possible regedit bulk key deletion vulnerability (Revised)

Date: 11/16/04

  • Next message: Russ Cooper: "MajorRev: v3.0 Microsoft Security Bulletin MS04-039 - Vulnerability in ISA Server 2000 and Proxy Server 2.0 Could Allow Internet Content Spoofing (888258)"
    Date:         Mon, 15 Nov 2004 23:08:12 -0500

    Please note this occurred on a network where all machines are maintained with
    current patches and updates on a nightly basis using MS SUS. The machine
    this occurred on was a WinXP Pro SP2 machine.

    We found this by accident, even though the operation performed is so
    obviously caused by a typo that anyone can make, and it then deletes the entire
    registry, and should not be permitted because if it can occur the way it did
    for us it can be misused to kill a system.

    We were using silent mode with .reg files in a logon script (regedit /s

    In the .reg file we were automating the deletion of a key, for some software
    that requires us to do so. We made the big typo of all time, so that the
    regedit command looked like this. (we forgot to paste the remaining key


    When the script ran it deleted all registry keys, or so it appears, because
    the machine hung, and when rebooted the machine would not load Windows due
    to a missing registry file. And when we looked for these files under a DOS
    prompt (recovery being attempted at this point), the normal files containing
    the registry could not be found.

    Our issue with this is this.

    It would not take someone with a lot of smarts to misuse this simple
    incomplete key (which regedit apparently interprets as a global delete of
    all the keys). Malware or a virus could simply dynamically build a .reg file
    or copy one (say malware.reg for example) with the above delete key
    specification, and place an item under the
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key with the value of
    "regedit malware.reg /s". Using this example the machine can be rendered
    useless when it is restarted.

    Microsoft simply should not permit a global deletion of keys at certain
    levels. For instance, the global deletion of




    and other sensitive keys should not be permitted period.

    Regedit should not permit the global delete of the lowest levels at all such


    It's only a matter of time before someone actually figures this out and abuses
    it, if Microsoft does not plug this really big hole.

    Consider the implications: if someone had gotten hold of this during the Code Red
    days, accessing an infected web server could have had someone download a
    malware ActiveX object, rendering the computer useless. Imagine how many
    computers that would involve.

    The only guard against this until it's fixed is to lock away regedit.

    Begging the point that maybe regedit should also only be allowed to run by

    Editor's Note: The 43rd Most Powerful Person in Networking says...
    Register today to take the TruSecure ICSA exam by 12/31/04  at
    <http://www.2test.com> ,  use promo code "CT1204" and you will pay just
    $221.25 US Dollars for domestic exam delivery and  $296.25 US Dollars
    for international delivery.
    Visit <https://ticsa.trusecure.com>  for complete details regarding the
    TICSA credential and to take the free sample exam.
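A defensive pre-check for the failure mode described in the post above, added here as an example and not part of the original message or of anything Microsoft ships: a small Python linter that parses a .reg file and refuses deletion entries (the `[-KEY]` form) whose target is not a known root hive or sits too close to one, so a truncated key in a logon script is caught before `regedit /s` is ever run. The sample .reg contents, the vendor and application key names, and the depth threshold `MIN_DELETE_DEPTH` are all constructed for this example.

```python
"""
Lint a .reg file before handing it to `regedit /s`.

Key header lines in a .reg file look like [KEY] (create/update) or [-KEY]
(delete the key and everything below it).  This linter rejects deletions
whose target is missing, names an unknown hive, or has fewer path
components than a policy threshold, so a truncated key cannot take a
whole subtree with it.  Everything below is an added example; the sample
inputs and the threshold are constructed, not taken from the original post.
"""
import re

# Full hive names as regedit writes them in exported .reg files.
ROOT_HIVES = {
    "HKEY_LOCAL_MACHINE",
    "HKEY_CURRENT_USER",
    "HKEY_CLASSES_ROOT",
    "HKEY_USERS",
    "HKEY_CURRENT_CONFIG",
}

# Assumed policy value: a deletion target must have at least this many
# components (hive + subkeys) before the linter lets it through.
MIN_DELETE_DEPTH = 4

# Matches a key header line; group(1) is "-" for a deletion, group(2) the path.
KEY_LINE = re.compile(r"^\[(-?)(.*)\]$")


def parse_reg(text):
    """Return a list of (action, key_path) for every key header line.

    action is "delete" for [-KEY] and "write" for [KEY].  Value lines
    ("Name"=...) are ignored; they cannot remove keys.  Callers reading a
    file exported by regedit should decode it as UTF-16 before passing it in.
    """
    lines = text.splitlines()
    if not lines or not lines[0].strip().startswith(("Windows Registry Editor", "REGEDIT4")):
        raise ValueError("missing .reg header line")
    entries = []
    for raw in lines[1:]:
        m = KEY_LINE.match(raw.strip())
        if not m:
            continue
        action = "delete" if m.group(1) == "-" else "write"
        entries.append((action, m.group(2).strip()))
    return entries


def lint_deletions(text, min_depth=MIN_DELETE_DEPTH):
    """Return a list of problem strings; an empty list means no risky deletion."""
    problems = []
    for action, path in parse_reg(text):
        if action != "delete":
            continue
        parts = [p for p in path.split("\\") if p]
        if not parts:
            problems.append("deletion with an empty key path")
        elif parts[0].upper() not in ROOT_HIVES:
            problems.append(f"deletion under unknown hive: {path}")
        elif len(parts) < min_depth:
            problems.append(
                f"deletion too close to the root ({len(parts)} components): {path}"
            )
    return problems


# Constructed samples: a deep, app-specific key (acceptable) and a truncated
# key of the kind a copy/paste slip produces (rejected).
SAFE_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleApp]
"""

TRUNCATED_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE]
"""


def is_safe_to_apply(text):
    """True only when the linter found nothing to object to."""
    return not lint_deletions(text)


if __name__ == "__main__":
    for name, body in (("safe.reg", SAFE_REG), ("truncated.reg", TRUNCATED_REG)):
        found = lint_deletions(body)
        print(name, "OK" if not found else "REJECTED: " + "; ".join(found))
```

In a logon script the check runs first and `regedit /s` is only invoked when `is_safe_to_apply` returns true; the threshold is deliberately a policy knob, since the right minimum depth depends on which subtrees the script is meant to touch.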
