[German]Windows users can be spoofed into importing .reg files, as I just verified. You can send manipulated messages to the user via the dialog box shown before a .reg file is imported.
Advertising
What is it about?
.reg files are small text files, that can be created and saved with an editor. The files may contain commands to set or delete entries in the registry. In Windows such .reg files may be imported using the Windows registry editor regedit.exe. This allows you to import the contents of a .reg file by double-clicking on it.
Then the dialog box shown above will be displayed to warn the user about the import of the .reg file. And the user have to agree to the import via the Yes button. For certain keys, also administrative rights are necessary for the import. So the Registry Editor must request increased rights via the User Account Control.
Spoofing the import dialog box
Spoofing is a situation in which a person or program successfully masquerades as another by falsifying data, to gain an illegitimate advantage. Security researcher John Page (aka hyp3rlinx) has now discovered that the registry editor regedit.exe can be used to create a .reg file with a specially designed filename. This file name can be used to manipulate the text shown within the displayed dialog box.
Advertising
The above dialog shows a manipulated text message when importing a .reg file. Text parts of the original message were simply suppressed. Using such a manipulated message, attackers could trick inexperienced users to click the Yes button to import a .reg file containing dangerous content. In addition, Windows 10 seems to offer the ability to suppress the display of the second status dialog box, which indicates that an import was successful.
Spoofing attacks
To delete the default text displayed and display your own text in the dialog box, you can use %-encoded characters such as %n or %r and %0 in the .reg file name. For example, the text passages "Do not trust …" and "Do you want to continue?" shown within the default warning messages can be removed by using %0 characters.
Normally, after a successful import, the Registry Editor opens another window with a corresponding status message. This can be suppressed by inserting a (zero) value directly before the dot at the end of the file name. This can be achieved with %1 or %25. The file name:
"Microsoft-Security-Update v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%b%1%0.reg"
not only suppresses the second status window that displays the successful import. It also creates a dialog box with the manipulated test shown above in the display. Here is a list of characters that can be used for manipulation.
- % – can be used for obfuscation e.g. %h%a%t%e = hate
- %b will create white-space
- %n makes a newline
- %r makes a newline
- %1 creates (null) – important as we prevent the second registry dialog from
appearing after a successful import! - %0 Important terminates string
- %25 (Windows 10) creates (null) – Important as we prevent the second
registry dialog from appearing after a successful import! - %3 – Important as we prevent the second registry dialog from appearing
after a successful import! (but shows asian char) - %5 (Windows 10) duplicates the default registry dialog box message by "n"
amount of times per amount of %5 injected into the filename - %25 (Windows 7) duplicates the default registry dialog box message by "n"
amount of times per amount of %25 injected into the filename - %2525 prevents registry editor from opening
- %169 will show our junky filename in the dialog box (we don't want that)
- %3, %197, %17 and some others change the default language shown in the
registry dialog box to asian characters etc.
The security researcher describes the details and some attacks on Seclists.org, and and has also published there the above list with characters for the manipulating the dialog box message. Below is a video demonstrating such a spoofing attack.
Windows .Reg File Dialog Box Spoofing 0day from hyp3rlinx on Vimeo.
