possible regedit bulk key deletion vulnerability (Revised)

support_at_maedata.net
Date: 11/16/04

  • Next message: Russ Cooper: "MajorRev: v3.0 Microsoft Security Bulletin MS04-039 - Vulnerability in ISA Server 2000 and Proxy Server 2.0 Could Allow Internet Content Spoofing (888258)"
    Date:         Mon, 15 Nov 2004 23:08:12 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Please note this occurred on a network where all machines are maintained with
    current patches and updates on a nightly basis using MS SUS. The machine
    this occurred on was a WinXP Pro SP2 machine.

    We found this by accident, even though the operation performed is so
    obviously caused by a typo that anyone can make, and it deletes the entire
    registry, and it should not be permitted, because if it can occur the way it
    did for us it can be misused to kill a system.

    We were using silent mode with .reg files in a logon script (regedit /s
    parameter).

    In the .reg file we were automating the deletion of a key, for some software
    that requires us to do so. We made the big typo of all time, so that the
    regedit command looked like this (we forgot to paste the remaining key
    info).

    [-HKEY_LOCAL_MACHINE\]

    When the script ran it deleted all registry keys, or so it appears, because
    the machine hung, and when rebooted the machine would not load Windows due
    to a missing registry file. And when we looked for these files under a DOS
    prompt (recovery being attempted at this point), the normal files containing
    the registry could not be found.

    Our issue with this is as follows.

    It would not take someone with a lot of smarts to misuse this simple
    incomplete key (which regedit apparently interprets as a global delete of
    all the keys). Malware or a virus could simply dynamically build a .reg file
    or copy one (say malware.reg for example) with the above delete key
    specification, and place an item under the
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key with the value of
    "regedit malware.reg /s". Using this example the machine can be rendered
    useless when it is restarted.

    Microsoft simply should not permit a global deletion of keys at certain
    levels. For instance the global deletion of

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\

    or

    HKLM\SOFTWARE\Microsoft\Windows

    and other sensitive keys should not be permitted, period.

    Regedit should not permit the global delete of the lowest levels at all, such as

    HKLM\
    HKCU\
    HKLM\SOFTWARE\
    HKCU\SOFTWARE\

    It's only a matter of time before someone actually figures this out and
    abuses it, if Microsoft does not plug this really big hole.

    Consider the implications: if someone had gotten hold of this during the
    Code Red days, accessing an infected web server could have caused someone to
    download a malware ActiveX object rendering the computer useless. Imagine
    how many computers that would involve.

    The only guard against this until it's fixed is to lock away regedit.

    Which begs the point that maybe regedit should also only be allowed to be
    run by administrators.

    --
    Editor's Note: The 43rd Most Powerful Person in Networking says...
    Register today to take the TruSecure ICSA exam by 12/31/04  at
    <http://www.2test.com> ,  use promo code "CT1204" and you will pay just
    $221.25 US Dollars for domestic exam delivery and  $296.25 US Dollars
    for international delivery.
    Visit <https://ticsa.trusecure.com>  for complete details regarding the
    TICSA credential and to take the free sample exam.
    --
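The practical defence against the typo described in the post is a pre-flight check on every .reg file before a logon script hands it to regedit /s. The following lint is an added example and is not code from the original post or from Microsoft: it parses the [key] / [-key] section lines of a .reg file, maps the HKLM-style shorthand the post uses onto the full hive names, and rejects any delete directive that sits too close to a hive root or that would take a protected key with it. The minimum depth (MIN_DELETE_DEPTH), the PROTECTED_PREFIXES list (built from the keys named in the post plus HKLM\SYSTEM), and the two sample .reg files are assumptions chosen for illustration.

```python
"""Pre-flight lint for .reg files destined for `regedit /s` (added example)."""
import re

# .reg files use full hive names; the post writes HKLM/HKCU shorthand, so accept both.
HIVE_ALIASES = {
    "HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
    "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS", "HKCC": "HKEY_CURRENT_CONFIG",
}
KNOWN_HIVES = set(HIVE_ALIASES.values())

# Assumed policy: a delete must name at least this many subkey levels below the hive,
# and must not land on or above any of these keys (list taken from the post, plus SYSTEM).
MIN_DELETE_DEPTH = 3
PROTECTED_PREFIXES = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows",
    "HKEY_LOCAL_MACHINE\\SYSTEM",
    "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows",
)

VALID_HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
SECTION_RE = re.compile(r"^\[(-?)(.*)\]$")  # group 1: "-" for delete, group 2: key path


def normalize_key(raw):
    """Return (full hive name, [subkey components]); a trailing '\\' adds no component."""
    parts = [p for p in raw.strip().split("\\") if p != ""]
    if not parts:
        return None, []
    hive = HIVE_ALIASES.get(parts[0].upper(), parts[0].upper())
    return hive, parts[1:]


def lint_reg(text):
    """Return a list of (line number, message) findings; an empty list means the file is safe."""
    findings = []
    lines = text.splitlines()
    if not lines or lines[0].strip() not in VALID_HEADERS:
        findings.append((0, "missing or unknown .reg header line"))
    for n, line in enumerate(lines, 1):
        m = SECTION_RE.match(line.strip())
        if not m:
            continue  # value lines ("name"=...) and comments are not key operations
        is_delete, raw = m.group(1) == "-", m.group(2)
        hive, comps = normalize_key(raw)
        if hive is None or hive not in KNOWN_HIVES:
            findings.append((n, f"unknown root key in {line.strip()!r}"))
            continue
        if not is_delete:
            continue
        full = "\\".join([hive] + comps)
        if len(comps) < MIN_DELETE_DEPTH:
            findings.append((n, f"delete of {full} is only {len(comps)} level(s) below the hive"))
        # Component-wise prefix test: the target is at or above a protected key.
        for protected in PROTECTED_PREFIXES:
            if (protected.upper() + "\\").startswith(full.upper() + "\\"):
                findings.append((n, f"delete of {full} would remove protected key {protected}"))
                break
    return findings


def is_safe(text):
    """True when the .reg file contains no flagged delete directive."""
    return not lint_reg(text)


# Constructed samples: the exact typo from the post, and a correctly scoped delete.
TYPO_REG = "Windows Registry Editor Version 5.00\n\n[-HKEY_LOCAL_MACHINE\\]\n"
SHORTHAND_REG = "Windows Registry Editor Version 5.00\n\n[-HKLM\\SOFTWARE\\]\n"
GOOD_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[-HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendor\\ExampleApp]\n"
)

if __name__ == "__main__":
    for name, sample in (("typo", TYPO_REG), ("shorthand", SHORTHAND_REG), ("good", GOOD_REG)):
        print(name, "SAFE" if is_safe(sample) else "BLOCKED")
        for line_no, msg in lint_reg(sample):
            print(f"  line {line_no}: {msg}")
```

Wire the check into the logon script so the file is only passed to regedit /s when is_safe() returns True; the depth rule alone would have stopped the [-HKEY_LOCAL_MACHINE\] line, and the protected-prefix rule additionally catches deletes aimed at the CurrentVersion and SYSTEM trees the post singles out.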
    
