| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed Aug 24 15:14:36 2005 From: jerome.athias at free.fr (Jérôme ATHIAS) Subject: Miscrosoft Registry Editor 5.1/XP/2K long string key vulnerability Hi, it works on Windows 2000 SP4 FR and XP SP2 FR when exporting the key, the resulting .reg file is "empty" Regards /JA *************************************** http://www.athias.fr - Alertes de s?curit? en fran?ais Igor Franchuk a ?crit : > Hello All, > > > PRELUDE > > /* Registry Element Size Limits The following are the size limits > for the various registry elements. The maximum size of a key name > is 255 characters. The maximum size of a value name is as follows: > Windows Server 2003 and Windows XP: 16,383 characters Windows > 2000: 260 ANSI characters or 16,383 Unicode characters. Windows > Me/98/95: 255 characters Long values (more than 2,048 bytes) should > be stored as files with the file names stored in the registry. This > helps the registry perform efficiently. The maximum size of a value > is as follows: Available memory. Windows Me/98/95: 16,300 bytes. > There is a 64K limit for the total size of all values of a key. */ > > > DESCRIPTION > > Microsoft Registry Editor for 2K and XP (Regedt32.exe) has a nice > design flow that is naturally allows to hide registry information > from viewing and editing even from users with administrative > access. (really handful, thanks guys) > > > POC > > To reproduce the desired behavior: > > - run Regedt32.exe - create a key, let it just be > HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet > Settings\Empty - in this key create any string value with the name > exceeding 256 symbols (260 is the max) or just copy-paste: > > helloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworl > > > Press F5 (refresh) and you will see how the key magically > disappears. > > Now create ANY key within > HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet > Settings\Empty and press refresh again - it will NOT BE SEEN by > regedt32. > > > > PRACTICE There is a tremendous implementation field for this > behavior. > > > TESTED On XP SP2 Eng, SP1 and 2K RUS. The testing is by no means > complete but I hope it is working on all 2K and XP systems. Sorry > if it is not. > > SUGGESTED FIX Make it possible to mange visibility by specifying > (_?_) (_$_) and (_._) in the key names. > > > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 5213 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050824/7466bb0d/smime.bin
Powered by blists - more mailing lists