to gain SYSTEM-level access on vulnerable machines.
The analysis of CVE-2024-43452 underscores the dangers of false file immutability in operating systems. Jurczyk attributes inspiration for this research to Gabriel Landau’s work on this vulnerability class.
The flaw stems from a process called double-fetch during the loading of registry hives. According to the analysis, “under memory pressure, it is possible that the same page(s) of memory will be fetched, evicted, and read again from the underlying medium… This is a security issue because…if a malicious SMB server responds with different data on both requests, then it can indeed change, breaking the kernel’s assumptions.”
Jurczyk’s proof-of-concept demonstrated how this flaw could be exploited:
- The attacker hosts a malicious hive file on a remote SMB server.
- The target system loads the hive, triggering memory fetches and evictions under specific memory constraints.
- A malicious server responds with manipulated data, corrupting the registry hive structure and causing memory corruption.
By controlling key parameters such as FileOffset and Size, the attacker can exploit this flaw to gain SYSTEM privileges through a powerful memory corruption primitive.
The proof-of-concept (PoC) for CVE-2024-43452 involved a Linux-based SMB server running Python scripts to manipulate the hive file. Jurczyk details that the proof-of-concept worked on Windows 11 23H2 with the July 2024 patches installed. “The vulnerability is highly dependant on the system memory consumption/layout, so if it doesn’t reproduce on the first try, it is recommended to try again, check the extent of memory usage (e.g. in Task Manager), and potentially try to fine-tune the amount of physical memory assigned to the VM,” he noted.
Microsoft addressed this vulnerability in the November 2024 Patch Tuesday updates. Users are strongly encouraged to apply the patch immediately to mitigate risks. For organizations, proactive monitoring of SMB traffic and limiting access to registry-related operations can further reduce exposure.
Related Posts:
- CVE-2024-23945: Serious Vulnerability in Apache Hive and Spark Could Lead to Exploitation
- Hive Ransomware Leader Nabbed in Ukraine: Europol and Ukrainian Police Collaborate to Take Down Cybercriminal
