lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <15744B6CD122466E836848E139F983D0@celsius>
Date: Sat, 16 Aug 2014 22:07:52 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <fulldisclosure@...lists.org>
Subject: Beginners error: Apple's iCloudServices for Windows run rogue program C:\Program.exe  (and some more)

Hi @ll,

"C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe",
part of Apple's iCloudServices (see <https://www.apple.com/icloud/>), is
configured to be started as (COM) server via SvcHost.Exe.

Unfortunately the developers of this (COM) server (and of course their QA
too) did a lousy job and let their installer create the following erroneous
registry entries with a command line that contains an unquoted pathname:

[HKEY_CLASSES_ROOT\CLSID\{23ad9193-ebad-42bf-8d03-fec6331270f2}\LocalServer32]
@="C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe"

[HKEY_CLASSES_ROOT\CLSID\{9e6e74c7-0e85-4d14-8851-7635e2c1c528}\LocalServer32]
@="C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe"


The unquoted pathname results in the execution of one of the rogue programs
"C:\Program.exe", "C:\Program Files\Common.exe" or
"C:\Program Files\Common Files\Apple\Internet.exe" (on x86) resp.
"C:\Program.exe", "C:\Program Files.exe", "C:\Program Files (x86)\Common.exe"
or "C:\Program Files (x86)\Common Files\Apple\Internet.exe" (on x64) with
the rights of the logged on user.


JFTR: the other 3 registry entries created for this COM server dont show
      this beginners error and have the pathname properly quoted:

[HKEY_CLASSES_ROOT\CLSID\{1510187E-FE19-4F42-9C43-22C6E9E6AA67}\LocalServer32]
@="\"C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe\""

[HKEY_CLASSES_ROOT\CLSID\{c1da7e1f-279b-4acd-9196-fc6ef7eb8e9e}\LocalServer32]
@="\"C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe\""

[HKEY_CLASSES_ROOT\CLSID\{dd000cbd-67a6-423f-9132-1a2d0f76ead5}\LocalServer32]
@="\"C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe\""


Since every user account created during Windows setup has administrative
rights every user owning such an account can create the rogue program(s),
resulting in a privilege escalation.

JFTR: no, the "user account control" is not a security boundary!

      From <http://support.microsoft.com/kb/2526083>:

| Same-desktop Elevation in UAC is not a security boundary and can be hijacked
| by unprivileged software that runs on the same desktop. Same-desktop
| Elevation should be considered a convenience feature, and from a security
| perspective, "Protected Administrator" should be considered the equivalent
| of "Administrator."


JFTR: iCloudServices ships with even older outdated and vulnerable 3rd party
       (open source) libraries than iTunes, see
      <http://seclists.org/fulldisclosure/2014/Jul/30>

      - libxslt.dll 1.0.9.0
      - libxml2.dll 2.1.13.0
      - icuuc40.dll, icuin40.dll, icudt46.dll. libicuin.dll, libicuuc.dll 4.6.1.0


regards
Stefan Kanthak


PS: the obvious and trivial fix: edit the 2 erroneous command lines and
    add the missing quotes. But dont forget to fix them after every update
    of Apple's crap for Windows.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ