New regedit.exe exploit

Printable View

April 22nd, 2003, 11:22 AM
powertoad5000

New regedit.exe exploit

There is a bug in regedit.exe which allows an attacker to execute an arbitrary command with the victim's privileges when the victim opens a specified key in the registry. Workaround for now is to simply use regedt32.exe instead of regedit.exe.

Quote:

This is a NEW exploit for a NEW vulnerability
in REGEDIT.EXE !

This one trap a KEY in the registery, that
when a non informed user just try to BROWSE IT
with REGEDIT.EXE (localy or REMOTELY !) execute
an arbitrary command defined by attacker
without its knowledge !

The vulnerabitily appear to be in a RegEnumValueW
function misused in regedit.exe

By precaution, I council to use regedt32.exe
for your future registery manipulation.

This exploit as been tested on Win2K (fr) SP0,2,3,
and work with a local and remote browse of a
trapped registery.

Exploit code can be found here.
April 22nd, 2003, 03:36 PM
bballad

Some one explain how this one is even thinking about being an issue. First off users should not have the privs to run regedit. Secondly if the attacker has already written keys to the registry then its too late your system is already exploited : D . If I can write keys to the registry I can do whatever I want to the system anyway why would I need someone to run regedit to exploit it?
April 22nd, 2003, 03:48 PM
Jonesy69

Quote:

Some one explain how this one is even thinking about being an issue. First off users should not have the privs to run regedit.

What about home users? What about the guy at the office who doesnt know any better? Those would be prime examples of people who would have the privelages to run regedit.exe or any variation (regedit32).

Quote:

Secondly if the attacker has already written keys to the registry then its too late your system is already exploited : D . If I can write keys to the registry I can do whatever I want to the system anyway why would I need someone to run regedit to exploit it?

This is just another means of entry by an attacker. Your're right when you say its to late if you've written to my registry. However, this is just another thing that could go unchecked and be the next big thing for script kiddies to use to be a pain in the ass. :)
April 22nd, 2003, 04:02 PM
bballad

With home users and standalone. if the attacker can write to the registry then its too late. The only vector I can see that wouldn’t involve some major pervious security breach is on a network where a user did this and it affected the admin system over a remote view. IMHO letting users write to the registry is a major security breach...and allowing remote changes to the registry is a major security breach. I can see the malicious code entering on a Trojan...but if the Trojan could get in with a malicious registry packet it could get in with anything, why breach security to set up an exploit...when you are in set up a backdoor that you know will work.
April 22nd, 2003, 05:28 PM
TSeNg

But isnt the point of this being that you inhearit admin priv's? maybe i read it wrong but thats the idea that i got. some key ran some command, and pop, your now added to alist of power users...
April 23rd, 2003, 12:48 AM
powertoad5000

bballad: This isn't exactly a critical vulnerability :) but just as an example of how it would work: At my uni every windows box is ghosted each time it's rebooted. Which means they typically don't have to worry about people editing the registry, which is something that you're by default allowed to do. So I trap whatever key in the registry, and if I can then convince an administrator to open that key with regedit.exe remotely from his box with his privileges, I'm a new network administrator :). As you can see its not the most important bug, but it should still be patched.