Date: Thu, 16 Feb 2017 16:03:19 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] "long" filenames mishandled by Fujitsu's ScanSnap software

Hi @ll,

Fujitsu's ScanSnap software installers WinSSInstiX500WW1.exe
and WinSSInstS1100iWW1.exe, available from
<http://www.fujitsu.com/global/support/products/computing/peripheral/scanners/scansnap/software/ix500w-installer.html>
and
<http://www.fujitsu.com/global/support/products/computing/peripheral/scanners/scansnap/software/s1100i.html>,
execute C:\Program.exe multiple times near the end of the
installation process.
I'm VERY confident that the installers for other scanner models
show the same vulnerability.

Culprit is the program SSInst.exe, which fails to quote the command
lines
    C:\Program Files\PFU\ScanSnap\SSFolder\SSFolderTray.exe  /e /u
    C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe  /ini
    C:\Program Files\PFU\ScanSnap\Driver\SsWifiTool\PfuSsWiFiToolStart.exe  /s
    C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe  /SSType
properly; since SSInst.exe runs with administrative privileges,
C:\Program.exe is executed with administrative privileges too.

For this well-known and well-documented beginner's error see
<https://cwe.mitre.org/data/definitions/428.html> as well as
<https://msdn.microsoft.com/en-us/library/ms682425.aspx#Security_Remarks>
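To make the CWE-428 / CreateProcess behaviour above concrete, here is an added audit script (not part of the advisory and not Fujitsu's code). It reimplements the prefix-splitting rule documented in the MSDN Security Remarks for an unquoted command line whose lpApplicationName is NULL, lists the paths Windows would try before reaching the intended program, and shows the quoted form that removes the ambiguity. The four command lines are the ones quoted in the advisory; the "intended executable" detection (first prefix whose file name already has an extension) is a heuristic assumed by this example, not something the advisory states.

```python
import re

# The unquoted command lines reported in the advisory (run by SSInst.exe).
ADVISORY_COMMAND_LINES = [
    r"C:\Program Files\PFU\ScanSnap\SSFolder\SSFolderTray.exe  /e /u",
    r"C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe  /ini",
    r"C:\Program Files\PFU\ScanSnap\Driver\SsWifiTool\PfuSsWiFiToolStart.exe  /s",
    r"C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe  /SSType",
]


def _with_default_extension(path):
    """CreateProcess rule: append '.exe' when the last path component has no extension."""
    last = path.rsplit("\\", 1)[-1]
    return path if "." in last else path + ".exe"


def candidate_executables(cmdline):
    """Executable paths CreateProcess tries, in order, when lpApplicationName is NULL.

    A leading double-quoted token is unambiguous. An unquoted token containing
    spaces is tried prefix by prefix at every run of whitespace, then as the
    whole string (the documented 'c:\\program files\\sub dir\\program name' rule).
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in command line")
        return [cmdline[1:end]]
    candidates = [_with_default_extension(cmdline[:m.start()])
                  for m in re.finditer(r"\s+", cmdline)]
    candidates.append(_with_default_extension(cmdline))
    return candidates


def intended_executable(cmdline):
    """Heuristic (assumption of this example): the program the author meant to run
    is the first prefix whose file name already carries an extension."""
    cmdline = cmdline.strip()
    for m in re.finditer(r"\s+", cmdline):
        prefix = cmdline[:m.start()]
        if "." in prefix.rsplit("\\", 1)[-1]:
            return prefix
    return cmdline


def unintended_candidates(cmdline):
    """Paths that CreateProcess would execute before the intended program, if present.

    For the advisory's lines this is exactly C:\\Program.exe; an auditor checks
    whether any of these locations is writable by non-administrators."""
    intended = intended_executable(cmdline)
    result = []
    for candidate in candidate_executables(cmdline):
        if candidate == intended:
            break
        result.append(candidate)
    return result


def quote_command_line(cmdline):
    """The fix: wrap the intended executable path in double quotes, keep the arguments."""
    cmdline = cmdline.strip()
    exe = intended_executable(cmdline)
    args = cmdline[len(exe):].strip()
    return f'"{exe}" {args}'.rstrip()


if __name__ == "__main__":
    for line in ADVISORY_COMMAND_LINES:
        print(line)
        for path in unintended_candidates(line):
            print("  tried first by CreateProcess:", path)
        print("  quoted form:", quote_command_line(line))
```

Running the script prints, for each of the four lines, that C:\Program.exe is tried before the ScanSnap binary, and that the quoted form resolves to a single candidate. The same check can be pointed at any list of command lines pulled from installers, services or Run keys when auditing for this class of defect.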

JFTR: Microsoft introduced "long" filenames more than 20 years ago.

Stay away from the crapware shipped with Fujitsu's scanners!


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2017-01-28    vulnerability report sent to vendor

              no reply, not even an acknowledgement of receipt

2017-02-05    vulnerability report resent to vendor

2017-02-06    vendor hotline forwards report to product team,
              asking for support

2017-02-08    mail from vendor's technical support, subject
              "Your Request from 08.02.2017"

              "Unfortunately this request can not be processed via
               this mailadress."

2017-02-09    which request?
              I did not send a request on 2017-02-08

2017-02-10    mail from vendor's technical support, subject
              "Your Request from 10.02.2017"

              "Sorry, this was a mistake from me.
               You get info about the security alert on Monday or
               Tuesday next week."

2017-02-14    status request sent to vendor:
              "Tuesday has passed..."

2017-02-16    mail from vendor's technical support, subject
              "Your Request from 16.02.2017"

              "Unfortunately we can really not help in this case.
               Try to contact ... support team"

              No, I don't run around in circles!
              I contacted them already.

2017-02-16    report published

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
