Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Full Disclosure: Re: Miscrosoft Registry Editor 5.1/XP/2K long string key vulnerability

Re: Miscrosoft Registry Editor 5.1/XP/2K long string key vulnerability

From: Jérôme ATHIAS <jerome.athias_at_free.fr>
Date: Wed, 24 Aug 2005 15:32:26 +0200

Hi,

it works on Windows 2000 SP4 FR and XP SP2 FR

when exporting the key, the resulting .reg file is "empty"

Regards

/JA

***************************************
http://www.athias.fr - Alertes de sécurité en français

Igor Franchuk a écrit :

> Hello All,
>
>
> PRELUDE
>
> /* Registry Element Size Limits The following are the size limits
> for the various registry elements. The maximum size of a key name
> is 255 characters. The maximum size of a value name is as follows:
> Windows Server 2003 and Windows XP: 16,383 characters Windows
> 2000: 260 ANSI characters or 16,383 Unicode characters. Windows
> Me/98/95: 255 characters Long values (more than 2,048 bytes) should
> be stored as files with the file names stored in the registry. This
> helps the registry perform efficiently. The maximum size of a value
> is as follows: Available memory. Windows Me/98/95: 16,300 bytes.
> There is a 64K limit for the total size of all values of a key. */
>
>
> DESCRIPTION
>
> Microsoft Registry Editor for 2K and XP (Regedt32.exe) has a nice
> design flow that is naturally allows to hide registry information
> from viewing and editing even from users with administrative
> access. (really handful, thanks guys)
>
>
> POC
>
> To reproduce the desired behavior:
>
> - run Regedt32.exe - create a key, let it just be
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
> Settings\Empty - in this key create any string value with the name
> exceeding 256 symbols (260 is the max) or just copy-paste:
>
> helloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworldhelloworl
>
>
> Press F5 (refresh) and you will see how the key magically
> disappears.
>
> Now create ANY key within
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
> Settings\Empty and press refresh again - it will NOT BE SEEN by
> regedt32.
>
>
>
> PRACTICE There is a tremendous implementation field for this
> behavior.
>
>
> TESTED On XP SP2 Eng, SP1 and 2K RUS. The testing is by no means
> complete but I hope it is working on all 2K and XP systems. Sorry
> if it is not.
>
> SUGGESTED FIX Make it possible to mange visibility by specifying
> (_?_) (_$_) and (_._) in the key names.
>
>
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Received on Aug 24 2005
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]