Date: Wed Aug 24 16:27:19 2005
From: gilles.demarty at gmail.com (Gilles DEMARTY)
Subject: Microsoft Registry Editor 5.1/XP/2K long string key vulnerability

Bug confirmed on Windows XP SP2. The command line reg shows the key:

------8<----------8<----------8<----------8<----------8<----
C:\>reg query HKLM\Software\Empty

HKEY_LOCAL_MACHINE\Software\Empty
    abc    REG_SZ
    helloworldhelloworldhelloworldhell (trim...) orldhelloworldhelloworl    REG_SZ
    abcdfzf    REG_SZ
------>8---------->8---------->8---------->8---------->8----

The first one is visible in the GUI. The last 2 are invisible in the GUI.

Possible exploitation: a worm/virus can create this kind of key to hide its execution in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Gulp.

Regards

2005/8/24, Jérôme ATHIAS <jerome.athias@...e.fr>:
> Hi,
>
> it works on Windows 2000 SP4 FR and XP SP2 FR
>
> when exporting the key, the resulting .reg file is "empty"
>
> Regards
>
> /JA
>
> ***************************************
> http://www.athias.fr - Security alerts in French
>
>
> Igor Franchuk wrote:
>
> > Hello All,
> >
> >
> > PRELUDE
> >
> > /* Registry Element Size Limits
> > The following are the size limits for the various registry elements.
> > The maximum size of a key name is 255 characters.
> > The maximum size of a value name is as follows:
> > Windows Server 2003 and Windows XP: 16,383 characters
> > Windows 2000: 260 ANSI characters or 16,383 Unicode characters.
> > Windows Me/98/95: 255 characters
> > Long values (more than 2,048 bytes) should be stored as files with the file names stored in the registry. This helps the registry perform efficiently.
> > The maximum size of a value is as follows: Available memory. Windows Me/98/95: 16,300 bytes.
> > There is a 64K limit for the total size of all values of a key. */
> >
> >
> > DESCRIPTION
> >
> > Microsoft Registry Editor for 2K and XP (Regedt32.exe) has a nice design flaw that naturally allows hiding registry information from viewing and editing, even from users with administrative access. (really handful, thanks guys)
> >
> >
> > POC
> >
> > To reproduce the desired behavior:
> >
> > - run Regedt32.exe
> > - create a key, let it just be HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Empty
> > - in this key create any string value with the name exceeding 256 symbols (260 is the max) or just copy-paste:
> >
> > helloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworl
> >
> >
> > Press F5 (refresh) and you will see how the key magically disappears.
> >
> > Now create ANY key within HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Empty and press refresh again - it will NOT BE SEEN by regedt32.
> >
> >
> > PRACTICE
> > There is a tremendous implementation field for this behavior.
> >
> >
> > TESTED
> > On XP SP2 Eng, SP1 and 2K RUS. The testing is by no means complete but I hope it is working on all 2K and XP systems. Sorry if it is not.
> >
> > SUGGESTED FIX
> > Make it possible to manage visibility by specifying (_?_) (_$_) and (_._) in the key names.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
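The thread above gives a defender one concrete check: the regedit GUI stops showing a key once it holds a value whose name exceeds the documented 255-character limit, but the reg query output in the reply shows that the registry API still enumerates such values. The PowerShell walk below is an added example, not code from the original post or from any of the quoted authors. It uses the .NET Microsoft.Win32.RegistryKey API to list value names longer than 255 characters under the autostart keys the thread names, then recurses into subkeys. The function name Find-HiddenRegistryValue, the 255 threshold, the key list and the assumption that GetValueNames returns long names the same way reg.exe does are assumptions drawn from the thread, not verified against the affected Windows versions.

```powershell
# Added example (not from the original post): report registry values whose names are
# longer than the limit at which the thread says regedit.exe stops displaying the key.
function Find-HiddenRegistryValue {
    param(
        [Microsoft.Win32.RegistryKey] $Hive = [Microsoft.Win32.Registry]::LocalMachine,
        [string] $SubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        # Assumption from the thread: names above 255 characters are not shown by the GUI.
        [int] $MaxVisibleLength = 255
    )
    $key = $null
    try { $key = $Hive.OpenSubKey($SubKey) } catch { return }   # skip keys we cannot open
    if ($null -eq $key) { return }
    try {
        # Assumption: the .NET API enumerates every value name regardless of length,
        # as reg.exe does in the reply's output.
        foreach ($name in $key.GetValueNames()) {
            if ($name.Length -gt $MaxVisibleLength) {
                [pscustomobject]@{
                    Key        = "$($Hive.Name)\$SubKey"
                    NameLength = $name.Length
                    NamePrefix = $name.Substring(0, [Math]::Min(32, $name.Length)) + '...'
                    Data       = $key.GetValue($name)
                }
            }
        }
        # The post notes that subkeys of an affected key also vanish from the GUI,
        # so walk the whole subtree rather than only the top-level key.
        foreach ($child in $key.GetSubKeyNames()) {
            Find-HiddenRegistryValue -Hive $Hive -SubKey "$SubKey\$child" -MaxVisibleLength $MaxVisibleLength
        }
    } finally {
        $key.Close()
    }
}

# Usage: scan the autostart locations named in the thread under both HKLM and HKCU.
foreach ($hive in [Microsoft.Win32.Registry]::LocalMachine, [Microsoft.Win32.Registry]::CurrentUser) {
    Find-HiddenRegistryValue -Hive $hive -SubKey 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    Find-HiddenRegistryValue -Hive $hive -SubKey 'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
}
```

Any row the script prints is a value that reg.exe can see but the editor GUI will not, which is exactly the condition the first reply warns a worm could use; reviewing the Data column shows what would be launched at logon. Because the check relies on enumeration rather than on the GUI, it can be pointed at any subtree, for example the Internet Settings key used in the proof of concept.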