CVE-2010-4398
published 2010-12-06


Priority: P1 · 80 · high · CVSS 3.1: 7.8
Vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-04-21
Exploited in the wild
EPSS: 8.66% (94.4th percentile)
Stack-based buffer overflow in the RtlQueryRegistryValues function in win32k.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows local users to gain privileges, and bypass the User Account Control (UAC) feature, via a crafted REG_BINARY value for a SystemDefaultEUDCFont registry key, aka "Driver Improper Interaction with Windows Kernel Vulnerability."

Affected

1 range
Vendor      Product               Version range   Fixed in
microsoft   windows_server_2008   (not given)     (not given)

Detection & IOCs (extracted from sources)

path: 0xfffff78000000800
other: NOP sled at offset 0x92D675 in SYSTEM hive
  • Monitor for REG_SZ or REG_BINARY type values written to registry keys under HKLM\SYSTEM\ControlSet001\Control\GraphicsDrivers and its MemoryManager subkey where REG_DWORD values are expected — type mismatch is the exploit trigger.
  • Scan SYSTEM registry hive for embedded shellcode or NOP sleds — exploitation stores kernel shellcode directly in registry values under the GraphicsDrivers paths.
  • Alert on kernel memory writes targeting the KUSER_SHARED_DATA+0x800 region (0xfffff78000000800) — this fixed address is used as the shellcode staging location in stage 1 of exploitation via dxgmms1.sys.
  • FIN6 (G0037) has been observed exploiting CVE-2010-4398 for local privilege escalation to kernel-level privileges — correlate with FIN6 TTPs such as PoS targeting, Cobalt Strike, and lateral movement via RDP.
  • The patch for CVE-2010-4398 is incomplete — Microsoft only applied the RTL_QUERY_REGISTRY_TYPECHECK flag to registry/code paths reachable without admin rights. Paths accessible with admin privileges remain vulnerable on fully patched Windows 7/Server 2008 R2, enabling kernel shellcode persistence at boot.
  • Microsoft declined to patch the admin-accessible vulnerable paths when notified of in-the-wild exploitation in 2018, citing the requirement for administrator privileges as a precondition.

CVSS provenance

Source       Version   Score   Severity   Vector
nvd          v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd          v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck              7.8     HIGH
cisa                   7.8     HIGH