[Dshield] Windows Registry Editor Utility String Concealment Weakness

David Taylor ltr at isc.upenn.edu
Wed Aug 24 18:15:25 GMT 2005

We were playing around with this earlier today and found it may end up being
a pain to deal with. I'm sure the spyware folks are going to want to start
running their wares using this vulnerability.

I created a large key name in my HKCU RUN and when I hit okay it
disappeared.  It showed up if you used the command line REG.EXE command but
wouldn't let you delete it.  The only way I found to delete the key was by
using msconfig.  The key showed up there but was blank.  Unchecking the key
from startup seems to delete the key from the registry.

David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security 
Philadelphia PA USA
LTR at ISC.UPENN.EDU               (215) 898-1236

SANS - The Twenty Most Critical Internet Security Vulnerabilities 

SANS - Internet Storm Center

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Fergie (Paul Ferguson)
Sent: Wednesday, August 24, 2005 11:17 AM
To: list at lists.dshield.org
Subject: [Dshield] Windows Registry Editor Utility String

From the "For What it's Worth" Dept. --

Via Secunia:


Windows Registry Editor Utility String Concealment Weakness

Secunia Advisory:	SA16560
Release Date:	2005-08-24

Not critical
Impact:	Spoofing
Where:	Local system
Solution Status:	Unpatched

Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional


Igor Franchuk has discovered a weakness in Microsoft Windows, which can be
exploited to hide certain information.

The weakness is caused due to an error in the Registry Editor Utility
(regedt32.exe) when handling long string names. This can be exploited to
hide strings in a registry key by creating a string with a long name, which
causes this string and any subsequently created strings in the key to be

Successful exploitation e.g. makes it possible for malware to hide strings
in the "Run" registry key. However, these hidden strings created after the
string with the overly long name will still be executed when the user logs

The weakness has been confirmed in a fully updated Windows XP SP2 system,
and has also been reported in Windows 2000. Other versions may also be

Ensure that systems have up-to-date anti-virus and spyware detection
software installed.



- ferg
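The advisory above says the hidden values are still executed at logon, and David's reply notes that REG.EXE (which reads the registry through the API rather than through regedit's list view) still lists them. The script below is an added example, not code from either poster or from Secunia: it enumerates the usual Run/RunOnce keys the same way, reports every value with its name length, and flags names above a threshold. The 200-character threshold is an assumption (the advisory only says "long"), and the optional removal via Remove-ItemProperty is likewise an assumption about what will work on an affected system; David reports that REG.EXE could not delete his test value, so treat the removal as an attempt that may fail and be reported, not a guaranteed cleanup.

```powershell
# Added example (not from the original posts or the Secunia advisory).
# Lists autostart values in the Run/RunOnce keys via the registry API and
# flags names long enough to vanish from regedit's display.
# Assumptions: the 200-char threshold, and that Remove-ItemProperty can
# delete such a value (the thread reports REG.EXE could not).

function Get-LongNameRunValue {
    param(
        [int]$Threshold = 200,   # assumed cut-off; advisory only says "long"
        [switch]$Remove          # attempt deletion of flagged values
    )

    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }

        # Get-Item returns a RegistryKey; GetValueNames() walks the API
        # directly, so a value regedit refuses to draw is still returned.
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            $flagged = $name.Length -gt $Threshold

            [pscustomobject]@{
                Key        = $key
                NameLength = $name.Length
                Flagged    = $flagged
                Data       = $regKey.GetValue($name)
            }

            if ($flagged -and $Remove) {
                try {
                    Remove-ItemProperty -LiteralPath $key -Name $name -ErrorAction Stop
                    Write-Warning "Removed $($name.Length)-char value from $key"
                } catch {
                    # Deletion may fail on affected systems; surface it rather
                    # than silently leaving the value behind.
                    Write-Warning "Could not remove $($name.Length)-char value from $($key): $_"
                }
            }
        }
    }
}

# Usage: report only, longest names first.
Get-LongNameRunValue | Sort-Object NameLength -Descending | Format-Table -AutoSize

# Usage: report and attempt removal of flagged values (run elevated for HKLM).
# Get-LongNameRunValue -Remove
```

On the Windows 2000/XP systems named in the advisory, which predate PowerShell, the equivalent check is the one David used: `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` lists every value regardless of name length, and comparing its output against what regedit shows is enough to spot a concealed entry.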
