{"id":102745,"date":"2019-08-01T07:00:00","date_gmt":"2019-08-01T14:00:00","guid":{"rendered":"http:\/\/devblogs.microsoft.com\/oldnewthing\/?p=102745"},"modified":"2019-08-01T06:55:59","modified_gmt":"2019-08-01T13:55:59","slug":"20190801-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20190801-00\/?p=102745","title":{"rendered":"Not actually crossing the airtight hatchway: Applying per-user overrides"},"content":{"rendered":"<p>We receive a number of security vulnerability reports of the form &#8220;If I write the following value into the registry at <code>HKEY_<\/code><code>CURRENT_<\/code><code>USER\\...<\/code>, then the next time the user does X, I can do bad thing Y.&#8221;<\/p>\n<p>The most common version of this is where the registry key is <code>HKEY_<\/code><code>CURRENT_<\/code><code>USER\\<\/code><code>Software\\<\/code><code>Classes\\<\/code><code>CLSID\\<\/code><code>...<\/code>, because that permits you to override a system COM object with a custom COM object.<\/p>\n<p>The fallacy here is hiding behind the change of pronoun in the attack description: If <b style=\"border: solid 1px black; padding: 0px 2px;\">I<\/b> write the following value into the registry, then the next time <b style=\"border: solid 1px black; padding: 0px 2px;\">the user<\/b> does X, <b style=\"border: solid 1px black; padding: 0px 2px;\">I<\/b> can do bad thing Y.<\/p>\n<p>In reality, <b style=\"border: solid 1px black; padding: 0px 2px;\">I<\/b> and <b style=\"border: solid 1px black; padding: 0px 2px;\">the user<\/b> are the same person!<\/p>\n<p>In order to write to the user&#8217;s registry, you need to be that user or an administrator. Of course, if you are an administrator, then you&#8217;re already on the other side of the airtight hatchway, and this entire exercise is pointless.<\/p>\n<p>That leaves the case where the attacker is the user. In other words, the attacker is attacking himself. This is not particularly interesting. 
It is not a security vulnerability that users can make their own lives miserable. They could start by, say, deleting all their files, then move on to sending profanity-laden email messages to their boss.<\/p>\n<p>As I noted, COM class registrations are a commonly reported vector for this attack, sometimes even touted as a way to obtain elevation. But that doesn&#8217;t work because COM is careful not to use registrations from <code>HKEY_<\/code><code>CURRENT_<\/code><code>USER<\/code> when running elevated. Only <code>HKEY_<\/code><code>LOCAL_<\/code><code>MACHINE<\/code> registrations are consulted when elevated, and attacking those registry keys requires that you already be elevated, so you haven&#8217;t gained anything.<\/p>\n<p>Another place people report this type of false vulnerability is when they see that the <code>HKEY_<\/code><code>CURRENT_<\/code><code>USER<\/code> registry keys are affecting the behavior of <code>svchost.exe<\/code> processes. But you need to look more closely at <i>which<\/i> <code>svchost.exe<\/code> processes are affected. Windows supports services that run under the context of the logged-on user, rather than as a privileged account. These reports breathlessly announce that they found a way to inject code into <code>svchost.exe<\/code> via <code>HKEY_<\/code><code>CURRENT_<\/code><code>USER<\/code> attacks, but they failed to observe that the <code>svchost.exe<\/code> they attacked is running as the logged-on user. 
Again, all they did was attack their own process; there is no elevation of privilege.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The user is merely attacking himself.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[26],"class_list":["post-102745","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-other"],"acf":[],"blog_post_summary":"<p>The user is merely attacking himself.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/102745","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=102745"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/102745\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=102745"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=102745"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=102745"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}