Message-ID: <5E85FA599946416FBF7BFA452EA6285E@W340>
Date: Sun, 23 Nov 2014 16:41:56 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 21): errors/inconsistencies in Windows registry data may lead to buffer overflows or use of random data

Hi @ll,

according to <https://msdn.microsoft.com/en-us/library/ms724884.aspx> the value data for REG_SZ and REG_EXPAND_SZ must be

| A null-terminated string...

and the value data for REG_MULTI_SZ must be

| A sequence of null-terminated strings, terminated by an empty string (\0).

The registry hives delivered with ALL versions of Windows, however, contain entries with improper/invalid value data which does not satisfy the data type definitions given above.

ERRORS:

* all (about 1550) REG_SZ entries with value name "CatalogThumbprint" in the COMPONENTS hive of Windows Vista, 2008, 7, 8, 8.1 and 2012 are NOT NUL-terminated (the size of the value data is 64 resp. 128 bytes, but should be 66 resp. 130 bytes).

  JFTR: a developer with a sane mind would rather use REG_BINARY for hashes!

* all REG_SZ entries with value name "ConfigFilePath" (in subkeys of the key "Microsoft\Fusion\PublisherPolicy\Default") of the SOFTWARE hive of Windows 8, 8.1 and 2012 are NOT NUL-terminated.

* the REG_SZ entries in the unnamed default values of the following keys of the SOFTWARE hive of Windows 8, 8.1 and 2012 are NOT NUL-terminated:

  "Microsoft\MMC\SnapIns\{7478EF61-8C46-11d1-8D99-00A0C913CAD4}\NodeTypes\{7478EF63-8C46-11d1-8D99-00A0C913CAD4}"
  "Microsoft\MMC\SnapIns\{7478EF61-8C46-11d1-8D99-00A0C913CAD4}\NodeTypes\{7478EF66-8C46-11d1-8D99-00A0C913CAD4}"
  "Microsoft\MMC\SnapIns\{7478EF61-8C46-11d1-8D99-00A0C913CAD4}\NodeTypes\{7478EF67-8C46-11d1-8D99-00A0C913CAD4}"
  "Microsoft\MMC\SnapIns\{7478EF61-8C46-11d1-8D99-00A0C913CAD4}\NodeTypes\{7478EF68-8C46-11d1-8D99-00A0C913CAD4}"

* the REG_MULTI_SZ entry "Languages" in key "Control Panel\International\User Profile System Backup" of the DEFAULT and all NTUSER.DAT hives (except for the SYSTEM profile) of Windows 8, 8.1 and 2012 contains 2 strings of 4 characters (which need 22 bytes), but has a size of only 12 bytes.

* the REG_DWORD entries in the unnamed default values of the following keys of the SECURITY hive have a length of 0 bytes:

  "Policy\Secrets\0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantAccount"
  "Policy\Secrets\0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantSID"
  "Policy\Secrets\20ed87e2-3b82-4114-81f9-5e219ed4c481-SALEMHELPACCOUNT"
  "Policy\Secrets\DefaultPassword"
  "Policy\Secrets\DPAPI_SYSTEM"
  "Policy\Secrets\G${ED8F4747-E13D-47bc-856B-5CEFE1A81A7F}"
  "Policy\Secrets\L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75"
  "Policy\Secrets\L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588"
  "Policy\Secrets\L${6B3E6424-AF3E-4bff-ACB6-DA535F0DDC0A}"
  "Policy\Secrets\NL$KM"
  "Policy\Secrets\_SC_Alerter"
  "Policy\Secrets\_SC_ALG"
  "Policy\Secrets\_SC_Dnscache"
  "Policy\Secrets\_SC_LmHosts"
  "Policy\Secrets\_SC_MSDTC"
  "Policy\Secrets\_SC_RpcLocator"
  "Policy\Secrets\_SC_RPCSS"
  "Policy\Secrets\_SC_SSDPSRV"
  "Policy\Secrets\_SC_upnphost"
  "Policy\Secrets\_SC_WebClient"

* the REG_QWORD entries in the "ExecTime" values of the following keys of the SOFTWARE hive have a length of 16 bytes:

  "Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\0\0"
  "Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\0\0"
  "Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1275210071-630328440-1644491937-1003\Scripts\Logoff\0\0"
  "Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1275210071-630328440-1644491937-1003\Scripts\Logon\0\0"
  "Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1275210071-630328440-1644491937-500\Scripts\Logoff\0\0"
  "Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1275210071-630328440-1644491937-500\Scripts\Logon\0\0"
  "Policies\Microsoft\Windows\System\Scripts\Shutdown\0\0"
  "Policies\Microsoft\Windows\System\Scripts\Startup\0\0"

* (some more...)

The erroneous, not NUL-terminated REG_[*_]SZ values can lead to buffer overflows.
The zero-sized REG_DWORD values can lead to use of random data.
The erroneous, 16 byte long REG_QWORD values can lead to buffer overflows.

JFTR: why do Microsoft's SDL and their QA miss such silly, automatically detectable errors?

ISSUES:

* the REG_SZ entries in the subkeys of the key "Software\Classes\Local Settings\MuiCache" in the DEFAULT and every user's NTUSER.DAT hive have a size which is 1 character (2 bytes) greater than the actual string length.

* the REG_SZ entries in the unnamed default values of the following keys of the SOFTWARE hive have a size twice their actual string length:

  "Classes\SystemFileAssociations\.doc\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
  "Classes\SystemFileAssociations\.dot\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
  "Classes\SystemFileAssociations\.fpx\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
  "Classes\SystemFileAssociations\.mic\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
  "Classes\SystemFileAssociations\.mix\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
  "Classes\SystemFileAssociations\.mpp\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
  "Classes\SystemFileAssociations\.obd\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
  "Classes\SystemFileAssociations\.obt\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
  "Classes\SystemFileAssociations\.pot\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
  "Classes\SystemFileAssociations\.ppt\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
  "Classes\SystemFileAssociations\.xls\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"
  "Classes\SystemFileAssociations\.xlt\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}"

* the REG_SZ entries with value names "SetId", "Recent" and "Internal" in the subkeys of the key "ControlSet001\Control\GraphicsDrivers" of the SYSTEM hive have a size which is 1 character (2 bytes) greater than the actual string length.

* the REG_SZ entries with value names "Previous Names", "ColorProfiles" and "App Registration" in the subkeys of the key "ControlSet001\Control\Print\Environments\Windows NT x86\Drivers" of the SYSTEM hive have a size which is 1 character (2 bytes) greater than the actual string length.

* the REG_SZ entry "SpecialPollTimeRemaining" in key "ControlSet001\Services\W32Time\TimeProviders\NtpClient" of the SYSTEM hive has a size which is larger than the actual string length.

* (many more...)

A complete log of errors and inconsistencies found in the registry hives (of the evaluation version) of Windows 8.1 (codename "BLUE", hence the filename) is available from <http://home.arcor.de/skanthak/download/BLUE.LOG>

This log was generated by a Win32 program that uses OFFREG.DLL (cf. <https://msdn.microsoft.com/en-us/library/ee210757.aspx>, included in Windows 8.1) to dump offline registry hives and to detect errors and inconsistencies in key names, value names and value data.

regards
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
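The post describes a checker built on OFFREG.DLL but does not show its logic. The following added example (not the author's program, and not part of the original post) reproduces the consistency rules the post applies to raw value data: REG_SZ/REG_EXPAND_SZ must end in a UTF-16 NUL and their size should equal the string plus one terminator, REG_MULTI_SZ must end in an empty string (two NULs), REG_DWORD must be 4 bytes and REG_QWORD 8. It also shows the defensive counterpart a consumer needs: decoding a string value bounded by its data size instead of scanning for a terminator that may not be there. All sample values, including the "thumbprint" and "Languages" stand-ins, are constructed for the demo, not read from a hive; the type constants are the winnt.h values.

```python
# Added example (not the OFFREG.DLL-based program from the post): checks raw
# registry value data against the REG_* type definitions the post quotes.
# Every sample value in this file is constructed for the demo, not dumped
# from a real hive.

# Value type constants as defined in winnt.h.
REG_SZ = 1
REG_EXPAND_SZ = 2
REG_DWORD = 4
REG_MULTI_SZ = 7
REG_QWORD = 11

NUL = b"\x00\x00"  # one UTF-16LE NUL character


def _first_nul(data: bytes) -> int:
    """Byte offset of the first UTF-16LE NUL (at an even offset), or len(data)."""
    for i in range(0, len(data) - 1, 2):
        if data[i:i + 2] == NUL:
            return i
    return len(data)


def check_value(vtype: int, data: bytes) -> list:
    """Return the list of problem codes for one value; [] means consistent.

    ERROR_* codes mark data a consumer may read past or mis-size (the post's
    ERRORS); INCONSISTENT_SIZE marks sizes larger than the string (ISSUES).
    """
    n = len(data)
    problems = []
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        if n % 2:
            problems.append("ERROR_ODD_LENGTH")
        elif n == 0 or data[-2:] != NUL:
            problems.append("ERROR_NOT_TERMINATED")  # e.g. the CatalogThumbprint case
        elif _first_nul(data) + 2 != n:
            problems.append("INCONSISTENT_SIZE")     # e.g. MuiCache: one extra char
    elif vtype == REG_MULTI_SZ:
        if n % 2:
            problems.append("ERROR_ODD_LENGTH")
        elif n < 4 or data[-4:] != NUL * 2:
            problems.append("ERROR_NOT_TERMINATED")  # no empty-string terminator
    elif vtype == REG_DWORD:
        if n != 4:
            problems.append("ERROR_BAD_SIZE")        # 0 bytes: nothing to read
    elif vtype == REG_QWORD:
        if n != 8:
            problems.append("ERROR_BAD_SIZE")        # 16 bytes into an 8-byte slot
    return problems


def encode_multi_sz(strings: list) -> bytes:
    """Encode a REG_MULTI_SZ exactly as the documentation defines it."""
    return b"".join(s.encode("utf-16-le") + NUL for s in strings) + NUL


def safe_decode_sz(data: bytes) -> str:
    """Decode REG_SZ data without trusting a terminator: stop at the first NUL
    inside the buffer or at the buffer's end, never beyond it (the bounded
    counterpart to calling lstrlenW() on value data of unknown shape)."""
    return data[:_first_nul(data)].decode("utf-16-le", errors="replace")


if __name__ == "__main__":
    # Constructed stand-ins for the cases in the post.
    samples = {
        "thumbprint, 64 bytes, no NUL": (REG_SZ, ("a1" * 16).encode("utf-16-le")),
        "well-formed REG_SZ":            (REG_SZ, "abc".encode("utf-16-le") + NUL),
        "REG_SZ one char too large":     (REG_SZ, "abc".encode("utf-16-le") + NUL + NUL),
        "Languages, 22 bytes":           (REG_MULTI_SZ, encode_multi_sz(["abcd", "efgh"])),
        "Languages cut to 12 bytes":     (REG_MULTI_SZ, encode_multi_sz(["abcd", "efgh"])[:12]),
        "REG_DWORD of 0 bytes":          (REG_DWORD, b""),
        "REG_QWORD of 16 bytes":         (REG_QWORD, b"\x00" * 16),
    }
    for name, (vtype, data) in samples.items():
        print(f"{name:30} size={len(data):3}  {check_value(vtype, data) or 'ok'}")
```

Run as a script it prints one line per constructed sample; imported, `check_value` can be applied to `(type, data)` pairs read from any hive dump. The `safe_decode_sz` helper is the point for consumers: a value without its terminator is harmless to code that honours the reported data size and fatal to code that scans for the NUL.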