Windows: NtLoadKeyEx Read Only Hive Arbitrary File Write EoP

vendor:

Windows

by:

Unknown

7.5

CVSS

HIGH

Elevation of Privilege

Unknown

CWE

Product Name: Windows

Affected Version From: Windows 10 10586

Affected Version To: Windows 10 10586, 8.1 Update 2, Windows 7

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows

Unknown

Windows: NtLoadKeyEx Read Only Hive Arbitrary File Write EoP

NtLoadKeyEx takes a flag to open a registry hive read only, if one of the hive files cannot be opened for read access it will revert to write mode and also impersonate the calling process. This can leading to EoP if a user controlled hive is opened in a system service.

Mitigation:

Unknown

Source

Windows: NtLoadKeyEx Read Only Hive Arbitrary File Write EoP

Mitigation:

Exploit-DB raw data: