| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 23 Nov 2014 16:41:56 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 21):
errors/inconsistencies in Windows registry data may lead to
buffer overflows or use of random data
Hi @ll,
according to <https://msdn.microsoft.com/en-us/library/ms724884.aspx>
the value data for REG_SZ and REG_EXPAND_SZ must be
| A null-terminated string...
and the value data for REG_MULTI_SZ must be
| A sequence of null-terminated strings, terminated by an empty string (\0).
The registry hives delivered with ALL versions of Windows but contain
entries with improper/invalid value data which does not satisfy the
data type definitions given above.
ERRORS:
* all (about 1550) REG_SZ entries with value name "CatalogThumbprint" in
the COMPONENTS hive of Windows Vista, 2008, 7, 8, 8.1 and 2012 are NOT
NUL-terminated (the size of the value data is 64 resp. 128 bytes, but
should be 66 resp. 130 bytes).
JFTR: a developer with a sane mind would but use REG_BINARY for hashes!
* all REG_SZ entries with value name "ConfigFilePath" (in subkeys of the
key "Microsoft\Fusion\PublisherPolicy\Default") of the SOFTWARE hive
of Windows 8, 8.1 and 2012 are NOT NUL-terminated.
* the REG_SZ entries in the unnamed default values of the following keys
of the SOFTWARE hive of Windows 8, 8.1 and 2012 are NOT NUL-terminated:
"Microsoft\MMC\SnapIns\{7478EF61-8C46-11d1-8D99-00A0C913CAD4}\NodeTypes\{7478EF63-8C46-11d1-8D99-00A0C913CAD4}"
"Microsoft\MMC\SnapIns\{7478EF61-8C46-11d1-8D99-00A0C913CAD4}\NodeTypes\{7478EF66-8C46-11d1-8D99-00A0C913CAD4}"
"Microsoft\MMC\SnapIns\{7478EF61-8C46-11d1-8D99-00A0C913CAD4}\NodeTypes\{7478EF67-8C46-11d1-8D99-00A0C913CAD4}"
"Microsoft\MMC\SnapIns\{7478EF61-8C46-11d1-8D99-00A0C913CAD4}\NodeTypes\{7478EF68-8C46-11d1-8D99-00A0C913CAD4}"
* the REG_MULTI_SZ entry "Languages" in key
"Control Panel\International\User Profile System Backup" of the DEFAULT
and all NTUSER.DAT hives (except for the SYSTEM profile) of Windows 8,
8.1 and 2012 contains 2 strings of 4 characters (which need 22 byte),
but has a size of only 12 bytes.
* the REG_DWORD entries in the unnamed default values of the following
keys of the SECURITY hive have a length of 0 bytes:
"Policy\Secrets\0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantAccount"
"Policy\Secrets\0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantSID"
"Policy\Secrets\20ed87e2-3b82-4114-81f9-5e219ed4c481-SALEMHELPACCOUNT"
"Policy\Secrets\DefaultPassword"
"Policy\Secrets\DPAPI_SYSTEM"
"Policy\Secrets\G${ED8F4747-E13D-47bc-856B-5CEFE1A81A7F}"
"Policy\Secrets\L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75"
"Policy\Secrets\L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588"
"Policy\Secrets\L${6B3E6424-AF3E-4bff-ACB6-DA535F0DDC0A}"
"Policy\Secrets\NL$KM"
"Policy\Secrets\_SC_Alerter"
"Policy\Secrets\_SC_ALG"
"Policy\Secrets\_SC_Dnscache"
"Policy\Secrets\_SC_LmHosts"
"Policy\Secrets\_SC_MSDTC"
"Policy\Secrets\_SC_RpcLocator"
"Policy\Secrets\_SC_RPCSS"
"Policy\Secrets\_SC_SSDPSRV"
"Policy\Secrets\_SC_upnphost"
"Policy\Secrets\_SC_WebClient"
* the REG_QWORD entries in the "ExecTime" values of the following keys
of the SOFTWARE hive have a length of 16 bytes:
"Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\0\0"
"Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\0\0"
"Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1275210071-630328440-1644491937-1003\Scripts\Logoff\0\0"
"Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1275210071-630328440-1644491937-1003\Scripts\Logon\0\0"
"Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1275210071-630328440-1644491937-500\Scripts\Logoff\0\0"
"Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1275210071-630328440-1644491937-500\Scripts\Logon\0\0"
"Policies\Microsoft\Windows\System\Scripts\Shutdown\0\0"
"Policies\Microsoft\Windows\System\Scripts\Startup\0\0"
* (some more...)
The erroneous, not NUL-terminated REG_[*_]SZ values can lead to buffer
overflows.
The zero sized REG-DWORD values can lead to use of random data.
The erroneous, 16 byte long REG_QWORD values can lead to buffer
overflows.
JFTR: why does Microsofts SDL and their QA miss such silly, automatically
detectable errors?
ISSUES:
* the REG_SZ entries in the subkeys of the key
"Software\Classes\Local Settings\MuiCache" in the DEFAULT and every
users NTUSER.DAT hive have a size which is 1 character (2 bytes)
greater than the actual string length.
* the REG_SZ entries in the unnamed default values of the following
keys of the SOFTWARE hive have a size twice their actual string length:
"Classes\SystemFileAssociations\.doc\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
"Classes\SystemFileAssociations\.dot\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
"Classes\SystemFileAssociations\.fpx\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
"Classes\SystemFileAssociations\.mic\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
"Classes\SystemFileAssociations\.mix\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
"Classes\SystemFileAssociations\.mpp\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
"Classes\SystemFileAssociations\.obd\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
"Classes\SystemFileAssociations\.obt\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
"Classes\SystemFileAssociations\.pot\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
"Classes\SystemFileAssociations\.ppt\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
"Classes\SystemFileAssociations\.xls\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
"Classes\SystemFileAssociations\.xlt\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
* the REG_SZ entries with value names "SetId", "Recent" and "Internal"
in the subkeys of the key "ControlSet001\Control\GraphicsDrivers"
of the SYSTEM hive have a size which is 1 character (2 bytes)
greater than the actual string length.
* the REG_SZ entries with value names "Previous Names", "ColorProfiles"
and "App Registration" in the subkeys of the key
"ControlSet001\Control\Print\Environments\Windows NT x86\Drivers" of
the SYSTEM hive have a size which is 1 character (2 bytes) greater
than the actual string length.
* the REG_SZ entry "SpecialPollTimeRemaining" in key
"ControlSet001\Services\W32Time\TimeProviders\NtpClient" of the
SYSTEM hive has a size which is larger than the actual string length.
* (many more...)
A complete log of errors and inconsistencies found in the registry
hives (of the evaluation version) of Windows 8.1 (codename "BLUE",
hence the filename) is available from
<http://home.arcor.de/skanthak/download/BLUE.LOG>
This log was generated by a Win32 program that uses OFFREG.DLL (cf.
<https://msdn.microsoft.com/en-us/library/ee210757.aspx>, included
in Windows 8.1) to dump offline registry hives and to detect errors
and inconsistencies in key names, value names and value data.
regards
Stefan Kanthak
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists