iPrint Client: nipplpt.sys GetRegistryInfo Race Condition in Initialization
Reported by forshaw@google.com (Project Member), Feb 27 2015
Platform: iPrint Client 5.99, tested on Windows 8.1 Update 32
Class: Elevation of Privilege

Summary: The nipplpt.sys driver uses registry configuration data to initialize its spool path. The registry values are read by calling ZwOpenKey without setting the OBJ_KERNEL_HANDLE flag, which could allow a user process to race the open and change the settings.

Description: When the nipplpt driver first creates a new device object (in the IRP_MJ_CREATE handler) it initializes the spool path and platform configuration from the registry. The key handles are opened without the OBJ_KERNEL_HANDLE flag, which means a user process might be able to close the existing handle and then open a dummy key over the original handle value, leading to incorrect settings being read. In mitigation, the settings are only ever read once, so the attack would have to be done before any application opens a new device. The timing window would also be very small in order to pull off the attack.

Proof of Concept: I've not provided a PoC here as it would be roughly the same as the PoC from the NULL DACL for files/directories.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
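The handle-table behaviour behind the summary above, as an added model in C (not code from the driver or the report): a handle opened without OBJ_KERNEL_HANDLE lands in the calling process's handle table, where user mode can close it and refill the slot, while a kernel handle (high bit set) lives in the system table out of user-mode reach. The key contents and spool paths are constructed sample values.

```c
#include <string.h>

/* Flag and handle encoding as on Windows: OBJ_KERNEL_HANDLE is 0x200, and kernel
 * handle values carry the high bit, routing lookups to the system-wide table. */
#define SLOTS 8
#define OBJ_KERNEL_HANDLE 0x200u
#define KERNEL_HANDLE_BIT 0x80000000u

typedef struct { const char *spool_path; } regkey;          /* a registry key object */
typedef struct { const regkey *slot[SLOTS]; } handle_table;

/* Constructed sample keys: the one the driver means to read, and one any
 * user can create with different contents. */
static const regkey driver_key = { "C:\\iPrintSpool" };
static const regkey other_key  = { "C:\\SomeOtherPath" };
static handle_table proc_table, kern_table;   /* per-process vs. system table */

/* ZwOpenKey stand-in: the attribute flag decides which table gets the entry;
 * like the real handle allocator it hands out the lowest free slot. */
static unsigned open_key(const regkey *k, unsigned attrs) {
    int kernel = (attrs & OBJ_KERNEL_HANDLE) != 0;
    handle_table *t = kernel ? &kern_table : &proc_table;
    for (unsigned i = 1; i < SLOTS; i++)
        if (!t->slot[i]) { t->slot[i] = k; return kernel ? (i | KERNEL_HANDLE_BIT) : i; }
    return 0;
}

/* NtClose from user mode: only the process table is reachable, so a kernel
 * handle value is simply invalid here (STATUS_INVALID_HANDLE). */
static int user_close(unsigned h) {
    if ((h & KERNEL_HANDLE_BIT) || h >= SLOTS || !proc_table.slot[h]) return -1;
    proc_table.slot[h] = NULL;
    return 0;
}

/* ObReferenceObjectByHandle stand-in for the driver's later value read. */
static const char *read_spool(unsigned h) {
    const handle_table *t = (h & KERNEL_HANDLE_BIT) ? &kern_table : &proc_table;
    const regkey *k = t->slot[h & ~KERNEL_HANDLE_BIT];
    return k ? k->spool_path : NULL;
}

/* Driver initialisation with a user-mode thread run between open and read.
 * Returns the spool path the driver ends up using. */
const char *init_spool_path(unsigned attrs, int interleave) {
    memset(&proc_table, 0, sizeof proc_table); memset(&kern_table, 0, sizeof kern_table);
    unsigned h = open_key(&driver_key, attrs);     /* driver: ZwOpenKey */
    if (interleave && user_close(h) == 0)          /* user thread: frees the slot ... */
        open_key(&other_key, 0);                   /* ... and refills it; user mode cannot set the flag */
    return read_spool(h);                          /* driver: reads via the saved handle value */
}
```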
Comment 1 by forshaw@google.com, Mar 2 2015

May 28 2015
Correspondence Date: 22 May 2015
> Asked Novell for an update on this vulnerability as it's about to exceed the deadline

May 28 2015
Deadline exceeded -- automatically derestricting

Jun 4 2015
Issue has been resolved, according to vendor, by removing the vulnerable driver from version 6.0.0 onward. This was not documented in the release notes at https://www.novell.com/support/kb/doc.php?id=7008708

Jul 9 2015
Removed deadline exceeded as technically the bugs were fixed prior to the deadline, although auto update is not enabled and there was no corresponding advisory warning customers to upgrade.