Message-ID: <32D91D191C4D405A8D1C1E87379B5370@celsius>
Date: Wed, 21 Aug 2013 20:20:31 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Windows Embedded POSReady 2009: cruft, not craft
Hi,
the cruft in the evaluation version of Windows Embedded POSReady 2009
(see <http://seclists.org/fulldisclosure/2012/Mar/17>) is not only
present there, but also in systems built with Microsoft's official
"OEM preinstallation kit", distributed as DVD X15-28127.
Result: all these embedded systems are susceptible to a trivial-to-exploit
privilege escalation!
BUT: there is more garbage in Windows Embedded POSReady 2009!
[HKEY_LOCAL_MACHINE\SOFTWARE\3Com\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\ATI Technologies\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Aureal\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\BCMDM\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Brother\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Creative Tech\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Digi\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Generic\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\GenericSoftModemUninstallInfo\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Logitech\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Lucent\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Neomagic\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\PCTEL\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\S3\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Specialix\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\TOSHIBA\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Vid_0471\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Vid_05A9\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\VN_VUIns\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}]
@="GraphicsShellExt Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}\InProcServer32]
@="C:\\WINDOWS\\system32\\igfxpph.dll"
...
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0160-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Display Property Sheet"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0160-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTDisply.dll"
...
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0161-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Gamma2 Property Sheet"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0161-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTGamma2.dll"
...
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0162-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Info2 Property Sheet"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0162-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTInfo2.dll"
...
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0163-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Overlay Property Sheet"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0163-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTOvrlay.dll"
...
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ba87e880-5a57-11d3-bfcb-00aa0022f394}]
@="S3ConfigD3D Property Sheet"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ba87e880-5a57-11d3-bfcb-00aa0022f394}\InProcServer32]
@="S3Cfg3d.dll"
...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\igfxcui]
@="{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Config3D]
@="{ba87e880-5a57-11d3-bfcb-00aa0022f394}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Display]
@="{300b0160-6129-11d7-8dc7-00d0b72c72f7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Gamma2]
@="{300b0161-6129-11d7-8dc7-00d0b72c72f7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Info2]
@="{300b0162-6129-11d7-8dc7-00d0b72c72f7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Overlay]
@="{300b0163-6129-11d7-8dc7-00d0b72c72f7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTConfig3D]
@="{ba87e880-5a57-11d3-bfcb-00aa0022f394}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTDisplay]
@="{300b0160-6129-11d7-8dc7-00d0b72c72f7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTGamma2]
@="{300b0161-6129-11d7-8dc7-00d0b72c72f7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTInfo2]
@="{300b0162-6129-11d7-8dc7-00d0b72c72f7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTOverlay]
@="{300b0163-6129-11d7-8dc7-00d0b72c72f7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VModes"="VModes UpdateRegistryOnly"
"VTTrayp"="VTtrayp.exe"
"VTTimer"="VTTimer.exe"
"S3Trayp"="S3trayp.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"TrackPointSrv"="tp4mon.exe"
"USBC"="C:\\WINDOWS\\system32\\wscript.exe C:\\WINDOWS\\system32\\drivers\\netusbc.vbs"
"XeroxScannerDaemon"="C:\\Program Files\\Xerox\\NWWia\\XrxFTPLt.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ati HotKey Poller]
"Start"=dword:00000002
"Type"=dword:00000110
"ErrorControl"=dword:00000001
"ImagePath"=expand:"system32\\atievxx.exe"
"ObjectName"="LocalSystem"
"Group"="Event log"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\AssetManagement]
"EventMessageFile"=expand:"C:\\WINDOWS\\system32\\CCM\\ccm_caltrack.dll"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\LiveMeeting]
"TypesSupported"=dword:00000007
"EventMessageFile"=expand:"C:\\PROGRA~1\\MICROS~3\\LIVEME~1\\Console\\MUI\\0409\\UCCPRES.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\SmsClient]
"EventMessageFile"=expand:"C:\\WINDOWS\\system32\\CCM\\climsgs.dll"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Pctspk]
"Start"=dword:00000002
"Type"=dword:00000010
"ErrorControl"=dword:00000001
"ImagePath"=expand:"system32\\pctspk.exe"
"DisplayName"="PCTEL Speaker Phone"
Needless to say: all the files referenced in this debris are NOT present
in the system image, and all the device drivers that had registry keys
created under [HKEY_LOCAL_MACHINE\SOFTWARE\%vendor%] are missing too.
Whoever built this system image apparently did not start from a clean
environment, installed superfluous components like "LiveMeeting Console"
and "System Center Configuration Management Client", used unsuitable
tools to integrate 3rd-party drivers, and used unsuitable tools to
prepare it for deployment.
Is this trustworthy computing? Software engineering? Due diligence?
And what about quality assurance?
JFTR: the unqualified filenames used in this cruft are nice targets for
binary planting attacks!
stay tuned
Stefan Kanthak
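An added example (not part of the post) showing how an image builder can audit an exported hive for exactly the pattern described above: Run values, service ImagePath values and InProcServer32 defaults that name a binary by an unqualified or relative filename, or by an absolute path that does not exist in the image. The .reg excerpt, the set of files assumed to be present in the image and the %SystemRoot% are all constructed; the key names and "expand:" notation follow the entries quoted in the post.

```python
import re

# Constructed .reg-style excerpt modelled on entries quoted in the post (same
# key names and "expand:" notation); it is not a real registry export.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0160-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTDisply.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VModes"="VModes UpdateRegistryOnly"
"VTTrayp"="VTtrayp.exe"
"USBC"="C:\\WINDOWS\\system32\\wscript.exe C:\\WINDOWS\\system32\\drivers\\netusbc.vbs"
"XeroxScannerDaemon"="C:\\Program Files\\Xerox\\NWWia\\XrxFTPLt.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ati HotKey Poller]
"ImagePath"=expand:"system32\\atievxx.exe"
'''
# Assumed contents of the image (lower-cased full paths) and its %SystemRoot%.
IMAGE_FILES = {r"c:\windows\system32\wscript.exe"}
SYSTEM_ROOT = r"c:\windows"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"[^"]*")=(?:expand:)?"(.*)"$')
IMAGE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|vbs|sys))"?(?:\s|$)', re.IGNORECASE)

def image_of(command):
    """Executable named by a command line; falls back to its first token."""
    m = IMAGE_RE.match(command)
    return m.group(1) if m else command.split()[0]

def classify(image):
    """('absolute'|'relative'|'unqualified', present-in-image or None)."""
    if re.match(r"^[A-Za-z]:\\", image):
        return "absolute", image.lower() in IMAGE_FILES
    if "\\" in image:  # service ImagePath relative to %SystemRoot%
        return "relative", f"{SYSTEM_ROOT}\\{image.lower()}" in IMAGE_FILES
    return "unqualified", None  # resolved by search order at load time

def audit(reg_text):
    """Return (key, value name, image, kind, present) for loader-relevant values."""
    findings, key = [], ""
    for line in reg_text.splitlines():
        if km := KEY_RE.match(line):
            key = km.group(1)
        elif vm := VALUE_RE.match(line):
            name, raw = vm.group(1).strip('"'), vm.group(2).replace("\\\\", "\\")
            if key.rsplit("\\", 1)[-1] in ("Run", "InProcServer32") or name == "ImagePath":
                image = image_of(raw)
                findings.append((key, name, image, *classify(image)))
    return findings

def flagged(reg_text):
    """Entries whose image is unqualified, or absent from the image."""
    return [f for f in audit(reg_text) if not f[4]]
```

Every entry returned by flagged() is either a search-order lookup (binary planting target) or a dangling reference to a file the image does not ship; both should be removed before the image is sealed.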