possible regedit bulk key deletion vulnerability (Revised)
Date: Mon, 15 Nov 2004 23:08:12 -0500 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Please note this occurred on a network where all machines are maintained with
current patches and updates on a nightly basis using MS SUS. The machine
this occurred on was a WinXP Pro SP2 machine.
We found this by accident, even though the operation performed is so
obviously caused by a typo that anyone can make, and it deletes the entire
registry, and should not be permitted, because if it can occur the way it did
for us it can be misused to kill a system.
We were using silent mode with .reg files in a logon script (regedit /s
In the .reg file we were automating the deletion of a key, for some software
that requires us to do so. We made the biggest typo of all time, so that the
regedit command looked like this. (We forgot to paste the remaining key
When the script ran it deleted all registry keys, or so it appears, because
the machine hung, and when rebooted the machine would not load Windows due
to a missing registry file. And when we looked for these files under the DOS
prompt (recovery being attempted at this point), the normal files containing
the registry could not be found.
Our issue with this is this.
It would not take someone with a lot of smarts to misuse this simple
incomplete key (which regedit apparently interprets as a global delete of
all the keys). Malware or a virus could simply dynamically build a .reg file
or copy one (say malware.reg, for example) with the above delete key
specification, and place an item under the
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key with the value of
"regedit malware.reg /s". Using this example the machine can be rendered
useless when it is restarted.
Microsoft simply should not permit a global deletion of keys at certain
levels. For instance, the global deletion of
and other sensitive keys should not be permitted, period.
Regedit should not permit the global delete of the lowest levels at all, such
It's only a matter of time before someone actually figures this out and abuses
it, if Microsoft does not plug this really big hole.
Consider the implications: if someone had got hold of this during the Code Red
days, accessing an infected web server could have had someone download a
malware ActiveX object rendering the computer useless. Imagine how many
computers that would involve.
The only guard against this until it's fixed is to lock away regedit,
begging the point that maybe regedit should also only be allowed to run by
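As an added, defender-side example that is not from the original post: a small pre-flight validator a logon script could run before calling `regedit /s`, refusing .reg files that contain an unterminated key line (the truncated paste the post describes) or a deletion directive for a key too close to a hive root. The depth threshold, the root-hive list and the sample .reg contents are my own assumptions, not values from the post.

```python
"""Pre-flight check for .reg files before a logon script applies them with
`regedit /s` (added example; MIN_DELETE_DEPTH is an assumed site policy)."""
from typing import List

MIN_DELETE_DEPTH = 3           # e.g. HKLM\SOFTWARE\Vendor is depth 3 (assumed policy)
ROOT_HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
              "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
HEADERS = {"Windows Registry Editor Version 5.00", "REGEDIT4"}


def check_reg_text(text: str) -> List[str]:
    """Return a list of findings; an empty list means the file is safe to apply."""
    findings: List[str] = []
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        findings.append("line 1: missing or unknown .reg header")
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line.startswith("["):
            continue                       # value lines and comments are not checked here
        if not line.endswith("]"):
            findings.append(f"line {n}: unterminated key line {line!r} (truncated paste?)")
            continue
        key = line[1:-1]
        is_delete = key.startswith("-")    # [-HKEY_...] deletes the whole key
        if is_delete:
            key = key[1:]
        parts = [p for p in key.split("\\") if p]
        if not parts or parts[0].upper() not in ROOT_HIVES:
            findings.append(f"line {n}: unknown root hive in {line!r}")
        elif is_delete and len(parts) < MIN_DELETE_DEPTH:
            findings.append(f"line {n}: refusing to delete shallow key {key!r} "
                            f"(depth {len(parts)} < {MIN_DELETE_DEPTH})")
    return findings


# Constructed samples (not from the original post): a legitimate per-application
# key deletion, a truncated directive, and a deletion aimed at a whole hive branch.
GOOD_REG = ("Windows Registry Editor Version 5.00\n\n"
            "[-HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendor\\ExampleApp]\n")
TRUNCATED_REG = ("Windows Registry Editor Version 5.00\n\n"
                 "[-HKEY_LOCAL_MACHINE\\SOFTWARE\n")
SHALLOW_REG = ("Windows Registry Editor Version 5.00\n\n"
               "[-HKEY_LOCAL_MACHINE\\SOFTWARE]\n")

if __name__ == "__main__":
    for name, sample in (("good", GOOD_REG), ("truncated", TRUNCATED_REG),
                         ("shallow", SHALLOW_REG)):
        print(name, check_reg_text(sample) or "OK")
```

A logon script would only invoke `regedit /s` when the returned list is empty; the check does not parse value lines, so it guards key deletions only.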