CyberSecurity updates
Updated: 2024-10-17 20:24:09 Pacific

Exploiting Vulnerable Drivers in Windows 7 for Kernel Shellcode Persistence - 7h


Read more: raw.githubusercontent.com

A design flaw in older Windows operating systems, specifically Windows NT 4.0 through Windows 7, allows kernel shellcode to persist and be launched during system boot by writing specially crafted data to the system registry. The flaw stems from an incomplete fix for an earlier vulnerability in the RtlQueryRegistryValues function. That function queries multiple registry values in a single call, but the way it handles values of an unexpected type can lead to a buffer overflow, which can be exploited to execute malicious code. The vulnerability was exploited in a targeted attack in 2018, and researchers at Kaspersky GReAT found that Microsoft's fix was only partial, so an attacker who already holds administrator privileges can still stealthily store and execute kernel shellcode. The vulnerability was presented as a challenge at the SAS CTF, an international cybersecurity competition organized by Kaspersky GReAT.