Thread: New regedit.exe exploit

  1. #1
    Senior Member
    Join Date
    Jun 2002
    Posts
    405

    New regedit.exe exploit

    There is a bug in regedit.exe which allows an attacker to execute an arbitrary command with the victim's privileges when the victim opens a specified key in the registry. Workaround for now is to simply use regedt32.exe instead of regedit.exe.

    This is a NEW exploit for a NEW vulnerability
    in REGEDIT.EXE!

    This one traps a KEY in the registry, so that
    when an uninformed user just tries to BROWSE IT
    with REGEDIT.EXE (locally or REMOTELY!), it executes
    an arbitrary command defined by the attacker
    without their knowledge!

    The vulnerability appears to be in a RegEnumValueW
    function misused in regedit.exe.

    As a precaution, I advise using regedt32.exe
    for your future registry manipulation.

    This exploit has been tested on Win2K (fr) SP0, 2, 3,
    and works with a local and remote browse of a
    trapped registry.
    Exploit code can be found here.

  2. #2
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    Someone explain how this one is even thinking about being an issue. First off, users should not have the privs to run regedit. Secondly, if the attacker has already written keys to the registry then it's too late, your system is already exploited :D. If I can write keys to the registry I can do whatever I want to the system anyway, so why would I need someone to run regedit to exploit it?

  3. #3
    Someone explain how this one is even thinking about being an issue. First off, users should not have the privs to run regedit.
    What about home users? What about the guy at the office who doesn't know any better? Those would be prime examples of people who would have the privileges to run regedit.exe or any variation (regedit32).

    Secondly, if the attacker has already written keys to the registry then it's too late, your system is already exploited :D. If I can write keys to the registry I can do whatever I want to the system anyway, so why would I need someone to run regedit to exploit it?
    This is just another means of entry by an attacker. You're right when you say it's too late if you've written to my registry. However, this is just another thing that could go unchecked and be the next big thing for script kiddies to use to be a pain in the ass.

  4. #4
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    With home users and standalone, if the attacker can write to the registry then it's too late. The only vector I can see that wouldn't involve some major previous security breach is on a network where a user did this and it affected the admin system over a remote view. IMHO letting users write to the registry is a major security breach... and allowing remote changes to the registry is a major security breach. I can see the malicious code entering on a Trojan... but if the Trojan could get in with a malicious registry packet it could get in with anything, so why breach security to set up an exploit... when you are in, set up a backdoor that you know will work.

  5. #5
    But isn't the point of this being that you inherit admin privs? Maybe I read it wrong, but that's the idea that I got. Some key ran some command, and pop, you're now added to a list of power users...
    I'm Chris Bartholomew - 18 Years old

    TSeNg
    questions? Cxbartholomew@yahoo.com

  6. #6
    Senior Member
    Join Date
    Jun 2002
    Posts
    405
    bballad: This isn't exactly a critical vulnerability, but just as an example of how it would work: At my uni every Windows box is ghosted each time it's rebooted, which means they typically don't have to worry about people editing the registry, which is something that you're by default allowed to do. So I trap whatever key in the registry, and if I can then convince an administrator to open that key with regedit.exe remotely from his box with his privileges, I'm a new network administrator. As you can see it's not the most important bug, but it should still be patched.