A previously unknown bug in Microsoft Windows would allow an attacker to spoof the Windows dialog boxes that appear when changes are imported into the Windows registry from a .reg file. This would allow an adversary to plant malware or make other nefarious changes in the registry while getting around Windows’ built-in defenses, according to a researcher.
Normally, when the registry is changed by importing a .reg file, a registry security warning dialog box opens with an “are you sure you want to continue?” message and the option to click either “Yes” or “No.” According to white-hat researcher John Page (a.k.a. hyp3rlinx), it is possible to inject attacker-chosen text into that dialog’s message, for instance instructions telling the user to click “Yes” in order to cancel. So, when a user clicks “Yes” believing they are declining, the system actually receives a “yes” response and performs the import.
“This can potentially trick unsavvy users into choosing the wrong selection shown on the dialog box,” Page explained in a write-up published Monday on the issue, adding that he created a proof-of-concept (POC) showing how to use the attack to plant a persistent remote code-execution backdoor onto a target computer.
For its part, Microsoft said that it would not be issuing a patch.
“The issue submitted does not meet the severity bar for servicing via a security update,” Jeff Jones, senior director at Microsoft, told Threatpost in an email.
“When a dangerous file type like .reg file can have its default security warnings and dialog behavior tampered with, this is to me a vulnerability and potential attack vector,” countered Page, speaking to Threatpost.
A Word on the Windows Registry
The Windows registry is a hierarchical database that stores configuration settings for the operating system, installed software, hardware device drivers and user profiles. Those settings are updated in place as the system and its applications change them.
“During the usage of the software or the hardware, the changes made to these configurations are updated in the registry,” according to Comodo. “Also, the changes made to Control Panel settings, file associations, Windows components and so on, during the use of the computer, are updated in the registry.”
It added, “The registry also serves as an index to the operation of the kernel, revealing run-time information of the system.”
As such, the registry is critical to the stability, reliability and performance of a computer, which makes it an attractive target for cybercriminals. As security firm Red Canary explained in a primer, “Since it is so ingrained into the operating system, it’s a prime target for attacks and getting around standard security controls.”
Common attack vectors according to Red Canary include the use of registry keys to store and hide next-step code for malware after it has been dropped on a system. “Furthermore, the malware uses native Windows tools to perform its commands, so it is undetectable by signature-based security software such as antivirus,” the firm said.
Adversaries can also use Run keys and the Windows Startup folder to establish persistence on a victim endpoint; and, if the registry keys for a service are modified, “the ImagePath or binPath key can be modified to instead point to a malicious binary or a newly created one.” Not only does this allow the malware to launch at Windows startup, but it can then run under the LocalSystem account with elevated privileges.
When such changes are imported from a .reg file, Windows displays a warning dialog box alerting the user that changes are about to be made, and the user must click “Yes” or “No” to allow or abort the action.
“When opening a Windows .reg file, User Account Control (UAC) will launch, asking the user if they want to allow the program to make changes to their computer,” Page told Threatpost. “This is like the first line of defense and requires the user to click through it, unless for some reason UAC has been turned off. So, Windows UAC helps to prevent unauthorized changes to the system.”
Page’s bug, however, lets attackers get around this, he said.
The Attack
Registration (.reg) files are plain text, so a user can write one from scratch in any text editor or export one from Registry Editor. The issue Page uncovered is that a specially crafted .reg filename can be used to spoof the default registry warning dialog box, “potentially making a user think they are canceling the registry import, as the security warning dialog box is now lying to them.”
As he told Threatpost: “I was able to spoof the Windows registry dialog box security warning messages displayed to the user by creating a .reg file, using certain encoded characters %n %1 %0 along with my message within the filename itself, e.g. ‘Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg’. This enabled me to override the dialog warnings with my own instructions, basically telling the user to click ‘Yes’ instead of ‘No’ if they do not trust the file, making them think it will be cancelled when they click ‘Yes’.”
Furthermore, Page found that on Windows 10, it’s possible to hide the fact that the attack was successful.
“Normally when you import a .reg file, Windows will show another dialog giving you a ‘successful’ import message,” Page told Threatpost. “However, creating a (null) byte, in this case a ‘%1’ at the end of the injected message in the filename, prevents the dialog from appearing. Therefore, if the user clicks ‘Yes’ as instructed by our spoofed message in the first dialog box, it will do the registry import (but the user may think it aborted safely). The importance of suppressing that second dialog is the user will never be tipped off that anything happened as no secondary dialog box appeared which may have given more suspicions.”
The combination of the spoofed dialog box and the suppression of the secondary “successful import” message makes this a viable vector for delivering malware to Windows 10 machines, he said. In the proof-of-concept video, Page shows what can be done with an exploit: he used the attack to add a persistent remote code-execution backdoor as the final step of a social-engineering effort (a user would first need to be convinced to click on a malicious link, accept a malicious file transfer or open a malicious email attachment to start the chain of attack).
The POC adds an entry under the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe”. When a user imports the file, it installs a “persistent rundll32 payload targeting IE that references a JScript XML-based file on our remote server,” Page explained, while the security alert dialog boxes are spoofed and suppressed, so the user is none the wiser. In the POC, that remote file is executed whenever Microsoft Internet Explorer is launched.
“Just like malware that uses Run keys to achieve persistence in the registry by writing to it, we are doing the same thing here,” he said.
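As an added illustration (this is not Page’s proof-of-concept and not code from Threatpost or Microsoft), the following Python script triages a .reg file before it is imported. It applies two checks drawn from the attack described above: the filename is flagged if it carries the percent-escapes used to inject text into the import dialog, and the file’s content is parsed for values written to the persistence locations named earlier (Run keys, the IFEO Debugger value, a service’s ImagePath). The sample .reg text and its C:\Users\Public paths are constructed for the example, and the list of escape tokens treated as hostile is our assumption, not a Microsoft specification.

```python
import re
from dataclasses import dataclass

# ---- Check 1: the filename -----------------------------------------------
# The spoofed name quoted in the article injects text into the import warning
# via percent-escapes: %n, %1 and %0 as control/terminator bytes, %b as a
# blank, and %<letter> to smuggle the message itself. Assumption (ours, not
# Microsoft's): any of these marks a .reg filename as hostile, since regedit
# exports never contain them.
INJECTION_TOKENS = re.compile(r"%[nb10]", re.IGNORECASE)
ESCAPED_LETTER = re.compile(r"%[a-z]", re.IGNORECASE)

# The filename Page quoted to Threatpost.
SPOOFED_NAME_FROM_ARTICLE = (
    "Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"
)


def filename_is_suspicious(name: str) -> bool:
    """True if a .reg filename carries dialog-injection escapes."""
    if not name.lower().endswith(".reg"):
        return False  # not a registry import; out of scope for this check
    if INJECTION_TOKENS.search(name):
        return True
    return len(ESCAPED_LETTER.findall(name)) >= 3


# ---- Check 2: the content --------------------------------------------------
@dataclass
class Finding:
    key: str
    value: str
    data: str
    label: str


# (key-path pattern, value-name pattern or None for any value, label):
# the three persistence locations discussed in the article.
PERSISTENCE_RULES = [
    (re.compile(r"\\CurrentVersion\\Image File Execution Options\\[^\\]+$", re.I),
     re.compile(r"^Debugger$", re.I), "IFEO Debugger hijack"),
    (re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.I),
     None, "Run key autostart"),
    (re.compile(r"\\Services\\[^\\]+$", re.I),
     re.compile(r"^ImagePath$", re.I), "service ImagePath redirection"),
]

KEY_LINE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _logical_lines(text: str):
    """Join regedit's backslash continuation lines (used for long hex data)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def _decode_data(data: str) -> str:
    """Render the right-hand side of a value line as readable text."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", data, re.I)
    if m:
        kind = int(m.group(1) or 3)  # bare "hex:" is REG_BINARY (type 3)
        raw = bytes(int(b.strip(), 16) for b in m.group(2).split(",") if b.strip())
        if kind in (2, 7):  # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE text
            return raw.decode("utf-16-le").rstrip("\x00").replace("\x00", " | ")
        return raw.hex()
    return data  # dword:..., "-" (delete value), anything else verbatim


def scan_reg_text(text: str) -> list:
    """Return a Finding for every value written to a persistence location."""
    findings = []
    key = None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.upper().startswith(
                ("WINDOWS REGISTRY EDITOR", "REGEDIT4")):
            continue
        m = KEY_LINE.match(line)
        if m:
            key = None if m.group(1) else m.group(2)  # "[-HKEY...]" deletes a key; nothing written
            continue
        m = VALUE_LINE.match(line)
        if not (m and key):
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = _decode_data(m.group(2))
        for key_re, name_re, label in PERSISTENCE_RULES:
            if key_re.search(key) and (name_re is None or name_re.match(name)):
                findings.append(Finding(key, name, data, label))
    return findings


SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; Constructed sample (not a real capture): one benign key followed by the
; three persistence locations discussed in the article. The C:\Users\Public
; paths are placeholders standing in for a payload.

[HKEY_CURRENT_USER\Software\ExampleApp]
"Theme"="dark"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="rundll32.exe C:\\Users\\Public\\payload.dll,Start"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Users\\Public\\updater.exe\" /quiet"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"ImagePath"=hex(2):43,00,3a,00,5c,00,65,00,76,00,69,00,6c,00,2e,00,65,00,78,\
  00,65,00,00,00
"""

if __name__ == "__main__":
    print("filename suspicious:", filename_is_suspicious(SPOOFED_NAME_FROM_ARTICLE))
    for f in scan_reg_text(SAMPLE_REG):
        print(f"[{f.label}] {f.key}\n    {f.value} = {f.data}")
```

Run against the constructed sample, the script flags the spoofed filename and reports three findings (the IFEO Debugger value for iexplore.exe, the Run-key entry and the redirected service ImagePath) while ignoring the benign ExampleApp key. Because the .reg format is plain text, this kind of triage can run on a mail gateway or file share before a user ever sees the import dialog that the attack relies on.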
Because the attack requires user interaction, Microsoft told Threatpost that the main mitigation for the issue and other social-engineering techniques is for customers to practice safe computing habits online by not clicking on links, opening files or accepting file transfers from untrusted sources.