Discovery of a Heap Overflow Vulnerability
Google Project Zero researcher James Forshaw discovered a significant vulnerability within the Windows Configuration Manager, the kernel component responsible for managing the Windows Registry. This security flaw, identified as CVE-2024-21345, was found using a custom fuzzer built upon TinyInst. The root cause of the vulnerability was a heap buffer overflow that occurred during the parsing of a registry hive file. Specifically, the bug existed within the CmpCopySyncTree function, which incorrectly calculated the buffer size required for a new key name during a hive synchronization operation. This miscalculation led to an overflow when the system attempted to copy the key name into an undersized buffer allocated in the kernel pool.
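As an added illustration (not code from the Project Zero post or from Windows), the following C model shows the bug class described above: a key-name buffer sized by one rule and then filled by another. The record layout, the one-byte-versus-UTF-16 name width and the specific miscalculation are hypothetical stand-ins, not the actual CmpCopySyncTree logic.

```c
/* Hypothetical model of a hive key-name copy whose destination buffer is
 * sized incorrectly. Not the real CmpCopySyncTree code. cc -std=c11 model.c */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed key-name record: hive names are stored either one byte per
 * character ("compressed") or as UTF-16, two bytes per character. */
typedef struct {
    uint16_t       char_count;  /* characters in the name */
    bool           compressed;  /* true: 1 byte/char, false: UTF-16 */
    const uint8_t *bytes;       /* raw name bytes, char_count * width long */
} key_name_t;

static size_t name_width(const key_name_t *k) { return k->compressed ? 1 : 2; }

/* Hypothetical miscalculation: assumes every name is one byte per character,
 * so a UTF-16 name gets a buffer half the size it needs. */
static size_t alloc_size_buggy(const key_name_t *k) { return k->char_count; }

/* Fixed: derive the size from the encoding actually used by this record.
 * char_count is 16-bit, so the multiplication cannot wrap size_t. */
static size_t alloc_size_fixed(const key_name_t *k) {
    return (size_t)k->char_count * name_width(k);
}

/* Models the sync step: allocate with size_fn, then copy the whole name.
 * The copy is bounds-checked so this model never corrupts memory; it returns
 * -1 and reports how many bytes an unchecked copy would have written past the
 * allocation, 0 on a safe copy, -2 on allocation failure. */
static int sync_key_name(const key_name_t *k,
                         size_t (*size_fn)(const key_name_t *),
                         size_t *overflow_bytes) {
    size_t needed = (size_t)k->char_count * name_width(k);
    size_t allocated = size_fn(k);
    uint8_t *dst = malloc(allocated ? allocated : 1);
    if (!dst) return -2;
    int rc = 0;
    if (needed > allocated) { *overflow_bytes = needed - allocated; rc = -1; }
    else { memcpy(dst, k->bytes, needed); *overflow_bytes = 0; }
    free(dst);
    return rc;
}

int main(void) {
    static const uint8_t utf16_key[] = {'K', 0, 'e', 0, 'y', 0}; /* "Key" */
    key_name_t wide = {3, false, utf16_key};
    size_t over = 0;
    printf("buggy: rc=%d overflow=%zu bytes\n", sync_key_name(&wide, alloc_size_buggy, &over), over);
    printf("fixed: rc=%d overflow=%zu bytes\n", sync_key_name(&wide, alloc_size_fixed, &over), over);
    return 0;
}
```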
The Path to Practical Exploitation
The exploitation of CVE-2024-21345 demonstrated a clear path from a memory corruption bug to full system privilege escalation. The initial heap overflow provided the researcher with an arbitrary write primitive. To leverage this, a technique known as kernel pool grooming was employed using Windows Notification Facility (WNF) State Name objects to control the memory layout adjacent to the vulnerable buffer. By overflowing into a neighboring WNF object, specifically the _WNF_NAME_INSTANCE structure, it was possible to corrupt its security descriptor pointer. This allowed the attacker to replace the object’s original security descriptor with a custom one, granting them WRITE_DAC permissions. With these elevated permissions, the attacker could modify the WNF object’s data, which could then be read by a high-privilege process, such as svchost.exe running as NT AUTHORITY\SYSTEM. This chain of actions successfully resulted in privilege escalation from a sandboxed process to the SYSTEM level. Microsoft subsequently patched this vulnerability.
Source: https://googleprojectzero.blogspot.com/2025/05/the-windows-registry-adventure-8-exploitation.html