CVE-2023-23420
NT Kernel (Registry) -- use-after-free in transacted key rename
Summary
| Field | Value |
|---|---|
| Driver | ntoskrnl.exe |
| Vulnerability Class | Use-After-Free |
| Exploited ITW | No |
| CVSS | 7.8 |
Root Cause
Another finding from j00ru's Project Zero registry audit. The bug is in the kernel's handling of transacted registry key renames. When a key rename operation is performed inside a transaction, the kernel frees and reallocates key node cells in the hive. A specific sequence of transacted renames can leave a dangling pointer to a freed key node cell, which is subsequently accessed when the transaction commits or rolls back.
The vulnerability is reachable through standard registry APIs (RegRenameKey inside a transaction) without elevated privileges.
Exploitation
The freed key node cell can be reclaimed with attacker-controlled data by allocating registry values of matching size. Once the freed cell is reclaimed, operations on the stale key node reference read attacker-controlled fields, providing a kernel read/write primitive.
j00ru presented a working exploit at OffensiveCon 2024 and BlueHat 2023, demonstrating EoP to SYSTEM through the UAF.
Patch Analysis
Microsoft removed transacted key rename support entirely rather than attempting a targeted fix. The rename operation inside a registry transaction now returns an error, eliminating the vulnerable code path.
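A patch-presence check a defender can run to confirm the behaviour described above, added here as an example (not the advisory's or Microsoft's code): it opens a KTM transaction, creates a throwaway key under HKCU as part of that transaction, attempts to rename that key, and reports whether the rename was rejected. The test key path, the P/Invoke declarations and the pass/fail reading of the return code are assumptions; the transaction is always rolled back, so the check leaves nothing in the hive.

```powershell
# Added patch-presence check (not from the advisory). Assumes the test key path
# below; everything happens inside one KTM transaction that is rolled back, so
# nothing is left behind in the hive regardless of the result.
Add-Type -Namespace Check -Name Native -MemberDefinition @'
[DllImport("ktmw32.dll", SetLastError = true)]
public static extern IntPtr CreateTransaction(IntPtr sa, IntPtr uow, uint options,
    uint isolationLevel, uint isolationFlags, uint timeout, string description);
[DllImport("ktmw32.dll", SetLastError = true)]
public static extern bool RollbackTransaction(IntPtr hTransaction);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegCreateKeyTransactedW(IntPtr hKey, string subKey, uint reserved,
    string cls, uint options, uint samDesired, IntPtr sa, out IntPtr phkResult,
    out uint disposition, IntPtr hTransaction, IntPtr extendedParameter);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegRenameKey(IntPtr hKey, string subKeyName, string newKeyName);
[DllImport("advapi32.dll")]
public static extern int RegCloseKey(IntPtr hKey);
'@

$HKCU           = [IntPtr](-2147483647)   # HKEY_CURRENT_USER (0x80000001, sign-extended)
$KEY_ALL_ACCESS = 0xF003F
$testPath       = 'Software\TransactedRenameCheck'   # assumed throwaway key path

$tx = [Check.Native]::CreateTransaction([IntPtr]::Zero, [IntPtr]::Zero, 0, 0, 0, 0, 'rename-check')
if ($tx -eq [IntPtr](-1)) { throw "CreateTransaction failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }

# Create the key as part of the transaction so its handle is transaction-associated.
$hKey = [IntPtr]::Zero; $disp = 0
$rc = [Check.Native]::RegCreateKeyTransactedW($HKCU, $testPath, 0, $null, 0, $KEY_ALL_ACCESS,
        [IntPtr]::Zero, [ref]$hKey, [ref]$disp, $tx, [IntPtr]::Zero)
if ($rc -ne 0) { [void][Check.Native]::RollbackTransaction($tx); throw "RegCreateKeyTransactedW failed: $rc" }

# Rename the key itself (NULL subkey name) through the transacted handle.
$renameRc = [Check.Native]::RegRenameKey($hKey, $null, 'TransactedRenameCheckRenamed')

[void][Check.Native]::RegCloseKey($hKey)
[void][Check.Native]::RollbackTransaction($tx)   # discard the key whether or not the rename went through
[void][Check.Native]::CloseHandle($tx)

if ($renameRc -eq 0) {
    Write-Output 'Transacted rename SUCCEEDED: the rename-in-transaction path is still reachable (pre-fix behaviour).'
} else {
    Write-Output "Transacted rename rejected with Win32 error $renameRc (post-fix behaviour)."
}
```

A nonzero return only shows the call was refused; compare the printed error code against the host's patch level rather than reading any particular code into it.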