OT - Another Windows Vulnerability



Probably doesn't affect any of you, but there's a free tool online that you
can download from the Sunbelt link and run to be certain.

From:

http://sunbeltblog.blogspot.com/

"Monday, August 29, 2005
The now infamous Regedit vulnerability
Last week, Secunia published an advisory on a new vulnerability found in
Windows. An exploit can take advantage of a weakness in Regedit, allowing a
hacker to put a long string in the registry to hide a command. News.com
picked it up on Friday.

From Secunia: "The weakness is caused due to an error in the Registry Editor
Utility (regedt32.exe) when handling long string names. This can be
exploited to hide strings in a registry key by creating a string with a long
name, which causes this string and any subsequently created strings in the
key to be hidden. Successful exploitation e.g. makes it possible for malware
to hide strings in the "Run" registry key. However, these hidden strings
created after the string with the overly long name will still be executed
when the user logs in."

However, someone actually has to get in to your system to implant this
registry key. So it's not a "run for the hills" type scenario, despite
breathless reports to the contrary. But it is something to take note of.

Two SANS bulletins, here and here. "An overly long registry entry can be
added, but won't be shown by regedit and regedt32. Even better, all registry
entries that get added afterward under the same key, even if not overly
long, will be hidden as well...This allows adding hidden entries under the
famous HKLM\Software\MS\Windows\CV\Run. Entries that you can't see with
regedit, but that will just as faithfully get run at startup." This can
happen right now on fully patched systems.

In other words, a hacker can implant a long string into the Run section of
the Registry. Regedit can't actually "see" it. When you re-start your
computer, it will happily run.

This vulnerability has been confirmed on fully patched Windows 2000 and XP
systems. Other systems may be at risk.

Here is what you can do right now. Run this tool from SANS which will tell
you what extra long entries you have in the registry. It looks for values in
excess of 254 characters. (Another option is to open up a command prompt
(Start/Run/Cmd) and type "reg query
HKLM\Software\Microsoft\Windows\CurrentVersion\Run", but I wouldn't bother
with that).

And wait for the patches to come forth from various vendors.

Alex Eckelberry
(Tip o' the hat to Eric Howes)"

Kevin W. Miller
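The quoted post describes the check only in terms of the SANS tool and a bare `reg query` command. The script below is an added example, not code from the original post, from Sunbelt or from SANS. It walks the usual Run/RunOnce keys through the registry API (which, unlike the regedit display, still enumerates the long-named value and everything after it) and flags value names longer than 254 characters, the threshold the post attributes to the SANS tool; that exact cutoff, the function name `Find-LongRunValueNames` and the list of keys checked are this example's own assumptions.

```powershell
# Added example (not from the original post or the tools it mentions).
# Lists every value under the autostart keys via the registry API and flags
# value names longer than a threshold. The 254-character cutoff is taken from
# the post's description of the SANS tool and is assumed, not verified here.
function Find-LongRunValueNames {
    param(
        [int] $MaxNameLength = 254,
        [string[]] $KeyPaths = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
        )
    )

    foreach ($KeyPath in $KeyPaths) {
        # Keys such as HKCU RunOnce often do not exist; skip them quietly.
        if (-not (Test-Path -LiteralPath $KeyPath)) { continue }

        $Key = Get-Item -LiteralPath $KeyPath
        $SeenLongName = $false

        # GetValueNames() comes from the registry API, so it returns the
        # long-named value and any values created after it, which is exactly
        # what the post says regedit/regedt32 fail to display.
        foreach ($Name in $Key.GetValueNames()) {
            # Read the command line without expanding %VARIABLES%, so the
            # stored string is shown as written.
            $Data = $Key.GetValue($Name, $null, 'DoNotExpandEnvironmentNames')

            $IsLong = $Name.Length -gt $MaxNameLength
            if ($IsLong) { $SeenLongName = $true }

            [pscustomobject]@{
                Key        = $KeyPath
                NameLength = $Name.Length
                # Truncate the displayed name so a 300-char name stays readable.
                Name       = if ($Name.Length -gt 60) { $Name.Substring(0, 60) + '...' } else { $Name }
                Data       = $Data
                LongName   = $IsLong
                # Per the post, entries after a long-named one are also hidden
                # in regedit; this flag marks them so they get eyeballed too.
                AfterLong  = (-not $IsLong) -and $SeenLongName
            }
        }
    }
}

# Usage: show everything the API sees, suspicious rows first.
Find-LongRunValueNames |
    Sort-Object -Property LongName, AfterLong -Descending |
    Format-Table -AutoSize -Wrap
```

Anything with `LongName` or `AfterLong` set to True is worth comparing against what regedit shows for the same key; a value the API lists but regedit does not is the hiding behaviour described above. On a 64-bit system the `Wow6432Node` copies of these keys would need to be added to `$KeyPaths`; the post only confirms the issue on Windows 2000 and XP, so they are left out here.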

