lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 21 Aug 2013 20:20:31 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.grok.org.uk>
Subject: Windows Embedded POSReady 2009: cruft, not craft

Hi,

the cruft in the evaluation version of Windows Embedded POSReady 2009
(see <http://seclists.org/fulldisclosure/2012/Mar/17>) is not only
present there, but also in systems built with Microsofts official
"OEM preinstallation kit", distributed as DVD X15-28127.

Result: all these embedded systems are susceptible to a trivial to
exploit privilege escalation!


BUT: there is more garbage in Windows Embedded POSReady 2009!

[HKEY_LOCAL_MACHINE\SOFTWARE\3Com\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\ATI Technologies\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Aureal\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\BCMDM\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Brother\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Creative Tech\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Digi\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Generic\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\GenericSoftModemUninstallInfo\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Logitech\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Lucent\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Neomagic\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\PCTEL\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\S3\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Specialix\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\TOSHIBA\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Vid_0471\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Vid_05A9\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\VN_VUIns\...]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}]
@="GraphicsShellExt Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}\InProcServer32]
@="C:\\WINDOWS\\system32\\igfxpph.dll"
...

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0160-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Display Property Sheet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0160-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTDisply.dll"
...

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0161-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Gamma2 Property Sheet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0161-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTGamma2.dll"
...

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0162-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Info2 Property Sheet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0162-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTInfo2.dll"
...

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0163-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Overlay Property Sheet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0163-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTOvrlay.dll"
...

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ba87e880-5a57-11d3-bfcb-00aa0022f394}]
@="S3ConfigD3D Property Sheet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ba87e880-5a57-11d3-bfcb-00aa0022f394}\InProcServer32]
@="S3Cfg3d.dll"
...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\igfxcui]
@="{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Config3D]
@="{ba87e880-5a57-11d3-bfcb-00aa0022f394}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Display]
@="{300b0160-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Gamma2]
@="{300b0161-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Info2]
@="{300b0162-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Overlay]
@="{300b0163-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTConfig3D]
@="{ba87e880-5a57-11d3-bfcb-00aa0022f394}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTDisplay]
@="{300b0160-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTGamma2]
@="{300b0161-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTInfo2]
@="{300b0162-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTOverlay]
@="{300b0163-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VModes"="VModes UpdateRegistryOnly"
"VTTrayp"="VTtrayp.exe"
"VTTimer"="VTTimer.exe"
"S3Trayp"="S3trayp.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"TrackPointSrv"="tp4mon.exe"
"USBC"="C:\\WINDOWS\\system32\\wscript.exe C:\\WINDOWS\\system32\\drivers\\netusbc.vbs"
"XeroxScannerDaemon"="C:\\Program Files\\Xerox\\NWWia\\XrxFTPLt.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ati HotKey Poller]
"Start"=dword:00000002
"Type"=dword:00000110
"ErrorControl"=dword:00000001
"ImagePath"=expand:"system32\\atievxx.exe"
"ObjectName"="LocalSystem"
"Group"="Event log"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\AssetManagement]
"EventMessageFile"=expand:"C:\\WINDOWS\\system32\\CCM\\ccm_caltrack.dll"
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\LiveMeeting]
"TypesSupported"=dword:00000007
"EventMessageFile"=expand:"C:\\PROGRA~1\\MICROS~3\\LIVEME~1\\Console\\MUI\\0409\\UCCPRES.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\SmsClient]
"EventMessageFile"=expand:"C:\\WINDOWS\\system32\\CCM\\climsgs.dll"
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Pctspk]
"Start"=dword:00000002
"Type"=dword:00000010
"ErrorControl"=dword:00000001
"ImagePath"=expand:"system32\\pctspk.exe"
"DisplayName"="PCTEL Speaker Phone"


Needless to say: all the files referenced in this debris are NOT present
in the system image, and all the device drivers who had registry keys
created under [HKEY_LOCAL_MACHINE\SOFTWARE\%vendor%] are missing too.

Whoever built this system image apparently did not start from a clean
environment, installed superfluous components like "LiveMeeting Console"
and "System Center Configuration Management Client", used unsuitable
tools to integrate 3rd-party drivers, and used unsuitable tools to
prepare it for deployment.

Is this trustworthy computing? Software engineering? Due diligence?
And what about quality assurance?

JFTR: the unqualified filenames used in this cruft are nice targets for
      binary planting attacks!


stay tuned
Stefan Kanthak

Powered by blists - more mailing lists