lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5A3336EB162B476390890220045D12B3@localhost>
Date: Mon, 25 Jun 2012 21:19:52 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: OpenLimit Reader for Windows contains completely
	outdated, superfluous and VULNERABLE system components

Hi @ll,

the OpenLimit reader (<https://www.openlimit.com/en/products/reader.html>
and <https://www.openlimit.com/en/products/reader/download-reader.html>),
an application aimed to provide security by validating X.509 signatures
and signing PDFs inside Adobe Reader, contains completely outdated,
superfluous and vulnerable components, which comprise 40% (SIC!) of the
whole installation package!


JFTR: the downloadable self-extracting setup program "OLReader2502_DE.exe"
      as well as the contained files (SETUP.EXE, SCSetup\WS*.DLL) are all
      signed with an X.509 certificate valid until 2012-05-26T23:59:59Z.

      Fortunately some wise guy but missed to time-stamp the signed files,
      Windows treats the signature as invalid since 2012-05-27T00:00:00Z.-P


According to it's manufacturer, this application supports Windows 2000
and later versions.

The self-extracting setup program "OLReader2502_DE.exe" extracts the
following 3rd party files (ALL are updates/installers from Microsoft)
into "%TEMP%\SignCubesInstall":


INSTMSI.EXE     12.0.2600.2 from 2002-02-19

    the installation package of "Microsoft Installer 2.0".

    A newer version of Microsoft installer is part of ALL supported
    versions of Windows, this package MUST NOT be run there; cf.
    <http://msdn.microsoft.com/en-us/library/aa369548.aspx>!


INSTMSIW.EXE     6.0.2448.0 from 2002-02-19

    the installation package of "Microsoft Installer 2.0" for the
    unsupported platforms Windows 9x/ME!


OUT128.EXE       5.5.3131.1 from 2000-12-02

    a superseded patch for the unsupported Outlook 2000.


SCBASE_D.EXE     4.71.1015.0 from 1998-04-17

    a superseded patch for the unsupported platforms Windows NT4 and
    Windows 9x for the installation of the "Microsoft Win32 Smart Card
    Base Components v1.0".

    A newer version of this component is part of ALL supported versions
    of Windows!


ATL.MSI

    a superseded installer, containing two outdated and vulnerable

        ATL.DLL      3.0.8449.0  from 2000-11-02

    for the unsupported platforms Windows NT4 and Windows 9x.

    A newer version of this file is part of ALL supported versions
    of Windows and MUST NOT be redistributed or installed there; cf.
    <http://msdn.microsoft.com/en-us/library/ms954376.aspx>!


COMCAT.MSI (TOTALLY superfluous, since contained in other *.MSI too!)

    a superseded installer, containing the outdated and vulnerable

        COMCAT.DLL    4.71.1460.1 from 1998-12-09

    for the unsupported platform Windows NT4.

    A newer version of this file is part of ALL supported versions
    of Windows and MUST NOT be redistributed or installed there!


COMCT232.MSI (TOTALLY superfluous, since contained in other *.MSI too!)

    a superseded installer, containing the outdated and vulnerable

        COMCT232.OCX  6.0.80.22   from 1998-06-24
        OLEAUT32.DLL  2.40.4275.1 from 2000-04-12
        ASYCFILT.DLL  2.40.4275.1 from 1999-03-08
        OLEPRO32.DLL  5.0.4275.1  from 1999-03-08
        STDOLE2.TLB   2.40.4275.1 from 2000-03-28
        COMCAT.DLL    4.71.1460.1 from 1998-12-09

    for the unsupported platforms Windows NT4 and Windows 9x.

    Newer versions of these files are part of ALL supported versions
    of Windows and MUST NOT be redistributed or installed there!


COMCT332.MSI

    a superseded installer, containing the outdated and vulnerable

        COMCT332.OCX  6.7.0.8988  from 2000-12-06
        OLEAUT32.DLL  2.40.4275.1 from 2000-04-12
        ASYCFILT.DLL  2.40.4275.1 from 1999-03-08
        OLEPRO32.DLL  5.0.4275.1  from 1999-03-08
        STDOLE2.TLB   2.40.4275.1 from 2000-03-28
        COMCAT.DLL    4.71.1460.1 from 1998-12-09

    for the unsupported platforms Windows NT4 and Windows 9x.

    Newer versions of these files are part of ALL supported versions
    of Windows and MUST NOT be redistributed or installed there!


COMCTL32.MSI

    a superseded installer, containing the outdated and vulnerable

        COMCTL32.OCX  6.0.81.5    from 2000-05-23
        OLEAUT32.DLL  2.40.4275.1 from 2000-04-12
        ASYCFILT.DLL  2.40.4275.1 from 1999-03-08
        OLEPRO32.DLL  5.0.4275.1  from 1999-03-08
        STDOLE2.TLB   2.40.4275.1 from 2000-03-28
        COMCAT.DLL    4.71.1460.1 from 1998-12-09

    for the unsupported platforms Windows NT4 and Windows 9x.

    Newer versions of these files are part of ALL supported versions
    of Windows and MUST NOT be redistributed or installed there!


COMDLG32.MSI

    a superseded installer, containing the outdated and vulnerable

        COMDLG32.OCX  6.0.84.18   from 2000-05-23
        OLEAUT32.DLL  2.40.4275.1 from 2000-04-12
        ASYCFILT.DLL  2.40.4275.1 from 1999-03-08
        OLEPRO32.DLL  5.0.4275.1  from 1999-03-08
        STDOLE2.TLB   2.40.4275.1 from 2000-03-28
        COMCAT.DLL    4.71.1460.1 from 1998-12-09

    for the unsupported platforms Windows NT4 and Windows 9x.

    Newer versions of these files are part of ALL supported versions
    of Windows and MUST NOT be redistributed or installed there!


MFC42.MSI

    a superseded installer, containing the outdated and vulnerable

        MFC42.DLL     6.0.8665.0  from 2000-04-06
        MSVCRT.DLL    6.0.8797.0  from 2000-04-06
        OLEAUT32.DLL  2.40.4275.1 from 2000-04-12
        ASYCFILT.DLL  2.40.4275.1 from 1999-03-08
        OLEPRO32.DLL  5.0.4275.1  from 1999-03-08
        STDOLE2.TLB   2.40.4275.1 from 2000-03-28
        COMCAT.DLL    4.71.1460.1 from 1998-12-09

    for the unsupported platforms Windows NT4 and Windows 9x.

    Newer versions of these files are part of ALL supported versions
    of Windows and MUST NOT be redistributed or installed there!


MSCOMCT2.MSI   (replaced the older COMCT232.MSI!)

    a superseded installer, containing the outdated and vulnerable

        COMCT232.OCX  6.0.88.4    from 2000-05-23
        OLEAUT32.DLL  2.40.4275.1 from 2000-04-12
        ASYCFILT.DLL  2.40.4275.1 from 1999-03-08
        OLEPRO32.DLL  5.0.4275.1  from 1999-03-08
        STDOLE2.TLB   2.40.4275.1 from 2000-03-28
        COMCAT.DLL    4.71.1460.1 from 1998-12-09

    for the unsupported platforms Windows NT4 and Windows 9x.

    Newer versions of these files are part of ALL supported versions
    of Windows and MUST NOT be redistributed or installed there!


MSCOMCTL.MSI

    a superseded installer, containing the outdated and vulnerable

        MSCOMCTL.OCX  6.0.88.62   from 2000-05-23
        OLEAUT32.DLL  2.40.4275.1 from 2000-04-12
        ASYCFILT.DLL  2.40.4275.1 from 1999-03-08
        OLEPRO32.DLL  5.0.4275.1  from 1999-03-08
        STDOLE2.TLB   2.40.4275.1 from 2000-03-28
        COMCAT.DLL    4.71.1460.1 from 1998-12-09

    for the unsupported platforms Windows NT4 and Windows 9x.

    Newer versions of these files are part of ALL supported versions
    of Windows and MUST NOT be redistributed or installed there!


MSVBVM60.MSI

    a superseded installer, containing the outdated and vulnerable

        MSVBVM60.DLL  6.0.89.64   from 2000-11-08
        OLEAUT32.DLL  2.40.4275.1 from 2000-04-12
        ASYCFILT.DLL  2.40.4275.1 from 1999-03-08
        OLEPRO32.DLL  5.0.4275.1  from 1999-03-08
        STDOLE2.TLB   2.40.4275.1 from 2000-03-28
        COMCAT.DLL    4.71.1460.1 from 1998-12-09

    for the unsupported platforms Windows NT4 and Windows 9x.

    Newer versions of these files are part of ALL supported versions
    of Windows and MUST NOT be redistributed or installed there!


MSVCIRT.MSI

    a superseded installer, containing the outdated and vulnerable

        MSVCRT.DLL    6.0.8797.0  from 2000-04-06
        MSVCIRT.DLL   6.0.8168.0  from 2000-04-06

    for the unsupported platforms Windows NT4 and Windows 9x.

    Newer versions of these files are part of ALL supported versions
    of Windows and MUST NOT be redistributed or installed there!


MSVCP60.MSI

    a superseded installer, containing the outdated and vulnerable

        MSVCRT.DLL    6.0.8797.0  from 2000-04-06
        MSVCP60.DLL   6.0.8972.0  from 2000-08-29

    for the unsupported platforms Windows NT4 and Windows 9x.

    Newer versions of these files are part of ALL supported versions
    of Windows and MUST NOT be redistributed or installed there!


MSVCRT.MSI (TOTALLY superfluous, since contained in other *.MSI too!)

    a superseded installer, containing the outdated and vulnerable

        MSVCRT.DLL    6.0.8797.0  from 2000-04-06

    for the unsupported platforms Windows NT4 and Windows 9x.

    A newer version of this file is part of ALL supported versions
    of Windows and MUST NOT be redistributed or installed there!


OLEAUT32.MSI (TOTALLY superfluous, since contained in other *.MSI too!)

    a superseded installer, containing the outdated and vulnerable

        OLEAUT32.DLL  2.40.4275.1 from 2000-04-12
        ASYCFILT.DLL  2.40.4275.1 from 1999-03-08
        OLEPRO32.DLL  5.0.4275.1  from 1999-03-08
        STDOLE2.TLB   2.40.4275.1 from 2000-03-28

    for the unsupported platforms Windows NT4 and Windows 9x.

    Newer versions of these files are part of ALL supported versions
    of Windows and MUST NOT be redistributed or installed there!


Fortunately the "Windows File Protection" fixes most of the damage done
by the installation of this piece of crap^W^W^Wwell engineered software
and restores the overwritten system files.


On Windows 5.x the following overwritten registry entries are but NOT
fixed:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BE35200-8F91-11CE-9DE3-00AA004BB851}\InProcServer32]
@="C:\\WINDOWS\\system32\\MFC42.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BE35201-8F91-11CE-9DE3-00AA004BB851}\InProcServer32]
@="C:\\WINDOWS\\system32\\MFC42.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BE35202-8F91-11CE-9DE3-00AA004BB851}\InProcServer32]
@="C:\\WINDOWS\\system32\\MFC42.DLL"

MFC42.DLL is the ANSI version of this system DLL, suitable for Windows
9x/ME. Windows NT* but needs the UNICODE version of this DLL, named
MFC42U.DLL. As result, UNICODE programs which use MFC42.DLL will fail!


To complete the sad story: before the installation ALL system DLLs were
registered with their fully qualified pathnames and were not vulnerable
to "binary planting" attacks (<http://support.microsoft.com/kb/2269637>
and <http://support.microsoft.com/kb/2264107>).


After the installation, the Windows installation was vulnerable again
(modulo the "Known DLLs"):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000002F-0000-0000-C000-000000000046}\InProcServer32]
@="oleaut32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InProcServer]
@="ole2disp.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InProcServer32]
@="oleaut32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InProcServer]
@="ole2disp.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InProcServer32]
@="oleaut32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InProcServer]
@="ole2disp.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InProcServer32]
@="oleaut32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InProcServer]
@="ole2disp.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InProcServer32]
@="oleaut32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InProcServer]
@="ole2disp.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InProcServer32]
@="oleaut32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InProcServer]
@="ole2disp.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InProcServer32]
@="oleaut32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\InProcServer32]
@="oleaut32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InProcServer32]
@="oleaut32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}\InProcServer32]
@="oleaut32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InProcServer32]
@="oleaut32.dll"


Stefan Kanthak


Timeline:

2012-05-19    vendor informed

       ... no reaction until

2012-06-25    report published

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ