CVE-2010-4398
Published: 2010-12-06
Priority: P1 · 80 · high · CVSS 3.1 score 7.8
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-04-21
Exploited in the wild
EPSS: 8.66% (94.4th percentile)
Stack-based buffer overflow in the RtlQueryRegistryValues function in win32k.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows local users to gain privileges, and bypass the User Account Control (UAC) feature, via a crafted REG_BINARY value for a SystemDefaultEUDCFont registry key, aka "Driver Improper Interaction with Windows Kernel Vulnerability."
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for REG_SZ or REG_BINARY type values written to registry keys under HKLM\SYSTEM\ControlSet001\Control\GraphicsDrivers and its MemoryManager subkey where REG_DWORD values are expected — the type mismatch is the exploit trigger.
- Scan the SYSTEM registry hive for embedded shellcode or NOP sleds — exploitation stores kernel shellcode directly in registry values under the GraphicsDrivers paths.
- Alert on kernel memory writes targeting the KUSER_SHARED_DATA+0x800 region (0xfffff78000000800) — this fixed address is used as the shellcode staging location in stage 1 of exploitation via dxgmms1.sys.
- FIN6 (G0037) has been observed exploiting CVE-2010-4398 for local privilege escalation to kernel-level privileges — correlate with FIN6 TTPs such as PoS targeting, Cobalt Strike, and lateral movement via RDP.
- The patch for CVE-2010-4398 is incomplete — Microsoft only applied the RTL_QUERY_REGISTRY_TYPECHECK flag to registry/code paths reachable without admin rights. Paths accessible with admin privileges remain vulnerable on fully patched Windows 7/Server 2008 R2, enabling kernel shellcode persistence at boot.
- Microsoft declined to patch the admin-accessible vulnerable paths when notified of in-the-wild exploitation in 2018, citing the requirement for administrator privileges as a precondition.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
CISA
Microsoft Windows Kernel Stack-Based Buffer Overflow Vulnerability
cisa · 2022-03-28 · CVSS 7.8
CVE-2010-4398 [HIGH] CWE-119
Vulnerability: Microsoft Windows Kernel Stack-Based Buffer Overflow Vulnerability
Affected: Microsoft Windows
Stack-based buffer overflow in the RtlQueryRegistryValues function in win32k.sys in Microsoft Windows allows local users to gain privileges, and bypass the User Account Control (UAC) feature.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2010-4398
Remediation Due Date: 2022-04-21
GHSA
GHSA-v6fx-3qcr-2mfg: Stack-based buffer overflow in the RtlQueryRegistryValues function in win32k
ghsa_unreviewed · 2022-05-14
CVE-2010-4398 [HIGH] CWE-119
Stack-based buffer overflow in the RtlQueryRegistryValues function in win32k.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows local users to gain privileges, and bypass the User Account Control (UAC) feature, via a crafted REG_BINARY value for a SystemDefaultEUDCFont registry key, aka "Driver Improper Interaction with Windows Kernel Vulnerability."
VulnCheck
Microsoft Windows Kernel Stack-Based Buffer Overflow Vulnerability
vulncheck · 2010 · CVSS 7.8
CVE-2010-4398 [HIGH] CWE-119
Stack-based buffer overflow in the RtlQueryRegistryValues function in win32k.sys in Microsoft Windows allows local users to gain privileges, and bypass the User Account Control (UAC) feature.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf
- https://www.recordedfuture.com/russian-apt-toolkits
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://securelist.com/sas-ctf-windows-7-challenge-explained/114180/
Remediation Due: 2022-04-21
No detection rules found.
Securelist
SAS CTF and the many ways to persist a kernel shellcode on Windows 7
blogs_securelist · 2024-10-17 · CVSS 7.8
[HIGH] SAS CTF and the many ways to persist a kernel shellcode on Windows 7
Table of Contents
- Vulnerability details
- Exploitation
- The SAS CTF challenge
  - The beginning
  - Identifying the VM and the OS
  - Set up the debugger
  - Crash!
  - Analyzing the crash
  - The shellcode
  - Booting with the shellcode
  - Decrypting the second stage
  - The second stage
  - Usermode payload
- The SAS CTF final competition
Authors
- Igor Kuznetsov
- Boris Larin
On May 18, 2024, Kaspersky’s Global Research & Analysis Team (GReAT), with the help of its partners, held the qualifying stage of the SAS CTF, an international competition of cybersecurity experts held as part of the Security Analyst Summit conference. More than 800 teams from all over the world took part in the event, solving challenges based on real cases that Kaspersky GReAT encountered in its work, but a couple of challenges remained unsol
Securelist
Kernel shellcode persistence technique in APT attacks and SAS CTF challenge
blogs_securelist · 2024-10-17 · CVSS 7.8
[HIGH] Kernel shellcode persistence technique in APT attacks and SAS CTF challenge
Table of Contents
- Vulnerability details
- Exploitation
- The SAS CTF challenge
- The SAS CTF final competition
Authors
- Igor Kuznetsov
- Boris Larin
On May 18, 2024, Kaspersky’s Global Research & Analysis Team (GReAT), with the help of its partners, held the qualifying stage of the SAS CTF, an international competition of cybersecurity experts held as part of the Security Analyst Summit conference. More than 800 teams from all over the world took part in the event, solving challenges based on real cases that Kaspersky GReAT encountered in its work, but a couple of challenges remained unsolved. One of those challenges was based on a security issue that allows kernel shellcode to be hidden in the system registry and executed during system boot on a fully updated Windows 7/Windows Ser
Threat Intel
FIN6 (FIN6, Magecart Group 6, ITG08)
threat_intel
FIN6 (FIN6, Magecart Group 6, ITG08)
# Threat Actor Profile: FIN6
ATT&CK ID: G0037
Also known as: FIN6, Magecart Group 6, ITG08, Skeleton Spider, TAAL, Camouflage Tempest
## Overview
FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)
## Techniques (TTPs)
### Resource Development
- T1588.002 Tool
Usage: FIN6 has obtained and used tools such as Mimikatz, Cobalt Strike, and AdFind.(Citation: Security Intelligence More Eggs Aug 2019)(Citation: FireEye FIN6 Apr 2019)
### Initial Access
- T1566.001 Spearphishing Attachment
Usage: FIN6 has targeted victims with e-mails containing ma
References
- http://isc.sans.edu/diary.html?storyid=9988
- http://nakedsecurity.sophos.com/2010/11/25/new-windows-zero-day-flaw-bypasses-uac/
- http://secunia.com/advisories/42356
- http://support.avaya.com/css/P8/documents/100127248
- http://twitter.com/msftsecresponse/statuses/7590788200402945
- http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/
- http://www.exploit-db.com/exploits/15609/
- http://www.kb.cert.org/vuls/id/529673
- http://www.securityfocus.com/bid/45045
- http://www.securitytracker.com/id?1025046
- http://www.vupen.com/english/advisories/2011/0324
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-011
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12162
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-4398
Timeline
- 2010-12-06: Published
- 2022-03-28: Added to CISA KEV
- Exploited in the wild