Full Disclosure mailing list archives
Re: Miscrosoft Registry Editor 5.1/XP/2K long string key vulnerability
From: Jérôme ATHIAS <jerome.athias () free fr>
Date: Wed, 24 Aug 2005 15:32:26 +0200
Hi, it works on Windows 2000 SP4 FR and XP SP2 FR when exporting the key, the resulting .reg file is "empty" Regards /JA *************************************** http://www.athias.fr - Alertes de sécurité en français Igor Franchuk a écrit :
Hello All, PRELUDE /* Registry Element Size Limits The following are the size limits for the various registry elements. The maximum size of a key name is 255 characters. The maximum size of a value name is as follows: Windows Server 2003 and Windows XP: 16,383 characters Windows 2000: 260 ANSI characters or 16,383 Unicode characters. Windows Me/98/95: 255 characters Long values (more than 2,048 bytes) should be stored as files with the file names stored in the registry. This helps the registry perform efficiently. The maximum size of a value is as follows: Available memory. Windows Me/98/95: 16,300 bytes. There is a 64K limit for the total size of all values of a key. */ DESCRIPTION Microsoft Registry Editor for 2K and XP (Regedt32.exe) has a nice design flow that is naturally allows to hide registry information from viewing and editing even from users with administrative access. (really handful, thanks guys) POC To reproduce the desired behavior: - run Regedt32.exe - create a key, let it just be HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Empty - in this key create any string value with the name exceeding 256 symbols (260 is the max) or just copy-paste: helloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworl Press F5 (refresh) and you will see how the key magically disappears. Now create ANY key within HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Empty and press refresh again - it will NOT BE SEEN by regedt32. PRACTICE There is a tremendous implementation field for this behavior. TESTED On XP SP2 Eng, SP1 and 2K RUS. The testing is by no means complete but I hope it is working on all 2K and XP systems. Sorry if it is not. SUGGESTED FIX Make it possible to mange visibility by specifying (_?_) (_$_) and (_._) in the key names.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Miscrosoft Registry Editor 5.1/XP/2K long string key vulnerability Igor Franchuk (Aug 24)
- Re: Miscrosoft Registry Editor 5.1/XP/2K long string key vulnerability Jérôme ATHIAS (Aug 24)
- Re: Miscrosoft Registry Editor 5.1/XP/2K long string key vulnerability Gilles DEMARTY (Aug 24)
- Re: Miscrosoft Registry Editor 5.1/XP/2K long string key vulnerability James Tucker (Aug 24)
- Re: Miscrosoft Registry Editor 5.1/XP/2K long string key vulnerability Gilles DEMARTY (Aug 24)
- Re: Miscrosoft Registry Editor 5.1/XP/2K long string key vulnerability Spiro Trikaliotis (Aug 24)
- Re: Miscrosoft Registry Editor 5.1/XP/2K long string key vulnerability Jérôme ATHIAS (Aug 24)