Message-ID: <430C9737.30500@gmail.com>
Date: Wed Aug 24 16:49:50 2005
From: jftucker at gmail.com (James Tucker)
Subject: Microsoft Registry Editor 5.1/XP/2K long string key vulnerability
Ever tried adding UNICODE chars in there? ;-)
Gilles DEMARTY wrote:
>Bug confirmed on windows XP SP2.
>
>The command line reg shows the key,
>------8<----------8<----------8<----------8<----------8<----
>C:\>reg query HKLM\Software\Empty
>
>HKEY_LOCAL_MACHINE\Software\Empty
> abc REG_SZ
> helloworldhelloworldhelloworldhell (trim...) orldhelloworldhelloworl REG_SZ
> abcdfzf REG_SZ
>
>------>8---------->8---------->8---------->8---------->8----
>The first one is visible in the GUI.
>The last 2 are invisible in the GUI.
>
>
>
>possible exploitation :
>a worm/virus can create this kind of key to hide its execution in
>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
>gloups.
>
>
>
>Regards
>
>
>
>2005/8/24, Jérôme ATHIAS <jerome.athias@...e.fr>:
>
>
>>Hi,
>>
>>it works on Windows 2000 SP4 FR and XP SP2 FR
>>
>>when exporting the key, the resulting .reg file is "empty"
>>
>>Regards
>>
>>/JA
>>
>>***************************************
>>http://www.athias.fr - Security alerts in French
>>
>>
>>Igor Franchuk wrote:
>>
>>
>>
>>>Hello All,
>>>
>>>
>>>PRELUDE
>>>
>>>/* Registry Element Size Limits The following are the size limits
>>>for the various registry elements. The maximum size of a key name
>>>is 255 characters. The maximum size of a value name is as follows:
>>>Windows Server 2003 and Windows XP: 16,383 characters Windows
>>>2000: 260 ANSI characters or 16,383 Unicode characters. Windows
>>>Me/98/95: 255 characters Long values (more than 2,048 bytes) should
>>>be stored as files with the file names stored in the registry. This
>>>helps the registry perform efficiently. The maximum size of a value
>>>is as follows: Available memory. Windows Me/98/95: 16,300 bytes.
>>>There is a 64K limit for the total size of all values of a key. */
>>>
>>>
>>>DESCRIPTION
>>>
>>>Microsoft Registry Editor for 2K and XP (Regedt32.exe) has a nice
>>>design flaw that naturally allows hiding registry information
>>>from viewing and editing, even from users with administrative
>>>access. (really handy, thanks guys)
>>>
>>>
>>>POC
>>>
>>>To reproduce the desired behavior:
>>>
>>>- run Regedt32.exe - create a key, let it just be
>>>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
>>>Settings\Empty - in this key create any string value with the name
>>>exceeding 256 symbols (260 is the max) or just copy-paste:
>>>
>>>helloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworl
>>>
>>>
>>>Press F5 (refresh) and you will see how the key magically
>>>disappears.
>>>
>>>Now create ANY key within
>>>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
>>>Settings\Empty and press refresh again - it will NOT BE SEEN by
>>>regedt32.
>>>
>>>
>>>
>>>PRACTICE There is a tremendous implementation field for this
>>>behavior.
>>>
>>>
>>>TESTED On XP SP2 Eng, SP1 and 2K RUS. The testing is by no means
>>>complete but I hope it is working on all 2K and XP systems. Sorry
>>>if it is not.
>>>
>>>SUGGESTED FIX Make it possible to manage visibility by specifying
>>>(_?_) (_$_) and (_._) in the key names.
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>>
>>
>>
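As an added example, not code from any post in this thread: a PowerShell script that first reproduces Igor's PoC (a value whose name exceeds the length regedit copes with, followed by further values that the GUI then also hides) and then does what Gilles' `reg query` output suggests as the countermeasure, enumerating the autorun keys through the registry API rather than through regedit. The key path `HKCU:\Software\Empty` (chosen so the demo runs without administrative rights; the posts use HKLM), the value names and data, and the 255-character threshold are assumptions made for this demonstration.

```powershell
# Added example, not from the original thread.
# Part 1: reproduce the hiding trick under HKCU (assumption: HKCU rather than
# HKLM so that no admin rights are needed).
$KeyPath  = 'HKCU:\Software\Empty'        # assumed test location
$LongName = 'helloworld' * 26             # 260 characters, over the 255 limit

New-Item -Path $KeyPath -Force | Out-Null
# First value: short name, still visible in regedit.
New-ItemProperty -Path $KeyPath -Name 'abc' -Value 'visible' `
    -PropertyType String -Force | Out-Null
# Second value: over-long name; regedit stops displaying the key contents.
New-ItemProperty -Path $KeyPath -Name $LongName -Value 'hidden payload' `
    -PropertyType String -Force | Out-Null
# Third value: ordinary name, but created after the long one, so hidden too.
New-ItemProperty -Path $KeyPath -Name 'abcdfzf' -Value 'also hidden' `
    -PropertyType String -Force | Out-Null

# The API (and reg.exe) still sees all three names:
Write-Host "Value names reported by the registry API for ${KeyPath}:"
(Get-Item -Path $KeyPath).GetValueNames() |
    ForEach-Object { '  length={0,3}  {1}' -f $_.Length, $_.Substring(0, [Math]::Min(30, $_.Length)) }

# Part 2: hunt for the same trick in the usual persistence locations.
function Find-LongValueNames {
    param(
        [string[]]$Paths = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            $KeyPath                       # the demo key created above
        ),
        [int]$Threshold = 255              # assumed limit; tune to taste
    )
    foreach ($p in $Paths) {
        $key = Get-Item -Path $p -ErrorAction SilentlyContinue
        if (-not $key) { continue }        # key absent or not readable
        foreach ($name in $key.GetValueNames()) {
            if ($name.Length -gt $Threshold) {
                [pscustomobject]@{
                    Key        = $p
                    NameLength = $name.Length
                    NamePrefix = $name.Substring(0, 40) + '...'
                    Data       = $key.GetValue($name)
                }
            }
        }
    }
}

Find-LongValueNames | Format-List

# Cleanup of the demo key (comment out to inspect the result in regedit).
Remove-Item -Path $KeyPath -Recurse -Force
```

Run it in a normal PowerShell session; before the cleanup line executes you can open `HKEY_CURRENT_USER\Software\Empty` in regedit, press F5 and compare what the GUI shows with the three names the script listed. The scan deliberately uses `Get-Item` and `RegistryKey.GetValueNames()` instead of parsing regedit or a `.reg` export, because, as Jérôme's note about the empty export shows, the GUI-side tooling is exactly the part that cannot be trusted here.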