[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5A3336EB162B476390890220045D12B3@localhost>
Date: Mon, 25 Jun 2012 21:19:52 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: OpenLimit Reader for Windows contains completely
outdated, superfluous and VULNERABLE system components
Hi @ll,
the OpenLimit reader (<https://www.openlimit.com/en/products/reader.html>
and <https://www.openlimit.com/en/products/reader/download-reader.html>),
an application aimed to provide security by validating X.509 signatures
and signing PDFs inside Adobe Reader, contains completely outdated,
superfluous and vulnerable components, which comprise 40% (SIC!) of the
whole installation package!
JFTR: the downloadable self-extracting setup program "OLReader2502_DE.exe"
as well as the contained files (SETUP.EXE, SCSetup\WS*.DLL) are all
signed with an X.509 certificate valid until 2012-05-26T23:59:59Z.
Fortunately some wise guy but missed to time-stamp the signed files,
Windows treats the signature as invalid since 2012-05-27T00:00:00Z.-P
According to it's manufacturer, this application supports Windows 2000
and later versions.
The self-extracting setup program "OLReader2502_DE.exe" extracts the
following 3rd party files (ALL are updates/installers from Microsoft)
into "%TEMP%\SignCubesInstall":
INSTMSI.EXE 12.0.2600.2 from 2002-02-19
the installation package of "Microsoft Installer 2.0".
A newer version of Microsoft installer is part of ALL supported
versions of Windows, this package MUST NOT be run there; cf.
<http://msdn.microsoft.com/en-us/library/aa369548.aspx>!
INSTMSIW.EXE 6.0.2448.0 from 2002-02-19
the installation package of "Microsoft Installer 2.0" for the
unsupported platforms Windows 9x/ME!
OUT128.EXE 5.5.3131.1 from 2000-12-02
a superseded patch for the unsupported Outlook 2000.
SCBASE_D.EXE 4.71.1015.0 from 1998-04-17
a superseded patch for the unsupported platforms Windows NT4 and
Windows 9x for the installation of the "Microsoft Win32 Smart Card
Base Components v1.0".
A newer version of this component is part of ALL supported versions
of Windows!
ATL.MSI
a superseded installer, containing two outdated and vulnerable
ATL.DLL 3.0.8449.0 from 2000-11-02
for the unsupported platforms Windows NT4 and Windows 9x.
A newer version of this file is part of ALL supported versions
of Windows and MUST NOT be redistributed or installed there; cf.
<http://msdn.microsoft.com/en-us/library/ms954376.aspx>!
COMCAT.MSI (TOTALLY superfluous, since contained in other *.MSI too!)
a superseded installer, containing the outdated and vulnerable
COMCAT.DLL 4.71.1460.1 from 1998-12-09
for the unsupported platform Windows NT4.
A newer version of this file is part of ALL supported versions
of Windows and MUST NOT be redistributed or installed there!
COMCT232.MSI (TOTALLY superfluous, since contained in other *.MSI too!)
a superseded installer, containing the outdated and vulnerable
COMCT232.OCX 6.0.80.22 from 1998-06-24
OLEAUT32.DLL 2.40.4275.1 from 2000-04-12
ASYCFILT.DLL 2.40.4275.1 from 1999-03-08
OLEPRO32.DLL 5.0.4275.1 from 1999-03-08
STDOLE2.TLB 2.40.4275.1 from 2000-03-28
COMCAT.DLL 4.71.1460.1 from 1998-12-09
for the unsupported platforms Windows NT4 and Windows 9x.
Newer versions of these files are part of ALL supported versions
of Windows and MUST NOT be redistributed or installed there!
COMCT332.MSI
a superseded installer, containing the outdated and vulnerable
COMCT332.OCX 6.7.0.8988 from 2000-12-06
OLEAUT32.DLL 2.40.4275.1 from 2000-04-12
ASYCFILT.DLL 2.40.4275.1 from 1999-03-08
OLEPRO32.DLL 5.0.4275.1 from 1999-03-08
STDOLE2.TLB 2.40.4275.1 from 2000-03-28
COMCAT.DLL 4.71.1460.1 from 1998-12-09
for the unsupported platforms Windows NT4 and Windows 9x.
Newer versions of these files are part of ALL supported versions
of Windows and MUST NOT be redistributed or installed there!
COMCTL32.MSI
a superseded installer, containing the outdated and vulnerable
COMCTL32.OCX 6.0.81.5 from 2000-05-23
OLEAUT32.DLL 2.40.4275.1 from 2000-04-12
ASYCFILT.DLL 2.40.4275.1 from 1999-03-08
OLEPRO32.DLL 5.0.4275.1 from 1999-03-08
STDOLE2.TLB 2.40.4275.1 from 2000-03-28
COMCAT.DLL 4.71.1460.1 from 1998-12-09
for the unsupported platforms Windows NT4 and Windows 9x.
Newer versions of these files are part of ALL supported versions
of Windows and MUST NOT be redistributed or installed there!
COMDLG32.MSI
a superseded installer, containing the outdated and vulnerable
COMDLG32.OCX 6.0.84.18 from 2000-05-23
OLEAUT32.DLL 2.40.4275.1 from 2000-04-12
ASYCFILT.DLL 2.40.4275.1 from 1999-03-08
OLEPRO32.DLL 5.0.4275.1 from 1999-03-08
STDOLE2.TLB 2.40.4275.1 from 2000-03-28
COMCAT.DLL 4.71.1460.1 from 1998-12-09
for the unsupported platforms Windows NT4 and Windows 9x.
Newer versions of these files are part of ALL supported versions
of Windows and MUST NOT be redistributed or installed there!
MFC42.MSI
a superseded installer, containing the outdated and vulnerable
MFC42.DLL 6.0.8665.0 from 2000-04-06
MSVCRT.DLL 6.0.8797.0 from 2000-04-06
OLEAUT32.DLL 2.40.4275.1 from 2000-04-12
ASYCFILT.DLL 2.40.4275.1 from 1999-03-08
OLEPRO32.DLL 5.0.4275.1 from 1999-03-08
STDOLE2.TLB 2.40.4275.1 from 2000-03-28
COMCAT.DLL 4.71.1460.1 from 1998-12-09
for the unsupported platforms Windows NT4 and Windows 9x.
Newer versions of these files are part of ALL supported versions
of Windows and MUST NOT be redistributed or installed there!
MSCOMCT2.MSI (replaced the older COMCT232.MSI!)
a superseded installer, containing the outdated and vulnerable
COMCT232.OCX 6.0.88.4 from 2000-05-23
OLEAUT32.DLL 2.40.4275.1 from 2000-04-12
ASYCFILT.DLL 2.40.4275.1 from 1999-03-08
OLEPRO32.DLL 5.0.4275.1 from 1999-03-08
STDOLE2.TLB 2.40.4275.1 from 2000-03-28
COMCAT.DLL 4.71.1460.1 from 1998-12-09
for the unsupported platforms Windows NT4 and Windows 9x.
Newer versions of these files are part of ALL supported versions
of Windows and MUST NOT be redistributed or installed there!
MSCOMCTL.MSI
a superseded installer, containing the outdated and vulnerable
MSCOMCTL.OCX 6.0.88.62 from 2000-05-23
OLEAUT32.DLL 2.40.4275.1 from 2000-04-12
ASYCFILT.DLL 2.40.4275.1 from 1999-03-08
OLEPRO32.DLL 5.0.4275.1 from 1999-03-08
STDOLE2.TLB 2.40.4275.1 from 2000-03-28
COMCAT.DLL 4.71.1460.1 from 1998-12-09
for the unsupported platforms Windows NT4 and Windows 9x.
Newer versions of these files are part of ALL supported versions
of Windows and MUST NOT be redistributed or installed there!
MSVBVM60.MSI
a superseded installer, containing the outdated and vulnerable
MSVBVM60.DLL 6.0.89.64 from 2000-11-08
OLEAUT32.DLL 2.40.4275.1 from 2000-04-12
ASYCFILT.DLL 2.40.4275.1 from 1999-03-08
OLEPRO32.DLL 5.0.4275.1 from 1999-03-08
STDOLE2.TLB 2.40.4275.1 from 2000-03-28
COMCAT.DLL 4.71.1460.1 from 1998-12-09
for the unsupported platforms Windows NT4 and Windows 9x.
Newer versions of these files are part of ALL supported versions
of Windows and MUST NOT be redistributed or installed there!
MSVCIRT.MSI
a superseded installer, containing the outdated and vulnerable
MSVCRT.DLL 6.0.8797.0 from 2000-04-06
MSVCIRT.DLL 6.0.8168.0 from 2000-04-06
for the unsupported platforms Windows NT4 and Windows 9x.
Newer versions of these files are part of ALL supported versions
of Windows and MUST NOT be redistributed or installed there!
MSVCP60.MSI
a superseded installer, containing the outdated and vulnerable
MSVCRT.DLL 6.0.8797.0 from 2000-04-06
MSVCP60.DLL 6.0.8972.0 from 2000-08-29
for the unsupported platforms Windows NT4 and Windows 9x.
Newer versions of these files are part of ALL supported versions
of Windows and MUST NOT be redistributed or installed there!
MSVCRT.MSI (TOTALLY superfluous, since contained in other *.MSI too!)
a superseded installer, containing the outdated and vulnerable
MSVCRT.DLL 6.0.8797.0 from 2000-04-06
for the unsupported platforms Windows NT4 and Windows 9x.
A newer version of this file is part of ALL supported versions
of Windows and MUST NOT be redistributed or installed there!
OLEAUT32.MSI (TOTALLY superfluous, since contained in other *.MSI too!)
a superseded installer, containing the outdated and vulnerable
OLEAUT32.DLL 2.40.4275.1 from 2000-04-12
ASYCFILT.DLL 2.40.4275.1 from 1999-03-08
OLEPRO32.DLL 5.0.4275.1 from 1999-03-08
STDOLE2.TLB 2.40.4275.1 from 2000-03-28
for the unsupported platforms Windows NT4 and Windows 9x.
Newer versions of these files are part of ALL supported versions
of Windows and MUST NOT be redistributed or installed there!
Fortunately the "Windows File Protection" fixes most of the damage done
by the installation of this piece of crap^W^W^Wwell engineered software
and restores the overwritten system files.
On Windows 5.x the following overwritten registry entries are but NOT
fixed:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BE35200-8F91-11CE-9DE3-00AA004BB851}\InProcServer32]
@="C:\\WINDOWS\\system32\\MFC42.DLL"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BE35201-8F91-11CE-9DE3-00AA004BB851}\InProcServer32]
@="C:\\WINDOWS\\system32\\MFC42.DLL"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BE35202-8F91-11CE-9DE3-00AA004BB851}\InProcServer32]
@="C:\\WINDOWS\\system32\\MFC42.DLL"
MFC42.DLL is the ANSI version of this system DLL, suitable for Windows
9x/ME. Windows NT* but needs the UNICODE version of this DLL, named
MFC42U.DLL. As result, UNICODE programs which use MFC42.DLL will fail!
To complete the sad story: before the installation ALL system DLLs were
registered with their fully qualified pathnames and were not vulnerable
to "binary planting" attacks (<http://support.microsoft.com/kb/2269637>
and <http://support.microsoft.com/kb/2264107>).
After the installation, the Windows installation was vulnerable again
(modulo the "Known DLLs"):
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000002F-0000-0000-C000-000000000046}\InProcServer32]
@="oleaut32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InProcServer]
@="ole2disp.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InProcServer32]
@="oleaut32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InProcServer]
@="ole2disp.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InProcServer32]
@="oleaut32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InProcServer]
@="ole2disp.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InProcServer32]
@="oleaut32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InProcServer]
@="ole2disp.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InProcServer32]
@="oleaut32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InProcServer]
@="ole2disp.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InProcServer32]
@="oleaut32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InProcServer]
@="ole2disp.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InProcServer32]
@="oleaut32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\InProcServer32]
@="oleaut32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InProcServer32]
@="oleaut32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}\InProcServer32]
@="oleaut32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InProcServer32]
@="oleaut32.dll"
Stefan Kanthak
Timeline:
2012-05-19 vendor informed
... no reaction until
2012-06-25 report published
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists