lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5E85FA599946416FBF7BFA452EA6285E@W340>
Date: Sun, 23 Nov 2014 16:41:56 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 21):
	errors/inconsistencies in Windows registry data may lead to
	buffer overflows or use of random data

Hi @ll,

according to <https://msdn.microsoft.com/en-us/library/ms724884.aspx>
the value data for REG_SZ and REG_EXPAND_SZ must be

| A null-terminated string...

and the value data for REG_MULTI_SZ must be

| A sequence of null-terminated strings, terminated by an empty string (\0).


The registry hives delivered with ALL versions of Windows but contain
entries with improper/invalid value data which does not satisfy the
data type definitions given above.


ERRORS:

* all (about 1550) REG_SZ entries with value name "CatalogThumbprint" in
  the COMPONENTS hive of Windows Vista, 2008, 7, 8, 8.1 and 2012 are NOT
  NUL-terminated (the size of the value data is 64 resp. 128 bytes, but
  should be 66 resp. 130 bytes).

JFTR: a developer with a sane mind would but use REG_BINARY for hashes!
    
* all REG_SZ entries with value name "ConfigFilePath" (in subkeys of the
  key "Microsoft\Fusion\PublisherPolicy\Default") of the SOFTWARE hive
  of Windows 8, 8.1 and 2012 are NOT NUL-terminated.

* the REG_SZ entries in the unnamed default values of the following keys
  of the SOFTWARE hive of Windows 8, 8.1 and 2012 are NOT NUL-terminated:

  "Microsoft\MMC\SnapIns\{7478EF61-8C46-11d1-8D99-00A0C913CAD4}\NodeTypes\{7478EF63-8C46-11d1-8D99-00A0C913CAD4}"
  "Microsoft\MMC\SnapIns\{7478EF61-8C46-11d1-8D99-00A0C913CAD4}\NodeTypes\{7478EF66-8C46-11d1-8D99-00A0C913CAD4}"
  "Microsoft\MMC\SnapIns\{7478EF61-8C46-11d1-8D99-00A0C913CAD4}\NodeTypes\{7478EF67-8C46-11d1-8D99-00A0C913CAD4}"
  "Microsoft\MMC\SnapIns\{7478EF61-8C46-11d1-8D99-00A0C913CAD4}\NodeTypes\{7478EF68-8C46-11d1-8D99-00A0C913CAD4}"

* the REG_MULTI_SZ entry "Languages" in key
  "Control Panel\International\User Profile System Backup" of the DEFAULT
  and all NTUSER.DAT hives (except for the SYSTEM profile) of Windows 8,
  8.1 and 2012 contains 2 strings of 4 characters (which need 22 byte),
  but has a size of only 12 bytes.

* the REG_DWORD entries in the unnamed default values of the following
  keys of the SECURITY hive have a length of 0 bytes:

  "Policy\Secrets\0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantAccount"
  "Policy\Secrets\0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantSID"
  "Policy\Secrets\20ed87e2-3b82-4114-81f9-5e219ed4c481-SALEMHELPACCOUNT"

  "Policy\Secrets\DefaultPassword"
  "Policy\Secrets\DPAPI_SYSTEM"
  "Policy\Secrets\G${ED8F4747-E13D-47bc-856B-5CEFE1A81A7F}"
  "Policy\Secrets\L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75"
  "Policy\Secrets\L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588"
  "Policy\Secrets\L${6B3E6424-AF3E-4bff-ACB6-DA535F0DDC0A}"
  "Policy\Secrets\NL$KM"
  "Policy\Secrets\_SC_Alerter"
  "Policy\Secrets\_SC_ALG"
  "Policy\Secrets\_SC_Dnscache"
  "Policy\Secrets\_SC_LmHosts"
  "Policy\Secrets\_SC_MSDTC"
  "Policy\Secrets\_SC_RpcLocator"
  "Policy\Secrets\_SC_RPCSS"
  "Policy\Secrets\_SC_SSDPSRV"
  "Policy\Secrets\_SC_upnphost"
  "Policy\Secrets\_SC_WebClient"

* the REG_QWORD entries in the "ExecTime" values of the following keys
  of the SOFTWARE hive have a length of 16 bytes:

  "Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\0\0"
  "Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\0\0"
  "Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1275210071-630328440-1644491937-1003\Scripts\Logoff\0\0"
  "Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1275210071-630328440-1644491937-1003\Scripts\Logon\0\0"
  "Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1275210071-630328440-1644491937-500\Scripts\Logoff\0\0"
  "Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1275210071-630328440-1644491937-500\Scripts\Logon\0\0"
  "Policies\Microsoft\Windows\System\Scripts\Shutdown\0\0"
  "Policies\Microsoft\Windows\System\Scripts\Startup\0\0"

* (some more...)

The erroneous, not NUL-terminated REG_[*_]SZ values can lead to buffer
overflows.
The zero sized REG-DWORD values can lead to use of random data.
The erroneous, 16 byte long REG_QWORD values can lead to buffer
overflows.

JFTR: why does Microsofts SDL and their QA miss such silly, automatically
      detectable errors?


ISSUES:

* the REG_SZ entries in the subkeys of the key
  "Software\Classes\Local Settings\MuiCache" in the DEFAULT and every
  users NTUSER.DAT hive have a size which is 1 character (2 bytes)
  greater than the actual string length.

* the REG_SZ entries in the unnamed default values of the following
  keys of the SOFTWARE hive have a size twice their actual string length:

  "Classes\SystemFileAssociations\.doc\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
  "Classes\SystemFileAssociations\.dot\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
  "Classes\SystemFileAssociations\.fpx\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
  "Classes\SystemFileAssociations\.mic\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
  "Classes\SystemFileAssociations\.mix\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
  "Classes\SystemFileAssociations\.mpp\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
  "Classes\SystemFileAssociations\.obd\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
  "Classes\SystemFileAssociations\.obt\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
  "Classes\SystemFileAssociations\.pot\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
  "Classes\SystemFileAssociations\.ppt\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
  "Classes\SystemFileAssociations\.xls\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
  "Classes\SystemFileAssociations\.xlt\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"

* the REG_SZ entries with value names "SetId", "Recent" and "Internal"
  in the subkeys of the key "ControlSet001\Control\GraphicsDrivers"
  of the SYSTEM hive have a size which is 1 character (2 bytes)
  greater than the actual string length.

* the REG_SZ entries with value names "Previous Names", "ColorProfiles"
  and "App Registration" in the subkeys of the key
  "ControlSet001\Control\Print\Environments\Windows NT x86\Drivers" of 
  the SYSTEM hive have a size which is 1 character (2 bytes) greater
  than the actual string length.

* the REG_SZ entry "SpecialPollTimeRemaining" in key
  "ControlSet001\Services\W32Time\TimeProviders\NtpClient" of the
  SYSTEM hive has a size which is larger than the actual string length.

* (many more...)


A complete log of errors and inconsistencies found in the registry
hives (of the evaluation version) of Windows 8.1 (codename "BLUE",
hence the filename) is available from
<http://home.arcor.de/skanthak/download/BLUE.LOG>

This log was generated by a Win32 program that uses OFFREG.DLL (cf.
<https://msdn.microsoft.com/en-us/library/ee210757.aspx>, included
in Windows 8.1) to dump offline registry hives and to detect errors
and inconsistencies in key names, value names and value data.


regards
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ