registry keys
HMODULE g_hmMSHTML;
STDAPI DllUnregisterServer()
{
HKEY hkey, hkey2, hkey3;
if ( RegOpenKeyW( HKEY_LOCAL_MACHINE, L"SOFTWARE\\"
L"Classes\\CLSID", &hkey ) == ERROR_SUCCESS )
{
if ( RegOpenKeyW( hkey, IEBSFIX1_CLSID_W,
POC:
#include <windows.h>
typedef BOOL (WINAPI *INIT_REG_ENGINE)();
typedef LONG (WINAPI *BREG_DELETE_KEY)(HKEY hKey, LPCSTR lpSubKey);
typedef LONG (WINAPI *BREG_OPEN_KEY)(HKEY hKey, LPCSTR lpSubKey, PHKEY phkResult);
typedef LONG (WINAPI *BREG_CLOSE_KEY)(HKEY hKey);
typedef LONG (WINAPI *REG_SET_VALUE_EX)(HKEY hKey, LPCSTR lpValueName, DWORD Reserved, DWORD dwType, const BYTE* lpData, DWORD cbData);
BREG_DELETE_KEY BRegDeleteKey = NULL;
2) Then use the following 'brute-force' method to delete the "Run" key.
ZoneAlarm 'locks' "ZoneAlarm Client" (zclient.exe), which ultimately controls
& depends on "vsdatant.sys".
NOTE: There is a '-' prepended to [HKEY...]; this is intentional. In a .reg
file a leading '-' inside the brackets tells regedit to delete that key (and
everything under it) instead of creating it. You need to create a registry
file (.reg) with the following entries and execute it.
NOTE: Creating & executing the following registry file (.reg) may cause
ZoneAlarm to panic; if so you may (or may not) see your ping replies.
The default AX control installation path is
C:\Program Files\Hewlett-Packard\HP Info Center
The control exposes three potentially insecure methods:
VARIANT GetRegValue(String sHKey, String sectionName, String keyName);
void SetRegValue(String sHKey, String sSectionName, String sKeyName, String sValue);
void LaunchApp(String appPath, String params, int cmdShow);
The first and second methods are used by the HP update and configuration software
for remote registry read and write access. To access a chosen registry key, one must split its path
Office 2003:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock]
"HTMLFiles"=dword:00000001
Office 2007:
Windows Registry Editor Version 5.00
printf("KSWebShield KAVSafe.sys <= 2010,04,14,609\n"
       "Kernel Mode Privilege Escalation Vulnerability Proof-of-Concept\n"
       "2010-5-23\n"
       "By Lincoin \n\nPress Enter");
HKEY hkey;
WCHAR InstallPath[MAX_PATH];
DWORD datatype;
DWORD datasize = MAX_PATH * sizeof(WCHAR);
ULONG oldlen;
PVOID pOldBufferData = NULL;
1. If HP Software Update is reinstalled using the recovery solution, the procedure above must be repeated.
2. On a PC where HP Software Update is present, the procedure above must be followed even if HP Software Update is never used.
3. This resolution applies the Windows Registry kill bit to the following CLSIDs:
{60178279-6D62-43af-A336-77925651A4C6}
{DC4F9DA0-DB05-4BB0-8FB2-03A80FE98772}
{0C378864-D5C4-4D9C-854C-432E3BEC9CCB}
{93441C07-E57E-4086-B912-F323D741A9D8}
for these controls:
+--------------------------------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0C3874AA-AB39-4B5E-A768-45F3CE6C6819}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E97EE6EB-7FBE-43B1-B6D8-C4D86C78C5A0}]
for this control:
+--------------------------------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6CCE3920-3183-4B3D-808A-B12EB769DE12}]
"Compatibility Flags"=dword:00000400
+--------------------------------------
More information about how to set the kill bit is available in Microsoft
Disabling the 'VMnc' codec will prevent exploitation. In order to do so,
import the 'disable-vmnc-codec.reg' registry file as follows.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"VIDC.VMnc"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"VIDC.VMnc"=-
with the following .reg file. This will prevent the control from
loading within Internet Explorer.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E9880553-B8A7-4960-A668-95C68BED571E}]
"Compatibility Flags"=dword:00000400
VI. VENDOR RESPONSE
with the following .reg file. This will prevent the control from
loading within Internet Explorer.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{53D40FAA-4E21-459f-AA87-E4D97FC3245A}]
"Compatibility Flags"=dword:00000400
VI. VENDOR RESPONSE
for these controls:
+--------------------------------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1E57C6C4-B069-11D3-8D43-00104B138C8C}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{45E66957-2932-432A-A156-31503DF0A681}]
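The .reg fragments above rely on three pieces of regedit syntax: a "Compatibility Flags" dword with bit 0x400 set (the ActiveX kill bit), "name"=- to delete a single value (as for VIDC.VMnc), and a leading '-' inside the brackets to delete a whole key (as in the ZoneAlarm note). What follows is an added example, not code from any advisory on this page: a small Python interpreter that applies a .reg file to an in-memory model of the registry, so a mitigation file can be dry-run and its effect checked before it is imported on a real machine. It never touches the live registry. Both .reg texts are constructed for the example (the ActiveX Compatibility path and the first kill-bit CLSID are the ones from the fragments above; the Example keys are invented), and only string, dword and plain hex: values are understood.

```python
import re

KILL_BIT = 0x400  # bit in "Compatibility Flags" that stops IE loading the control
ACTIVEX_COMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
# "name"=value or @=value (the key's default value); names may contain \" escapes
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _norm(path):  # key paths and value names are case-insensitive
    return path.strip().rstrip("\\").lower()


def _logical_lines(text):
    """Join lines ending in a backslash (continuation of long hex: values)."""
    buf = ""
    for line in text.splitlines():
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield (buf + line).strip()
        buf = ""


def parse_value(raw):
    """Decode the right-hand side of a value line; None means 'delete this value'."""
    raw = raw.strip()
    if raw == "-":
        return None
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if raw.lower().startswith("hex:"):  # plain REG_BINARY only; hex(N): is not handled
        return bytes(int(b, 16) for b in raw[4:].replace(" ", "").split(",") if b)
    raise ValueError("unsupported value syntax: %r" % raw)


def apply_reg(text, registry=None):
    """Apply a .reg file to registry ({key path: {value name: value}}) and return it."""
    reg = {} if registry is None else registry
    current = None
    for line in _logical_lines(text):
        if not line or line[0] == ";" or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line[0] == "[" and line[-1] == "]":
            path = line[1:-1]
            if path.startswith("-"):  # [-KEY]: delete the key and its whole subtree
                target = _norm(path[1:])
                for k in [k for k in reg if k == target or k.startswith(target + "\\")]:
                    del reg[k]
                current = None
            else:                     # [KEY]: create if missing and select it
                current = _norm(path)
                reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError("malformed line: %r" % line)
        name = (m.group(1) or "").replace('\\"', '"').lower()  # "" is the default value
        value = parse_value(m.group(2))
        if value is None:             # "name"=- : delete just this value
            reg[current].pop(name, None)
        else:
            reg[current][name] = value
    return reg


def key_exists(reg, key): return _norm(key) in reg
def get_value(reg, key, name): return reg.get(_norm(key), {}).get(name.lower())


def killbit_set(reg, clsid):
    """True when the control's Compatibility Flags carry the 0x400 kill bit."""
    flags = get_value(reg, ACTIVEX_COMPAT + "\\" + clsid, "Compatibility Flags")
    return isinstance(flags, int) and bool(flags & KILL_BIT)


# Constructed starting state: VMnc codec registered, a Run key with a subkey, a
# similarly named sibling that must survive, and a handler with a split hex value.
BASELINE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"VIDC.VMnc"="vmnc.dll"
[HKEY_CURRENT_USER\Software\Example\Run]
"Updater"="C:\\Example\\updater.exe"
[HKEY_CURRENT_USER\Software\Example\Run\Sub]
[HKEY_CURRENT_USER\Software\Example\Runner]
[HKEY_CLASSES_ROOT\Example.Url.mailto]
@="Example URL"
"EditFlags"=hex:02,00,\
  00,00
"URL Protocol"=""
'''

# Constructed mitigation file exercising the three syntaxes used on this page.
MITIGATION_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0C3874AA-AB39-4B5E-A768-45F3CE6C6819}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"VIDC.VMnc"=-
[-HKEY_CURRENT_USER\Software\Example\Run]
'''

if __name__ == "__main__":
    reg = apply_reg(MITIGATION_REG, apply_reg(BASELINE_REG))
    print("kill bit set:", killbit_set(reg, "{0C3874AA-AB39-4B5E-A768-45F3CE6C6819}"))
```

To dry-run against a real machine, export the keys of interest first (regedit /e export.reg KEY writes them as a .reg file, in UTF-16, so open it with encoding="utf-16"), load that as the baseline and apply the mitigation file on top. Note that real exports contain hex(2): and hex(7): values (expandable and multi-strings), which this minimal parser rejects with ValueError rather than silently mis-decoding; extend parse_value before relying on it for full hives.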
.text:6DAA3D96 var_263 = byte ptr -263h
.text:6DAA3D96 ApplicationName = byte ptr -160h
.text:6DAA3D96 StartupInfo = _STARTUPINFOA ptr -5Ch
.text:6DAA3D96 ProcessInformation = _PROCESS_INFORMATION ptr -18h
.text:6DAA3D96 cbData = dword ptr -8
.text:6DAA3D96 hKey = dword ptr -4
.text:6DAA3D96 arg_0 = dword ptr 8
.text:6DAA3D96 arg_4 = dword ptr 0Ch
.text:6DAA3D96
.text:6DAA3D96 push ebp
.text:6DAA3D97 mov ebp, esp
privileges are required to exploit the flaw.
A malicious attacker can take advantage of these flaws to elevate
privileges in the following ways:
1. Creating, reading or writing arbitrary registry keys.
2. Overwriting arbitrary kernel addresses.
:: Files affected
V. WORKAROUND
Deleting all sub-keys of the following registry keys will remove the
'news' and 'snews' protocol handlers:
HKEY_CLASSES_ROOT\news\shell
HKEY_CLASSES_ROOT\snews\shell
These keys may be restored under some circumstances. To prevent this
from occurring, set the 'Deny Full Control' permission for the group
'Everyone' on the keys.
> V. WORKAROUND
>
> Deleting all sub-keys of the following registry keys will remove the
> 'news' and 'snews' protocol handlers:
>
> HKEY_CLASSES_ROOT\news\shell
> HKEY_CLASSES_ROOT\snews\shell
If you want to do a thorough job of such mitigation as a Q&D fix, you
may also need to nuke the
https://www.rooms.hp.com
HP Virtual Rooms client v7.0.1 can be installed by using the "Test your setup" link at https://www.rooms.hp.com . Select "Test your setup" from the right navigation bar and follow the instructions.
Note: Installing this new release also applies the Windows registry 'kill bit' for CLSID {00000032-9593-4264-8B29-930B3E4EDCCD}. The kill bit is explained in Microsoft article KB240797 or subsequent: http://support.microsoft.com/kb/240797 .
To completely remove HP Virtual rooms (HPVR) from your system:
Use the HPVR Cleaner to remove HP Virtual Rooms from your system. The HPVR Cleaner removes all HPVR executables and clears all registry entries, without the need to install the new version. Follow the instructions under "Removing HPVR components" here: https://www.rooms.hp.com/resources/ .
PRODUCT SPECIFIC INFORMATION
===============
1) Introduction
===============
Pegasus Mail (PMail) is suitable for single or multiple users on stand-alone computers and for internal and Internet mail on local area networks. Pegasus Mail has minimal system requirements compared with competing products, for instance the installed program (excluding mailboxes) for version 4.51 requires only around 13.5 MB of hard drive space. Since Pegasus Mail does not make changes to the Windows registry or the system directory, it is suitable as a portable application for USB drives. Language packs are available for languages other than English.
Some commentators have described Pegasus Mail as convoluted and cumbersome to configure, whereas others value Pegasus Mail for the features it offers. A key feature of Pegasus Mail is that it does not use the HTML layout engine that is installed with every Microsoft operating system since 1997: The ubiquity of the Microsoft engine, which is used not only by all Microsoft products but by numerous 3rd party products as well, makes it a frequent target of malware such as Melissa and ILOVEYOU. Mail clients such as Pegasus Mail that have their own HTML rendering engine are inherently immune to these security exploits. Pegasus Mail will also not execute automation commands (for example ActiveX or JavaScript) embedded in an e-mail, further reducing the chances of a security breach.
(from Wikipedia)
Google Chrome 2.0.172.43
vulnerability:
through the vulnerable, deprecated googleapps.url.mailto:// URI handler, registered as follows:
[HKEY_CLASSES_ROOT\GoogleApps.Url.mailto]
@="Google Apps URL"
"EditFlags"=hex:02,00,00,00
"FriendlyTypeName"="Google Apps URL"
"URL Protocol"=""
found that the /Datapath argument can be included and directed to a remote SMB
share directly through a specially crafted Skype URI.
The Datapath argument specifies the location of the Skype configuration files and
security policy. Specifying a Datapath argument overrides any local security
policy defined in the Windows registry.
A remote user is capable of crafting a link that, when clicked, spawns
Skype.exe on a client using a Datapath location present on a remote
SMB share. The Skype client will load any configuration or security policy
present there, and save the user's Skype account information to the remote share.
On 2010-03-08 Andrew Barkley wrote:
> The following illustrates how one can easily disable ZoneAlarm's
> security for whatever malevolent purposes. This "vector" so to speak,
> is merely "abusing" a particular branch of the Windows registry, by
> registering this security service as disabled. When "exploiting" this
> "vector" (administrative privileges are assumed
Anything starting with "a user with administrative privileges can ..."
is neither a vulnerability nor a design flaw. Administrators can by
design do anything they want on the system. Period.