Date: Wed Aug 24 16:27:19 2005
From: gilles.demarty at gmail.com (Gilles DEMARTY)
Subject: Microsoft Registry Editor 5.1/XP/2K long string key vulnerability

Bug confirmed on Windows XP SP2.

The command line reg shows the key,
------8<----------8<----------8<----------8<----------8<----
C:\>reg query HKLM\Software\Empty

HKEY_LOCAL_MACHINE\Software\Empty
    abc REG_SZ
    helloworldhelloworldhelloworldhell (trim...) orldhelloworldhelloworl REG_SZ
    abcdfzf     REG_SZ

------>8---------->8---------->8---------->8---------->8----
The first one is visible in the GUI;
the last two are invisible in the GUI.

Possible exploitation: a worm/virus can create this kind of key to hide its execution in
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Gulp.

Regards

2005/8/24, Jérôme ATHIAS <jerome.athias@...e.fr>:
> Hi,
> 
> it works on Windows 2000 SP4 FR and XP SP2 FR
> 
> when exporting the key, the resulting .reg file is "empty"
> 
> Regards
> 
> /JA
> 
> ***************************************
> http://www.athias.fr - Security alerts in French
> 
> 
> Igor Franchuk wrote:
> 
> > Hello All,
> >
> >
> > PRELUDE
> >
> > /* Registry Element Size Limits The following are the size limits
> > for the various registry elements. The maximum size of a key name
> > is 255 characters. The maximum size of a value name is as follows:
> > Windows Server 2003 and Windows XP: 16,383 characters Windows
> > 2000: 260 ANSI characters or 16,383 Unicode characters. Windows
> > Me/98/95: 255 characters Long values (more than 2,048 bytes) should
> > be stored as files with the file names stored in the registry. This
> > helps the registry perform efficiently. The maximum size of a value
> > is as follows: Available memory. Windows Me/98/95: 16,300 bytes.
> > There is a 64K limit for the total size of all values of a key. */
> >
> >
> > DESCRIPTION
> >
> > Microsoft Registry Editor for 2K and XP (Regedt32.exe) has a nice
> > design flaw that naturally allows hiding registry information
> > from viewing and editing, even from users with administrative
> > access. (really handy, thanks guys)
> >
> >
> > POC
> >
> > To reproduce the desired behavior:
> >
> > - run Regedt32.exe
> > - create a key, let it just be
> >   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Empty
> > - in this key create any string value with the name
> >   exceeding 256 symbols (260 is the max) or just copy-paste:
> >
> > helloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworl
> >
> >
> > Press F5 (refresh) and you will see how the key magically
> > disappears.
> >
> > Now create ANY key within
> > HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
> > Settings\Empty and press refresh again - it will NOT BE SEEN by
> > regedt32.
> >
> >
> >
> > PRACTICE
> >
> > There is a tremendous implementation field for this behavior.
> >
> >
> > TESTED
> >
> > On XP SP2 Eng, SP1 and 2K RUS. The testing is by no means
> > complete but I hope it is working on all 2K and XP systems. Sorry
> > if it is not.
> >
> > SUGGESTED FIX
> >
> > Make it possible to manage visibility by specifying
> > (_?_) (_$_) and (_._) in the key names.
> >
> >
> >
> >
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
> 
>
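A defender-side check for the hiding trick discussed in this thread, added here as an example and not code from any of the posters: it parses `reg query /s` output in the layout Gilles shows above, flags value names longer than the length the thread reports the GUI stops displaying, and also flags subkeys of such keys, since Igor notes those vanish from the GUI too. The 256-character threshold, the sample dump (constructed, modelled on the listing above) and the choice of the Run key in the main block are assumptions of this example.

```python
import re, subprocess, sys

# Assumption from the thread: the GUI stops displaying a value whose name
# exceeds 256 characters (the documented maximum on XP is 16,383).
REGEDIT_HIDE_THRESHOLD = 256
KEY_LINE = re.compile(r"^(HKEY_[A-Z_]+(?:\\.*)?)$")
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)(?:\s+(?P<data>.*))?$")

# Constructed sample in `reg query /s` layout, modelled on the thread's listing (not real data).
SAMPLE = (
    "\nHKEY_LOCAL_MACHINE\\Software\\Empty\n"
    "    abc    REG_SZ    visible\n"
    "    " + "helloworld" * 26 + "    REG_SZ    C:\\example\\sample.exe\n"
    "    abcdfzf    REG_SZ\n"
    "\nHKEY_LOCAL_MACHINE\\Software\\Empty\\Child\n    x    REG_SZ    1\n"
    "\nHKEY_LOCAL_MACHINE\\Software\\Other\n    y    REG_SZ    2\n"
)

def parse_reg_query(text):
    """Turn `reg query` output into [(key, [(name, type, data), ...]), ...]."""
    blocks = []
    for line in text.splitlines():
        if KEY_LINE.match(line):
            blocks.append((line.rstrip(), []))
            continue
        m = VALUE_LINE.match(line)  # blank lines match neither pattern and are skipped
        if blocks and m:
            blocks[-1][1].append((m["name"], m["type"], m["data"] or ""))
    return blocks

def find_hidden(text, threshold=REGEDIT_HIDE_THRESHOLD):
    """Report value names the GUI would not show, and subkeys of any key holding one,
    which the thread reports vanish from the GUI as well."""
    findings, tainted = [], set()
    for key, values in parse_reg_query(text):
        parent = next((t for t in tainted if key.startswith(t + "\\")), None)
        if parent is not None:
            findings.append({"kind": "hidden-subkey", "key": key, "under": parent})
        for name, vtype, data in values:
            if len(name) > threshold:
                tainted.add(key)
                findings.append({"kind": "hidden-value", "key": key, "name_len": len(name),
                                 "type": vtype, "data": data})
    return findings

if __name__ == "__main__":
    # On Windows, audit the Run key Gilles mentions with the built-in reg.exe; elsewhere use SAMPLE.
    text = SAMPLE if sys.platform != "win32" else subprocess.check_output(
        ["reg", "query", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "/s"], text=True)
    for finding in find_hidden(text):
        print(finding)
```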
