{"id":9201,"date":"2019-04-02T02:02:40","date_gmt":"2019-04-02T00:02:40","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=9201"},"modified":"2024-07-26T17:33:07","modified_gmt":"2024-07-26T15:33:07","slug":"security-windows-spoofing-via-reg-files","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2019\/04\/02\/security-windows-spoofing-via-reg-files\/","title":{"rendered":"Security: Windows-Spoofing via .reg files"},"content":{"rendered":"

[German<\/a>]Windows users can be spoofed into importing .reg<\/em> files, as I just verified. You can send manipulated messages to the user via the dialog box shown before a .reg<\/em> file is imported.<\/p>\n

<\/p>\n

What is it about?<\/h2>\n

.reg files are small text files, that can be created and saved with an editor. The files may contain commands to set or delete entries in the registry. In Windows such .reg <\/em>files may be imported using the Windows registry editor regedit.exe. <\/em>This allows you to import the contents of a .reg<\/em> file by double-clicking on it.<\/p>\n

\".reg<\/p>\n

Then the dialog box shown above will be displayed to warn the user about the import of the .reg<\/em> file. And the user have to agree to the import via the Yes<\/em> button. For certain keys,\u00a0 also administrative rights are necessary for the import. So the Registry Editor must request increased rights via the User Account Control.<\/p>\n

Spoofing the import dialog box<\/h2>\n

Spoofing<\/a>\u00a0 is a situation in which a person or program successfully masquerades as another by falsifying data, to gain an illegitimate advantage. Security researcher John Page (aka hyp3rlinx) has now discovered<\/a> that the registry editor regedit.exe<\/em> can be used to create a .reg<\/em> file with a specially designed filename. This file name can be used to manipulate the text shown within the displayed dialog box.<\/p>\n

\"manipulierted<\/p>\n

The above dialog shows a manipulated text message when importing a .reg<\/em> file. Text parts of the original message were simply suppressed.\u00a0 Using such a manipulated message, attackers could trick inexperienced users to click the Yes <\/em>button to import a .reg<\/em> file containing dangerous content. In addition, Windows 10 seems to offer the ability to suppress the display of the second status dialog box, which indicates that an import was successful.<\/p>\n

Spoofing attacks<\/h2>\n

To delete the default text displayed and display your own text in the dialog box, you can use %-encoded characters such as %n or %r and %0 in the .reg<\/em> file name. For example, the text passages \"Do not trust …\" and \"Do you want to continue?\" shown within the default warning messages can be removed by using %0 characters.<\/p>\n

Normally, after a successful import, the Registry Editor opens another window with a corresponding status message. This can be suppressed by inserting a (zero) value directly before the dot at the end of the file name. This can be achieved with %1 or %25. The file name:<\/p>\n

\"Microsoft-Security-Update v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%b%1%0.reg\"<\/p>\n

not only suppresses the second status window that displays the successful import. It also creates a dialog box with the manipulated test shown above in the display. Here is a list of characters that can be used for manipulation.<\/p>\n