lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 4 Mar 2012 20:06:05 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>
Cc: "Microsoft Security Response Center" <secure@...rosoft.com>
Subject: %windir%\temp\sso\ssoexec.dll (or: how trustworthy is Microsoft's build process)

Hi @ll,

the system image "\Setup\WIM\setup.wim" on the "POSReady 2009 eval CD",
available from the Microsoft Download Center under
<http://www.microsoft.com/downloads/en/details.aspx?FamilyID=1e077ece-3f19-4c41-b219-6fcc821fb5fc>,
contains the following registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SSOExec]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Logoff"="SSOReset"
"Unlock"="SSOExec"
"Lock"="SSOReset"
"DLLName"="%windir%\\temp\\sso\\ssoexec.dll"


The directory "%windir%\temp" in the system image is but empty.


The presence of these registry entries is evidence that (one of) the
system(s) used to build and capture the POSReady 2009 evaluation system
image were infested with malware, and that either the infestation was not
detected at all (bad) or the infestation was detected, but incompletely
(or accidentially, when "%windir%\temp" was cleared) "removed" and a
compromised system used to build the system image (worse).

JFTR: MSFT initiated their "trustworthy computing" about 10 years ago!


To complete the picture: the ACLs on the directory "%windir%\temp" in
systems installed from this image/CD allow unprivileged users to create
a subdirectory "sso" in "%windir%\temp" and then the "ssoexec.dll",
allowing them to have their code run under every (other) user account
used to log on afterwards, resulting in a privilege escalation.


Timeline
~~~~~~~~

2012-02-03    informed vendor

2012-02-03    vendor replies:
              "The registry key and DLL are part of the Windows embedded
               software package and their existence is expected."

.oO(OUCH! they must be joking...)

2012-02-04    informed vendor that SSOEXEC.DLL is NOT part of any Windows
              software package

2012-02-06    vendor replies:
              "we are still looking and hope to provide clarification soon."

2012-02-06    vendor replies:
              "this reference in no way indicates there is or ever was a
               virus on our build systems."

2012-02-08    asked vendor to consider that both
              <http://www.bing.com/search?q=ssoexec> and
              <https://encrypted.google.com/search?num=100&safe=off&q=%22ssoexec%22+OR+%22ssoreset%22>
              only find hits that show problems with malware

2012-03-04    no more answer from vendor, report published


Stefan Kanthak

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ