A previously unknown bug in Microsoft Windows would allow an attacker to spoof Windows dialog boxes that surface when making changes to the Windows registry. This would allow an adversary to plant malware or make other nefarious changes in the registry while getting around Windows’ built-in defenses, according to a researcher.
Normally when there is a change to the registry using a .reg file, a registry security warning dialog box will open, with an “are you sure you want to continue?” message and the option to click either “Yes” or “No.” According to white-hat researcher John Page (a.k.a. hyp3rlinx), it’s possible to edit what the dialog box says, to trick users into clicking “Yes.” For instance, an edited security prompt can tell them to click “Yes” to abort if they do not trust the source of the file. In reality, “Yes” clears the process to continue.
“This can potentially trick unsavvy users into choosing the wrong selection shown on the dialog box,” Page explained in a write up Monday on the issue, adding that he created a proof-of-concept (POC) showing how to use the attack to plant a persistent remote code-execution backdoor onto a target computer.
For its part, Microsoft said that it would not be issuing a patch.
“The issue submitted does not meet the severity bar for servicing via a security update,” Jeff Jones, senior director at Microsoft, told Threatpost in an email.
“When a dangerous file type like .reg file can have its default security warnings and dialog behavior tampered with, this is to me a vulnerability and potential attack vector,” countered Page, speaking to Threatpost.
A Word on Windows Registry
The Windows registry is essentially a database repository that logs software and application configuration information, device drivers for hardware and other system information. It also logs any changes made to these.
“During the usage of the software or the hardware, the changes made to these configurations are updated in the registry,” according to Comodo. “Also, the changes made to Control Panel settings, file associations, Windows components and so on, during the use of the computer, are updated in the registry.”
It added, “The registry also serves as an index to the operation of the kernel, revealing run-time information of the system.”
As such, the registry is a critical factor for stability, reliability and performance of a computer, which makes it an attractive target for cybercriminals. As security firm Red Canary explained in a primer, “Since it is so ingrained into the operating start system, it’s a prime target for attacks and getting around standard security controls.”
Common attack vectors according to Red Canary include the use of registry keys to store and hide next-step code for malware after it has been dropped on a system. “Furthermore, the malware uses native Windows tools to perform its commands, so it is undetectable by signature-based security software such as antivirus,” the firm said.
Adversaries can also use program run keys and the Windows startup folder in order to create persistence on a victim endpoint; and, if the registry keys for a service are modified, “the ImagePath or binPath key can be modified to instead point to a malicious binary or a newly created one.” Not only does this allow for the malware to launch at Windows startup, but it can then be run under a local system account with elevated privileges.
Changes to the registry that would open the door to such attacks typically trigger a warning dialog box alerting the user that changes are being made – and they would need to click “yes” or “no” to allow the action to continue.
The Attack
Registration files used by the Windows registry can be created from scratch by a user in the registry’s text editor; the issue is that Page uncovered that specially crafted .reg filenames can be created and used to spoof the default registry dialog warning box, “potentially making a user think they are canceling the registry import, as the security warning dialog box is now lying to them.”
As he told Threatpost. “I was able to spoof the Windows registry dialog box security warning messages displayed to the user by creating a .reg file, using certain encoded characters %n %1 %0 along with my message within the filename itself, e.g. ‘Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg. This enabled me to override the dialog warnings with my own instructions, basically telling the user to click ‘Yes’ instead of ‘No’ if they do not trust the file, making them think it will be cancelled when they click ‘Yes’.”
Furthermore, Page found that on Windows 10, it’s possible to hide the fact that the attack was successful.
“Normally when you import a .reg file, Windows will show another dialog giving you a ‘successful’ import message,” Page told Threatpost. “However, creating a (null) byte, in this case a ‘%1’ at the end of the injected message in the filename, prevents the dialog from appearing. Therefore, if the user clicks ‘Yes’ as instructed by our spoofed message in the first dialog box, it will do the registry import (but the user may think it aborted safely). The importance of suppressing that second dialog is the user will never be tipped off that anything happened as no secondary dialog box appeared which may have given more suspicions.”
The combination of the spoofed dialog box and the suppression of the secondary “successful import” message makes this a viable attack vector for delivering malware to Windows 10 machines, he said. In the proof-of-concept (video here), Page shows what can be done with an exploit; he was able to use the attack to add a persistent remote code execution backdoor.
The POC involves adding a registry entry to the “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe” file. When a user clicks opens the file, it executes a “persistent rundll32 payload targeting IE that references a JScript XML-based file on our remote server,” Page explained – and meanwhile, the security alert dialog boxes are spoofed and suppressed, so the user is none the wiser. In the POC, that XML file will execute whenever Microsoft Internet Explorer is launched.
“Just like malware that uses Run keys to achieve persistence in the registry by writing to it, we are doing the same thing here,” he said.
Windows UAC Interaction
When targeting users with administrative privileges, one potential hurdle for an adversary lies in the User Account Control (UAC) defense in Windows.
“When opening a Windows .reg file, UAC will launch, asking the user if they want to allow the program to make changes to their computer,” Page told Threatpost. “This is like the first line of defense and requires the user to click through it, unless for some reason UAC has been turned off. So, Windows UAC helps to prevent unauthorized changes to the system.”
It’s only once an administrative user has clicked “yes” to allow a program to make changes to the computer that the spoofable registry dialog box comes up. To be successful, an adversary would need to bypass this with a separate exploit or convince the user to click “yes” using a social-engineering tactic.
For non-admin “standard users” however, HKCU registry settings can still be hijacked without this obstacle.
“No UAC will launch when targeting a non-administrator user, so this will hijack a current users registry settings without UAC getting in the way, meaning the user will have not have to click thru UAC,” Page told Threatpost. “UAC is only a problem when targeting users running with administrator privileges.”
In this scenario, the registry .reg file script HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Test] “POC”=”666” will write to the current user’s registry settings, with no UAC interaction required if targeting a standard non-privileged user.
Because the attack can require user interaction, Microsoft told Threatpost that the main mitigation for this particular issue and other social-engineering techniques is for customers to practice safe computing habits online by not clicking on links, opening files or accepting file transfers from untrusted sources.