The NtLoadKeyEx system call allows an unprivileged user to load registry hives outside of the \Registry\A hidden attachment point which can be used to elevate privileges.
8d30ef721f9061806e06019063b62bba9b734dca044a593c1486cd66752e5a4cPoShFoTo is the PowerShell Forensics Toolkit, which contains a dozen PowerShell tools that allow you to do basic incident response and malware forensics. It includes Hex Dumper, Registry timeline generator, File timeline generator, and PE-block analyzer.
2516e4a082ce0e53db6d6ba8ddfba777505de06d31bfefcccdabcff2c0057a2biOS / OS X suffer from a kernel double free due to lack of locking in Iokit registry iterator manipulation.
8165a567612f28c0b556478f27c6f67dcb0caeb69b674c8e9e622681a9e157deAvira Registry Cleaner suffers from a local DLL hijacking vulnerability.
25dbcc7db394b17559de2ca3d0756be3cb74f12b5d2bde975cdaeb1e15c10f9dThe SySS GmbH found out that the admin password for protecting different functions of the Kaspersky Endpoint Security software, like managing backups or stopping protection services, is stored as raw, unsalted MD5 hash value in the Windows registry.
8a7c74b5cbb75ec15cb0f9a3938c69c29a10c97069f7ba7e4871500310fbc21cThe SySS GmbH found out that the administrator password for protecting different functions of the Kaspersky Anti-Virus software, like managing backups or stopping protection services, is stored as raw, unsalted MD5 hash value in the Windows registry.
ea3ba68c2445280d74bd945ec27706a66dc51e94a333bf175519fd2093dc8a5eThe SySS GmbH found out that the administrator password for protecting different functions of the Kaspersky Internet Security software, like managing backups or stopping protection services, is stored as raw, unsalted MD5 hash value in the Windows registry.
1de91bfb49d3f0e7cd83b46395378df631ea2882433f6e879dd0b109e920970eThe SySS GmbH found out that the administrator password for protecting different functions of the Kaspersky Total Security software, like managing backups or stopping protection services, is stored as raw, unsalted MD5 hash value in the Windows registry.
bb0133dfea19da32e1adc63779e910d52d60547b085a50a1b291be2d89764758The SySS GmbH found out that the administrator password for protecting different functions of the Kaspersky Small Office Security software, like managing backups or stopping protection services, is stored as raw, unsalted MD5 hash value in the Windows registry.
f9313aec301a7c3586f846924c4e87db8f5ea73a5ca80b220b990f5e9dca66c1This Metasploit module will install a payload that is executed during boot. It will be executed either at user logon or system startup via the registry value in "CurrentVersion\Run" (depending on privilege and selected method). The payload will be installed completely in registry.
41b0703a3928a8e079eb9c171583927b24819f1a2a9c5312653c3ebbad79ef30Red Hat Security Advisory 2015-1378-01 - Hivex is a library that can read and write Hive files, undocumented binary files that Windows uses to store the Windows Registry on disk. It was found that hivex attempted to read, and possibly write, beyond its allocated buffer when reading a hive file with a very small size or with a truncated or improperly formatted content. An attacker able to supply a specially crafted hive file to an application using the hivex library could possibly use this flaw to execute arbitrary code with the privileges of the user running that application.
9552a6c10dede58389b8ba49d93ef7d423a3f82b55153cec2c5d658997e970c4Red Hat Security Advisory 2015-0776-01 - Docker is a service providing container management on Linux. It was found that the fix for the CVE-2014-5277 issue was incomplete: the docker client could under certain circumstances erroneously fall back to HTTP when an HTTPS connection to a registry failed. This could allow a man-in-the-middle attacker to obtain authentication and image data from traffic sent from a client to the registry.
b89975366ee6328c10cdb0972ba6d35579d720825039dd0de3a5990c71892d7aRed Hat Security Advisory 2015-0301-02 - Hive files are undocumented binary files that Windows uses to store the Windows Registry on disk. Hivex is a library that can read and write to these files. It was found that hivex attempted to read beyond its allocated buffer when reading a hive file with a very small size or with a truncated or improperly formatted content. An attacker able to supply a specially crafted hive file to an application using the hivex library could possibly use this flaw to execute arbitrary code with the privileges of the user running that application.
d157985ac9e363a8bd82e75b100d91389201d883c15abd52ef4ed5c3ae2130abEMC Replication Manager and EMC AppSync may contain unquoted entries in the Windows registry service path that could potentially be exploited by an attacker to execute malicious programs. EMC Replication Manager versions prior to 5.5.2 and EMC AppSync versions prior to 2.1.0 are affected.
085263f786a21f962439f7e0b2485d5c2b8b4c228b270b346a074cd80a39f6bdThis Metasploit module exploits a vulnerability in Internet Explorer Sandbox which allows to escape the Enhanced Protected Mode and execute code with Medium Integrity. The vulnerability exists in the IESetProtectedModeRegKeyOnly function from the ieframe.dll component, which can be abused to force medium integrity IE to user influenced keys. By using registry symlinks it's possible force IE to add a policy entry in the registry and finally bypass Enhanced Protected Mode.
c9f9dc448204fe8efbcb3d05352d9e8dff208d0ff120536098d4e6f8b8305895CyberLink Power2Go Essential version 9.0.1002.0 suffers from a registry SEH/unicode buffer overflow vulnerability.
c4ad3ea0e0cf296b67878e6a6773f715ce52a1c11772efc0549219c883df125aRed Hat Security Advisory 2013-1525-01 - The openstack-glance packages provide a service that acts as a registry for virtual machine images. A flaw was found in the Glance download_image policy enforcement for cached system images. When an image was previously cached by an authorized download, any authenticated user able to determine the image by its UUID could download that image, bypassing the download_image policy. Only setups making use of the download_image policy were affected.
e0eb3f673d25b971dfa5e7bcb73d6d651ce3b1ffe95cdbb2b5cf1de8b7715300Red Hat Security Advisory 2013-0707-01 - These packages provide a service that acts as a registry for virtual machine images. An information leak flaw was found in the way Glance handled certain image requests. If caching were enabled, an authenticated user could use this flaw to obtain Glance's OpenStack Swift or Amazon Simple Storage Service credentials.
2b698bc3e63409f41d1caff8f398b1d32d1e55bb16d419834831e807857a9d21Red Hat Security Advisory 2013-0209-01 - These packages provide a service that acts as a registry for virtual machine images. It was found that when the OpenStack Glance front-end communicated with an OpenStack Swift endpoint, the operator credentials could be logged in plain text when certain errors occurred during new image creation. An authenticated user could use this flaw to gain administrative access to an OpenStack Swift endpoint. This issue was discovered by Dan Prince of Red Hat.
ba4d3ac81d1773f1bd03e0efea6e41920e0db7f02055379d11726b0c89f6dae9This Metasploit module checks the AlwaysInstallElevated registry keys which dictate if .MSI files should be installed with elevated privileges (NT AUTHORITY\SYSTEM). The default MSI file is data/exploits/exec_payload.msi with the WiX source file under external/source/exploits/exec_payload_msi/exec_payload.wxs. This MSI simply executes payload.exe within the same folder. The MSI may not execute successfully successive times, but may be able to get around this by regenerating the MSI. MSI can be rebuilt from the source using the WIX tool with the following commands: candle exec_payload.wxs light exec_payload.wixobj.
c7e98f972baf436cdfffebb9e430a37c5fe6f420bfd185f513efaf7d19a631e2Zoner Photo Studio version 15 build 3 (Zps.exe) registry value parsing local buffer overflow exploit.
c53242a37889f34cff9f519a6c111241471f745688fa36be001c3be8eb171446Radiography is a forensic tool which grabs as much information as possible from a Windows system. It checks registry keys related to start up processes, registry keys with Internet Explorer settings, host file contents, taskScheduler tasks, loaded system drivers, uses WinUnhide to catch hidden processes, and does much more.
be7394b4ce9a474ce4d3c0d3ddd25f7e3f4940ae86f346304bfb881bc6e41ad4PHP Gift Registry version 1.5.5 suffers from a remote SQL injection vulnerability.
4ac4aa8616e0e3980f8f8d7134ddd0f3313c957f363637fe93a4bd2f1459d278Red Hat Security Advisory 2011-1380-01 - These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. A flaw was found in the Java RMI registry implementation. A remote RMI client could use this flaw to execute arbitrary code on the RMI server running the registry. A flaw was found in the Java RMI registry implementation. A remote RMI client could use this flaw to execute code on the RMI server with unrestricted privileges.
8221a223c89ce2ea73be4fe52f25f9521f2857546e752765f878046db40237e1Digital forensics deals with the analysis of artifacts on all types of digital devices. One of the most prevalent analysis techniques performed is that of the registry hives contained in Microsoft Windows operating systems. Registry Decoder was developed with the purpose of providing a single tool for the acquisition, analysis, and reporting of registry contents.
0bf122d130ac2701097efb0279ea1770e47de47890bfe248c6efa066170e445e
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed