Re: possible regedit bulk key deletion vulnerability (Revised)

From: Ron Parker (ronGWMICRO.COM)
Date: Tue Nov 16 2004 - 08:01:35 CST


At 11:08 PM 11/15/2004, you wrote:
>It would not take someone with a lot of smarts to misuse this simple
>incomplete key (which regedit apparently interprets as a global delete of
>all the keys). Malware or a virus could simply dynamically build a .reg file
>or copy one (say malware.reg for example) with the above delete key
>specification, and place an item under the
>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key with the value of
>"regedit malware.reg /s". Using this example the machine can be rendered
>useless when it is restarted.

Far easier for the malware to use the API that Microsoft thoughtfully
provided for just that purpose:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/shellcc/platform/shell/reference/shlwapi/registry/shdeletekey.asp

>begging the point that maybe regedit should also only be allowed to run by
>administrators.

Of course, only an administrator could have deleted HKLM anyway...
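A defender-side check for the scenario discussed above, added here as an example and not code from the original post or from Microsoft: a small Python auditor that parses the section headers of a .reg file, flags deletion directives (the documented `[-key]` form), treats a deletion naming a bare root hive as a bulk delete, and notes writes to the Run autostart key named in the post. The sample .reg text is constructed for illustration; the exact delete specification from the original post is not quoted on this page, and the HKCU Run variant is an assumption.

```python
import re
from dataclasses import dataclass

# Root hives a .reg section header may name (long and short spellings).
ROOT_HIVES = {
    "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
    "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG",
    "HKLM", "HKCU", "HKU", "HKCR", "HKCC",
}

# Autostart location from the post (HKLM\...\Run); RunOnce and the HKCU
# variant are assumed additions, matched case-insensitively.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)

# A .reg section header: "[key]" creates/updates, "[-key]" deletes the key.
SECTION_RE = re.compile(r"^\[(-?)([^\]]*)\]\s*$")


@dataclass
class Finding:
    line_no: int
    severity: str
    reason: str
    key: str


def audit_reg_text(text: str) -> list[Finding]:
    """Return findings for every risky section header in a .reg file body."""
    findings: list[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = SECTION_RE.match(raw.strip())
        if not m:
            continue  # value lines and comments are not section headers
        delete = m.group(1) == "-"
        key = m.group(2).strip().rstrip("\\")
        if delete:
            # No subkey path after the hive name means the whole hive goes.
            if key == "" or key.upper() in ROOT_HIVES:
                findings.append(Finding(n, "critical", "bulk deletion of an entire hive", key))
            else:
                findings.append(Finding(n, "warning", "key deletion", key))
        elif RUN_KEY_RE.search(key):
            findings.append(Finding(n, "warning", "writes to an autostart Run key", key))
    return findings


# Constructed sample modelled on the post's description (not a real file).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="regedit malware.reg /s"

[-HKEY_LOCAL_MACHINE]
"""

if __name__ == "__main__":
    for f in audit_reg_text(SAMPLE_REG):
        print(f"line {f.line_no}: {f.severity}: {f.reason} [{f.key}]")
```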
