lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 8 May 2014 22:29:31 +0200
From: "Stefan Kanthak" <>
To: <>
Subject: [FD] Beginners error: Synaptics touchpad driver delivered via
	Windows Update executes rogue program C:\Program.exe with
	system privileges during installation

Hi @ll,

the WHQL-signed(!) Synaptics touchpad driver delivered via Windows Update
executes a rogue program C:\Program.exe with system privileges after its

The observed offending command line is
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /NT /I

According to Microsofts security response team the vulnerable driver was
pulled from Windows Update.

Unfortunately (or should I write: of course) the drivers offered on
Synaptics web site have this silly bug too!

Stefan Kanthak

PS: the following lines of the SYNPD.INF show the same silly bug:

| HKLM,Software\Microsoft\Windows\CurrentVersion\Run,SynTPEnh,0,"%16422%\%targetdir%\SynTPEnh.exe"
| HKLM,Software\Microsoft\Windows\CurrentVersion\Run,SynTPEnh,0x00020000,"%ProgramFiles%\%targetdir%\SynTPEnh.exe"
| HKR,Software\Synaptics\SynTPPlugIns\SynTP,Start,0x00020000,"%ProgramFiles%\%targetdir%\SynTPEnh /RegPlugIn"
| HKR,Software\Synaptics\SynTPEnh\PopupConfig,Pressure Graph,0x00020000,"%ProgramFiles%\%targetdir%\SynZMetr.exe"
| HKR,Software\Synaptics\SynTPEnh\PopupConfig,MoodPad,0x00020000,"%ProgramFiles%\%targetdir%\SynMood.exe"
| HKR,Software\Synaptics\SynTPCpl,PracticeExe,0x00020000,"%ProgramFiles%\%targetdir%\Tutorial.exe"
| HKR,SOFTWARE\Synaptics\SynTPCpl\Controls\1Multifinger Gestures\1Two-Finger

    It's a shame that developers still dont know how to handle
    filenames containing spaces properly: you had 20 years time
    to learn that! And of course their QA hat the same time!

    Take a look at <> and
    notice the screenshot of REGEDIT.EXE showing the contents of the
    registry key



2014-04-09    sent vulnerability report to Microsoft

2014-04-10    Microsoft asks for more log files

2014-04-10    sent log files to Microsoft

2014-04-11    MSRC 18931 case opened

2014-04-15    sent notice regarding MSKB 2647300

2014-05-08    Microsoft acknowledges vulnerability and pulls driver

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists