registry key
---------------
The icabar.exe file is launched during an administrator logon to the
desktop via the Run registry key. Unfortunately the IcaBar key value
doesn't contain a full binary path, which allows an attacker to escalate
privileges on Windows NT and 2000 in the default configuration and on
Windows 2003 in some circumstances.
This causes several instances of Windows PATH trolling, where Windows
------------------------------------------------------------------------
Exploiting this issue on Windows XP using the above described attack
vectors will fail. This is caused by the fact that on Windows XP OLE
Packages are handled by the packager.exe application (Windows Object
Packager) while on Windows Vista and later OLE Packages are handled by
the DLL packager.dll. This is defined in the Registry key
HKEY_CLASSES_ROOT\Package\protocol\StdFileEditing\server. Big difference
between these two is that on Windows XP the temporary file is removed
if packager.exe is closed, while on Windows Vista the file is removed
when the Office document is closed (and the DLL is unloaded). Also the
exe saves its files in the Temporary Internet Files folder while the DLL
1. If HP Software Update is reinstalled using the recovery solution, the procedure above must be repeated.
2. On a PC where HP Software Update is present, the procedure above must be followed even if HP Software Update is never used.
3. This resolution applies the Windows Registry kill bit to the following CLSIDs:
{60178279-6D62-43af-A336-77925651A4C6}
{DC4F9DA0-DB05-4BB0-8FB2-03A80FE98772}
{0C378864-D5C4-4D9C-854C-432E3BEC9CCB}
{93441C07-E57E-4086-B912-F323D741A9D8}
KB article 240797 prior to updating the registry.
PSFormX ActiveX control
Create a DWORD with the name of "Compatibility Flags" containing the
value 0x00000400 in the following registry key. If the key does not
exist, create it under the following location:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\
ActiveX Compatibility\{56393399-041A-4650-94C7-13DFCB1F4665}]
Class of IPM.Document.txtfile indicates that the attachment is a plain
text file, while IPM.Document.Excel.Sheet.12 indicates a Microsoft Excel
document created with Excel 2007.
If Outlook receives a message with its Message Class set to
IPM.Document.<type>, Outlook will search the Windows Registry
using the last part (<type>) of the Message Class to see if such a
file type is registered in Windows. If so, it will look in the Registry
to see if this file type has an icon associated (i.e.
HKEY_CLASSES_ROOT\txtfile\DefaultIcon). If so Outlook uses this icon as
the icon for the e-mail message.
and import the following registry file for the corresponding version of
Office.
Office 2003:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock]
"HTMLFiles"=dword:00000001
Office 2007:
reg copy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runs
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s /f
5) Create the following registry keys, or registry file (.reg), execute and
reboot.
NOTE: After rebooting, you may find that any egress traffic that used to
prompt for access, now no longer prompts.
. 2011-03-30:
Core acknowledges receipt of the previous mail.
. 2011-04-05:
Vendor requests additional information: (i) a Watson bucket ID from
the crash, and (ii) whether the following registry key was set:
'[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Publisher]
"PromptForBadFiles"=dword:00000001'.
. 2011-04-06:
Core provides the bucket ID and responds that the registry key wasn't
Save the following text as a .REG file and import it to set the kill bit
for these controls:
+--------------------------------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{1E57C6C4-B069-11D3-8D43-00104B138C8C}]
"Compatibility Flags"=dword:00000400
To set the kill bit for the CLSID with a value of
{B8E73359-3422-4384-8D27-4EA1B4C01232}, paste the following text in a
text editor such as Notepad. Save the file using the .reg filename
extension.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B8E73359-3422-4384-8D27-4EA1B4C01232}]
"Compatibility Flags"=dword:04000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B8E73359-3422-4384-8D27-4EA1B4C01232}]
"Compatibility Flags"=dword:04000400
File Version: 8.1.0.0
Safe for Scripting (Registry): TRUE
Safe for Initialization: TRUE
The readRegVal() method allows to dump specific values from
the Windows registry.
From the typelib:
..
/* DISPID=1 */
/* VT_BSTR [8] */
Set the kill bit for the NewV CLSIDs:
{0B68B7EB-02FF-4A41-BC14-3C303BB853F9}
.Reg file:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0B68B7EB-02FF-4A41-BC14-3C303BB853F9}]
"Compatibility Flags"=dword:00000400
-EOF-
Administrators can set the kill-bit for the vulnerable ActiveX control
with the following .reg file. This will prevent the control from
loading within Internet Explorer.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{E9880553-B8A7-4960-A668-95C68BED571E}]
"Compatibility Flags"=dword:00000400
Administrators can set the kill-bit for the vulnerable ActiveX control
with the following .reg file. This will prevent the control from
loading within Internet Explorer.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{53D40FAA-4E21-459f-AA87-E4D97FC3245A}]
"Compatibility Flags"=dword:00000400
https://www.rooms.hp.com
HP Virtual Rooms client v7.0.1 can be installed by using the "Test your setup" link at https://www.rooms.hp.com . Select "Test your setup" from the right navigation bar and follow the instructions.
Note: Installing this new release will also apply the Windows registry ‘kill bit’ for CLSID {00000032-9593-4264-8B29-930B3E4EDCCD}. The kill bit is explained in Microsoft article KB240797 or subsequent. http://support.microsoft.com/kb/240797 .
To completely remove HP Virtual rooms (HPVR) from your system:
Use the HPVR cleaner to remove HP Virtual Rooms from your system. The HPVR Cleaner will remove all HPVR executables and clear all registry entries – without the need to install the new version. Follow the instructions under "Removing HPVR components" here: https://www.rooms.hp.com/resources/ .
PRODUCT SPECIFIC INFORMATION
===============
1) Introduction
===============
Pegasus Mail (PMail) is suitable for single or multiple users on stand-alone computers and for internal and Internet mail on local area networks. Pegasus Mail has minimal system requirements compared with competing products, for instance the installed program (excluding mailboxes) for version 4.51 requires only around 13.5 MB of hard drive space. Since Pegasus Mail does not make changes to the Windows registry or the system directory, it is suitable as a portable application for USB drives. Language packs are available for languages other than English.
Some commentators have described Pegasus Mail as convoluted and cumbersome to configure, whereas others value Pegasus Mail for the features it offers. A key feature of Pegasus Mail is that it does not use the HTML layout engine that is installed with every Microsoft operating system since 1997: The ubiquity of the Microsoft engine, which is used not only by all Microsoft products but by numerous 3rd party products as well, makes it a frequent target of malware such as Melissa and ILOVEYOU. Mail clients such as Pegasus Mail that have their own HTML rendering engine are inherently immune to these security exploits. Pegasus Mail will also not execute automation commands (for example ActiveX or JavaScript) embedded in an e-mail, further reducing the chances of a security breach.
(from Wikipedia website)
Workaround #1: Users running AIM on Microsoft Windows XP SP2 or Windows
Server 2003 SP1 may implement Microsoft's "Internet Explorer Local Machine
Zone Lockdown" recommendations to mitigate risk. This will not fix the
reported bugs but will reduce the risk of exploitation significantly.
To enable Local Machine Zone Lockdown for your AIM client, go to the
following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_LocalMachine_Lockdown
Add a REG_DWORD value to this key named as the AIM client application (for
On 2010-03-08 Andrew Barkley wrote:
> The following illustrates how one can easily disable ZoneAlarm's
> security for whatever malevolent purposes. This "vector" so to speak,
> is merely "abusing" a particular branch of the Windows registry, by
> registering this security service as disabled. When "exploiting" this
> "vector" (administrative privileges are assumed
Anything starting with "a user with administrative privileges can ..."
is neither a vulnerability nor a design flaw. Administrators can by
design do anything they want on the system. Period.
Console.WriteLine("\nThe file named no-ip.txt is created\n");
}
private string getDUC()
{
RegistryKey ducKey = Registry.LocalMachine;
ducKey = ducKey.OpenSubKey(@"SOFTWARE\Vitalwerks\DUC", false);
String TrayPassword = DecodeBytes(ducKey.GetValue("TrayPassword").ToString());
String Username = ducKey.GetValue("Username").ToString();
String Password = DecodeBytes(ducKey.GetValue("Password").ToString());
String Hostnames = ducKey.GetValue("Hosts").ToString();
* Mail: glafkos@astalavista.com
* ishtus@astalavista.com
*
* Synopsis: Folder Lock 5.9.5 and older versions are prone to local information-disclosure vulnerability.
* Successfully exploiting this issue allows attackers to obtain potentially sensitive information that may aid in further attacks.
* The security issue is caused due to the application storing access credentials within the Windows registry key:
* (HKEY_CURRENT_USER\Software\Microsoft\Windows\QualityControl) without proper encryption.
* This can be exploited to disclose the encrypted _pack password of the user which is ROT-25 and reversed.
*
* Sample Output:
*
2.
During the start of the application the value `OutputFolder` from the registry key
[HKEY_CURRENT_USER/Software/AnvSoft/Any Video Converter Ultimate/Setting/Output] is read.
The application does not validate the string length of the registry value before passing the content to a buffer, which could
lead to a unicode-based local buffer overflow.
Invalid parameter passed to C runtime function.
~~~~~~~~
2012-02-03 informed vendor
2012-02-03 vendor replies:
"The registry key and DLL are part of the Windows embedded
software package and their existence is expected."
.oO(OUCH! they must be joking...)
2012-02-04 informed vendor that SSOEXEC.DLL is NOT part of any Windows
found that the /Datapath argument can be included and directed to a remote SMB
share directly through a specially crafted Skype URI.
The Datapath argument specifies the location of the Skype configuration files and
security policy. Specifying a Datapath argument will override any local security
policy defined in the Windows registry.
A remote user is capable of crafting a link that, when clicked, will spawn
Skype.exe on a client using a Datapath location which is present on a remote
SMB share. The Skype client will load any configuration or security policy
present there and save the user's Skype account information to the remote share.
_______________
OneNote is included as part of Office 2007, and provides an easy
way to store, manage, and share information.
OneNote installs a URL Handler under the registry key
HKEY_CLASSES_ROOT\OneNote
with an open command specified as
C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE /hyperlink "%1"
W2003 R2 (german, SP2) IE7, Adobe Reader 8.1
W2003 R2 with Citrix on top, IE7, Adobe Reader 8.1
This is also true for Terminal-Sessions.
Editing of the registry key as advised by Adobe works like advertised,
you just get an error message.
--
BYE Andreas
>
> after weeks of total ignorance by Microsoft I decided to finally
> release all information
> related to a bug, that has to do with the Windows XP SP2 Taskmanager.
> Manipulating
> a Registry key makes it possible to disable the Taskmgr. On the next
> startup it will crash with
> an error message. It is possible to backup the key and repair the
> Registry doing so, but
> the attack scenario is clear: A virus uses this code, the user can't
> open the Taskmgr anymore
This particular control also has an additional prompt inquiring whether
or not the user wishes to allow an "Endpoint Analysis" scan. The options
presented are "Yes", "No", and "Always Allow". Clicking "Yes" or "Always
Allow" can lead to exploitation. Clicking "No" can not result in
exploitation. Also, clicking "Always Allow" will create a registry key
enabling automatic scanning for all future uses of the control.
IV. DETECTION
The following versions of Citrix Access Gateway Enterprise Edition are
life easier for the busy administrator. IMail Server also delivers a quick and easy installation or upgrade
process."
0x02 : Vulnerability Details
1. By default, IMail grants the Internet Guest Account "Full Control" over the following registry key,
including its subkeys and values, as well as over the default IMail directory:
HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail
C:\Program Files\Ipswitch\IMail\
2. The IMail password decryption algorithm implemented in IMailsec.dll is also reversible.