
C/C++ checklist challenges, solved #2206

Open
carlospolop wants to merge 1 commit into master from update_C_C___checklist_challenges__solved_20260505_192027

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://blog.trailofbits.com/2026/05/05/c/c-checklist-challenges-solved/
  • Blog Title: C/C++ checklist challenges, solved
  • Suggested Section: Windows Local Privilege Escalation / driver bugs (RtlQueryRegistryValues direct-mode type confusion), and Pentesting Web or Command Injection notes for parser-prefix validation issues such as inet_aton trailing garbage and inet_ntoa static-buffer pitfalls

🎯 Content Summary

Trail of Bits solves two C/C++ security-review challenges and shows how subtle API behavior turns apparently defensive code into exploitable bugs.

Useful tool mentioned: the post introduces Trail of Bits' c-review Claude skill, which converts their C/C++ security checklist into bug-finding prompts and is aware of platform and threat model. Installation commands:

claude skills add-marketplace https://github.com/trailofbits/skills
claude skills en...

🔧 Technical Details

An apparent input-validation chain can be bypassed when a parser validates only a prefix of attacker input but the original string later reaches a dangerous sink. In the Linux example, inet_aton accepts a valid IPv4 literal followed by trailing garbage, so an attacker can submit an input that begins with a dotted-quad but continues with shell metacharacters. If the application then builds a shell command with the original string, such as system("ping '%s'"), the suffix survives validation and becomes a command-injection payload. This pattern generalizes to any codebase where a format parser is incorrectly assumed to reject suffix data.

Any security decision that stores pointers returned by APIs backed by static/global buffers is fragile. The Linux challenge shows that inet_ntoa returns a pointer to shared storage, so a second call overwrites the first result. If code saves both pointers and later compares them, both may reference the fina...

🤖 Agent Actions

I’m mapping the repo and the likely target pages first, then I’ll read the surrounding HackTricks content to avoid duplicating existing coverage and choose one file that can hold the new technique cleanly.
I have the section map. Next I’m narrowing to existing pages that already discuss parser-based command injection, Windows driver LPE, registry abuse, or arbitrary kernel writes so the update lands in the right place.
I’ve read the obvious command-injection and Windows registry pages. The gap is now clearer: the Linux half overlaps existing command-injection material, while the Windows half looks much more novel, so I’m checking whether HackTricks already has a better binary-exploitation page for driver-side type-confusion-to-write primitives before I edit anything.
The repo fit is set: the best single-file target is the Windows LPE README’s Drivers section. I’m doing one more pass against vendor docs so the added exploitation notes on trusted hives and direct-mode behavior are technically precise before I patch the page.
I’ve narrowed the addition to one Windows LPE subsection in the Drivers area. The edit will capture the missing technique only: attacker-controlled RtlQueryRegistryValues direct-mode reads without RTL_QUERY_REGISTRY_TYPECHECK, the trusted-hive bypass angle, and the REG_QWORD / REG_SZ / REG_BINARY exploitation patterns.
The patch is in. I’m re-reading the edited section and the final references block now to catch formatting drift, redundancy, or a misplaced insertion before I close it out.
The new subsection reads cleanly. I’m doing a final repo sanity pass with git diff --check and status so I can confirm there are no whitespace or accidental side effects before marking the task complete.
Updated README.md in the Windows local privilege escalation Drivers section. I added a new subsection covering attacker-controlled RtlQueryRegistryValues absolute paths, missing RTL_QUERY_REGISTRY_TYPECHECK, the Windows 8+ untrusted-hive 0x139 behavior, trusted-hive staging with NtObjectManager, and the REG_QWORD / REG_SZ / REG_BINARY exploitation patterns.

I kept the change to a single file and did not add the Linux inet_aton / inet_ntoa material because that side overlaps existing command-injection and URL/parser bypass coverage more heavily, while the Windows driver technique was not already documented. I also updated the file’s ## References with the Trail of Bits post, Microsoft’s RtlQueryRegistryValues docs, and NtObjectManager. Verification: git diff --check passed, and only this file is modified.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
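The two Linux pitfalls described in the Technical Details above (a prefix-only inet_aton check that lets a suffix reach the command sink, and aliased inet_ntoa results that make a comparison meaningless), shown next to their fixed forms. This is an added example, not code from the Trail of Bits post or from HackTricks; the function names and the sample inputs are constructed for illustration, and the acceptance of the suffixed string by inet_aton is glibc behaviour.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

int inet_aton(const char *cp, struct in_addr *inp);  /* redeclared for strict -std modes */

/* Prefix-only check from the post: inet_aton succeeds once the leading chars
 * form an IPv4 literal; glibc ignores data after trailing whitespace, so
 * "10.0.0.1 extra" is accepted there (musl is stricter and rejects it). */
int accepted_by_inet_aton(const char *s) {
    struct in_addr a;
    return inet_aton(s, &a) != 0;
}

/* Hardened check: inet_pton returns 1 only if the whole string is the
 * address, so any suffix (metacharacters included) is rejected. */
int ipv4_arg_is_safe(const char *s) {
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Static-buffer pitfall: both inet_ntoa results alias one buffer, so the second
 * call clobbers the first and the compare always says 1 (-1 = parse failure). */
int same_addr_via_inet_ntoa(const char *x, const char *y) {
    struct in_addr a, b;
    if (inet_pton(AF_INET, x, &a) != 1 || inet_pton(AF_INET, y, &b) != 1)
        return -1;
    const char *sa = inet_ntoa(a);
    const char *sb = inet_ntoa(b);   /* overwrites what sa points at */
    return strcmp(sa, sb) == 0;
}

/* Fixed form: inet_ntop writes into caller-owned buffers, so both strings survive. */
int same_addr_via_inet_ntop(const char *x, const char *y) {
    struct in_addr a, b;
    char sa[INET_ADDRSTRLEN], sb[INET_ADDRSTRLEN];
    if (inet_pton(AF_INET, x, &a) != 1 || inet_pton(AF_INET, y, &b) != 1)
        return -1;
    inet_ntop(AF_INET, &a, sa, sizeof sa);
    inet_ntop(AF_INET, &b, sb, sizeof sb);
    return strcmp(sa, sb) == 0;
}

int main(void) {   /* constructed inputs; the suffix stands in for shell metacharacters */
    printf("aton=%d pton=%d\n", accepted_by_inet_aton("10.0.0.1 extra"), ipv4_arg_is_safe("10.0.0.1 extra"));
    printf("ntoa=%d ntop=%d\n", same_addr_via_inet_ntoa("10.0.0.1", "192.0.2.7"), same_addr_via_inet_ntop("10.0.0.1", "192.0.2.7"));
    return 0;
}
```

The durable fix for the first pitfall is to never hand the original string to the sink at all: parse it, then rebuild the argument from the parsed value (for example via inet_ntop) so nothing the parser skipped can reach the shell.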

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://blog.trailofbits.com/2026/05/05/c/c-checklist-challenges-solved/

Content Categories: Based on the analysis, this content was categorized under "Windows Local Privilege Escalation / driver bugs (RtlQueryRegistryValues direct-mode type confusion), and Pentesting Web or Command Injection notes for parser-prefix validation issues such as inet_aton trailing garbage and inet_ntoa static-buffer pitfalls".

Repository Maintenance:

  • MD Files Formatting: 973 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
