Date: Sat, 16 Aug 2014 22:07:52 +0200
From: "Stefan Kanthak" <>
To: <>
Subject: [FD] Beginner's error: Apple's iCloudServices for Windows run rogue program C:\Program.exe (and some more)

Hi @ll,

"C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe",
part of Apple's iCloudServices (see <>), is
configured to be started as a (COM) server via SvcHost.Exe.

Unfortunately the developers of this (COM) server (and of course their QA
too) did a lousy job and let their installer create the following erroneous
registry entries with a command line that contains an unquoted pathname:

@="C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe"

@="C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe"

The unquoted pathname results in the execution of one of the rogue programs
"C:\Program.exe", "C:\Program Files\Common.exe" or
"C:\Program Files\Common Files\Apple\Internet.exe" (on x86), or
"C:\Program.exe", "C:\Program Files.exe", "C:\Program Files (x86)\Common.exe"
or "C:\Program Files (x86)\Common Files\Apple\Internet.exe" (on x64), with
the rights of the logged-on user.

JFTR: the other 3 registry entries created for this COM server don't show
      this beginner's error and have the pathname properly quoted:

@="\"C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe\""

@="\"C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe\""

@="\"C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe\""

Since every user account created during Windows setup has administrative
rights, every user owning such an account can create the rogue program(s),
resulting in a privilege escalation.

JFTR: no, the "user account control" is not a security boundary!

      From <>:

| Same-desktop Elevation in UAC is not a security boundary and can be hijacked
| by unprivileged software that runs on the same desktop. Same-desktop
| Elevation should be considered a convenience feature, and from a security
| perspective, "Protected Administrator" should be considered the equivalent
| of "Administrator."

JFTR: iCloudServices ships with even older, outdated and vulnerable 3rd-party
      (open source) libraries than iTunes, see

      - libxslt.dll
      - libxml2.dll
      - icuuc40.dll, icuin40.dll, icudt46.dll, libicuin.dll, libicuuc.dll

Stefan Kanthak

PS: the obvious and trivial fix: edit the 2 erroneous command lines and
    add the missing quotes. But don't forget to fix them after every update
    of Apple's crap for Windows.
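Added example (editor's code, not from the post or from Apple): it takes the .reg default-value line quoted above, models the CreateProcess lookup order the post describes (each space-delimited prefix of an unquoted path, with ".exe" appended) so an auditor can list exactly which files would be run if present, and emits the quoted line the post gives as the fix. The sample line is constructed from the post; it assumes the value is a bare pathname with no arguments, as in the entries shown.

```python
import re

# Constructed from the unquoted .reg line quoted in the post.
UNQUOTED_LINE = r'@="C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe"'

def decode_reg_string(line: str) -> str:
    """Turn a .reg default-value line  @="..."  into the raw REG_SZ value
    (undo the .reg escaping of backslashes and double quotes)."""
    m = re.fullmatch(r'@="(.*)"', line.strip())
    if not m:
        raise ValueError(f"not a .reg default-value line: {line!r}")
    return re.sub(r"\\(.)", r"\1", m.group(1))

def encode_reg_string(value: str) -> str:
    """Inverse of decode_reg_string: escape and wrap as  @="..."  again."""
    return '@="' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def rogue_candidates(cmdline: str) -> list[str]:
    """Files CreateProcess would try before the intended executable when the
    command line is an unquoted path with spaces: every prefix that ends just
    before a space, with ".exe" appended when that prefix has no extension.
    A command line that starts with a quote is resolved as a single token and
    yields no candidates."""
    if cmdline.startswith('"'):
        return []
    found = []
    for i, ch in enumerate(cmdline):
        if ch != " ":
            continue
        prefix = cmdline[:i]
        last_component = prefix.rsplit("\\", 1)[-1]
        found.append(prefix if "." in last_component else prefix + ".exe")
    return found

def fixed_reg_line(line: str) -> str:
    """Apply the post's fix: quote the pathname unless it already is quoted."""
    value = decode_reg_string(line)
    if not value.startswith('"'):
        value = '"' + value + '"'
    return encode_reg_string(value)

if __name__ == "__main__":
    for path in rogue_candidates(decode_reg_string(UNQUOTED_LINE)):
        print("would be executed if present:", path)
    print("corrected entry:", fixed_reg_line(UNQUOTED_LINE))
```

Running it prints the three x86 rogue paths listed in the post and the quoted .reg line; feeding the x64 path yields the four x64 candidates.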

Sent through the Full Disclosure mailing list