regsvr32.exe commandline overflow

Printable View

Show 40 post(s) from this thread on one page

August 11th, 2004, 06:36 PM
Nokia

I can see what your trying to say Mohaughn and everything youve said would be correct if regsrv32 was not a system process but it is.

http://www.liutilities.com/products/...rary/regsvr32/

I dont really understand what you are saying here:

Quote:

One of the main reasons you need administrative access to install many different types of applications is because a regular user invoking regsvr32 does not have the proper permissions to make changes to all registry keys.. so regsvr32 would fail, which is why the install bombs when it checks permissions.

I may just be miss reading this but the way I understand what you have said is someone invoking regsvr32 would need to have administrator rights?

So there you go, if regsvr32 overflows and executes something you have stored in memory, you will be piggybacking a program with administrator rights. Voilla!

And as it is a system process some security programs will allow it, as you said regsvr32 is invoked when you install something (admin rights there), how many firewalls, AV's etc go off when you install something?
August 11th, 2004, 06:51 PM
jinxy

Quote:

So there you go, if regsvr32 overflows and executes something you have stored in memory, you will be piggybacking a program with administrator rights. Voilla!

No he is saying regsrv32 only runs with the privalages of the user. IE if the user is restricted regsvr will run as restricted. Not as admin.
August 11th, 2004, 07:14 PM
Nokia

O right , i see what he ment now.

However it is a system process so the rights level of the user is irrelevant. The main reason some programs wont install if you dont have rights, has nothing to do with regsvr32, it is to do with creating/reading/writting/modifying files and folders in places you dont have access to.

Hence if you had a restricted/limited account you would'nt be allowed to even start installing something, that is long before regsvr will be invoked.
August 11th, 2004, 07:35 PM
jinxy

Quote:

Hence if you had a restricted/limited account you would'nt be allowed to even start installing something, that is long before regsvr will be invoked.

So SirDice is correct there is no privalige escalation here then??
August 11th, 2004, 08:09 PM
mohaughn

It was always my understanding, correct me if I'm worng.. that a system process is a process that the system needs to run, and it is started at system startup and is not tied to a user login.. meaning it runs as localsystem.. This is not the case for regsvr32.. You can delete regsvr32 from the harddrive and the system will still run.. I'm not sure why that webpage you listed says it is a system process, but I really don't think it is. It is in the system32 directory, but once you have the system installed and running, you can safely remove regsvr32 to prevent additional applications from being installed.

Here is another way to look at it.. If you have the resource kit, and you run tlist -t you will see the process list tree..

The tree is broken down by who the parent process is, this is also the security context under which the process is running..

if you run regsvr32 from a cmd prompt, cmd shows up as the parent.. if you run it from explorer, explorer shows up as the parent.. CMD and Explorer both run under the security context of the user that invokes the process. The regsvr32 process does not get pushed up to the top under system where you find winlogin, services, svchost and lsass...

Here is another thing to keep in mind.. When I was talking about installing software I was talking about installing on a locked down system. In this type of system a regular user does not have access to the registry to make changes. If regsvr32 ran in the localsystem(administrator) context then regsvr32 would still work as it would be using administrative permissions to change the registry and not normal user permissions. Also, one of the most common errors with regsvr32 is that the .dll file doesn't exist, or the user doesn't have access to the file. If you regsvr32 was running with administrator privileges file permissions would not be an issue, unless deny all was the effective permission, which is hardly ever the case.

This article gives the specifics of what regsvr32 is doing. It is just an application. They even give you source code so that you can register dlls without using regsvr32.

http://support.microsoft.com/default...b;en-us;207132

edit- That website also says cmd is a system process. So their definition of a system process does not mean that it runs as the system account. because we all know that cmd runs under the context of the user that initiated the command- http://www.liutilities.com/products/...sslibrary/cmd/
August 11th, 2004, 08:30 PM
Nokia

I thought that aswell at first that it was just an app especially with it being a .exe but then I went to the web page I linked to and it said it was a system process and when I checked, it is in the system32 folder, that convinced me it was a system process

Which is what makes me think it is exploitable to escelate privilages.

I dont have the resource kit at home but could you tell me if it shows up as parent if you just run it from the run prompt, if not what is? Thanks.

My way of thinking is that if regsvr is invoked it will have to either temporarily run with admin rights or be invoked by someone with admin rights, either way it can be exploited (providing that it is indeed a system process) to elevate any account that is made by the BO.

But then I suppose the argument is, if someone already has admin rights and you have remotely logged in then you have all the privilages you need.

However if a normal user can invoke it and the process (not the user) does temporarily gain admin rights (or the system process quivalent) then thats the security risk.

Im going to have a scour around and see if I can get a definate answer somewhere about if its a system process or not as you are starting to make me think its not!

Thanks
August 11th, 2004, 09:02 PM
Nokia

Well I couldnt find anyhting about if it was a system proccess or not but I did find this:

http://www.securityfocus.com/archive/82/316073

Notice the date - thanks for this hot of the press peice of news warl0ck7!

So anyway, i'll shut up, dish out your AP's and go and finish my bottle of morgan spiced now!

I enjoyed discussing it with you though mohaughn, makes a nice change not seeing a thread like this ending up in a flame war of some kind!

**Nokia bows and retreats very humbily**
August 11th, 2004, 09:04 PM
Maestr0

regsvr32.exe does not run as system and I would conssider very low risk unless it can be invoked remotely or is called by something like IE, however it may be possible to escalate privileges if one were to abuse the SeLoadDriver privilege (rootkit?). You coud least shut down services and annoy someone.

-Maestr0
August 11th, 2004, 09:44 PM
ikalo

Nokia,
This is from my personal experience. Once I have run install of some shareware with user priviledges. It was runing fine untill it was time to register ActiveX controls. Tham msg window poped up saying that I don't have rights to change registry. I beleive that it was when regsrv32 was called to do its job.

Also, following your logic are the following system proceses:
net, ping, tracert, cmd, explorer, route print, arp, netstat, nbtstat, ipconfig, start, any win screensaver etc?
They are all in system32 folder. Got my point.
On the other hand any overflaw is security risk because at least it can be used to anoy user.
Attacker will pick overflaw that he/she knows best, and that is not patched on target system.
August 11th, 2004, 11:22 PM
Nokia

Quote:

Also, following your logic are the following system proceses:
net, ping, tracert, cmd, explorer, route print, arp, netstat, nbtstat, ipconfig, start, any win screensaver etc?
They are all in system32 folder. Got my point.

Ermmm, no they are not sytem processes but lsass and svchost are and they are stored in the system32 directory also, get my point?

Show 40 post(s) from this thread on one page