The other class of vulnerability you can find in this area is tampering with registry
data consumed by a vulnerable parser. Software vendors will typically harden the parsers
handling network data and file system data by fuzzing and code review, but the security
checks in registry-parsing code are often not quite as diligent. Attackers will go after vulnerable
parsers by writing data blobs to weakly ACL'd registry keys.
"Read" Disposition Permissions of a Windows Registry Key

Permission: KEY_QUERY_VALUE, KEY_ENUMERATE_SUB_KEYS
Threat: Depending on key, possible information disclosure. Might allow an attacker to read private data such as installed applications, file system paths, etc.

Permission: GENERIC_READ
Threat: Depending on key, possible information disclosure. Grants both KEY_QUERY_VALUE and KEY_ENUMERATE_SUB_KEYS.
The registry does have some sensitive data that should be denied to untrusted users.
There is no clear elevation of privilege threat from read permissions on registry keys, but
the data gained might be useful in a two-stage attack. For example, you might be able to
read a registry key that discloses the path of a loaded DLL. Later, in the file system attacks
section, you might find that revealed location to have a weak DACL.
Attacking Weak Registry Key DACLs for Privilege Escalation
The attack is already described earlier in the enumeration section.
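As an added example (not from the book), here is the defender-side check for the condition both sections above depend on: a PowerShell audit that walks HKLM subtrees and reports keys whose DACL grants write rights to principals every local user holds. The root paths, the low-privilege principal list and the recursion depth are assumptions to adjust for your environment.

```powershell
# Added example, not from the book: flag registry keys whose DACL lets low-privileged
# principals write, the precondition for the parser-tampering attack described above.
# Read-only audit; run from an elevated prompt so Get-Acl can read every key's DACL.
param(
    [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet\Services'),
    [int]$Depth = 3
)

# Assumed set of identities that any local user effectively holds; extend for your estate.
$LowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
             'NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\ANONYMOUS LOGON')

# Specific rights that let a caller change a key's values, children or protection.
$Specific = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# Generic rights are not mapped by the RegistryRights enum; test their raw mask bits instead.
$GenericWrite = 0x40000000
$GenericAll   = 0x10000000

function Test-WeakAce {
    param([System.Security.AccessControl.RegistryAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    if ($LowPriv -notcontains $Ace.IdentityReference.Value) { return $false }
    $mask = [int]$Ace.RegistryRights
    return (($mask -band [int]$Specific) -ne 0) -or
           (($mask -band $GenericWrite) -ne 0) -or
           (($mask -band $GenericAll) -ne 0)
}

# Collect each root and its subkeys down to the requested depth.
$keys = foreach ($root in $Roots) {
    Get-Item -Path $root -ErrorAction SilentlyContinue
    Get-ChildItem -Path $root -Recurse -Depth $Depth -ErrorAction SilentlyContinue
}

foreach ($key in $keys) {
    $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    foreach ($ace in $acl.Access) {
        if (Test-WeakAce $ace) {
            [pscustomobject]@{
                Key       = $key.Name
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited   # inherited ACEs point at a weak parent key
            }
        }
    }
}
```

Triage each hit against what consumes the key: a privileged service or parser reading from a key that Users can write is the case the text describes, whereas a key intended for per-user settings is expected to be writable.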