| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <15744B6CD122466E836848E139F983D0@celsius>
Date: Sat, 16 Aug 2014 22:07:52 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Beginners error: Apple's iCloudServices for Windows run rogue
program C:\Program.exe (and some more)
Hi @ll,
"C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe",
part of Apple's iCloudServices (see <https://www.apple.com/icloud/>), is
configured to be started as (COM) server via SvcHost.Exe.
Unfortunately the developers of this (COM) server (and of course their QA
too) did a lousy job and let their installer create the following erroneous
registry entries with a command line that contains an unquoted pathname:
[HKEY_CLASSES_ROOT\CLSID\{23ad9193-ebad-42bf-8d03-fec6331270f2}\LocalServer32]
@="C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe"
[HKEY_CLASSES_ROOT\CLSID\{9e6e74c7-0e85-4d14-8851-7635e2c1c528}\LocalServer32]
@="C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe"
The unquoted pathname results in the execution of one of the rogue programs
"C:\Program.exe", "C:\Program Files\Common.exe" or
"C:\Program Files\Common Files\Apple\Internet.exe" (on x86) resp.
"C:\Program.exe", "C:\Program Files.exe", "C:\Program Files (x86)\Common.exe"
or "C:\Program Files (x86)\Common Files\Apple\Internet.exe" (on x64) with
the rights of the logged on user.
JFTR: the other 3 registry entries created for this COM server dont show
this beginners error and have the pathname properly quoted:
[HKEY_CLASSES_ROOT\CLSID\{1510187E-FE19-4F42-9C43-22C6E9E6AA67}\LocalServer32]
@="\"C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe\""
[HKEY_CLASSES_ROOT\CLSID\{c1da7e1f-279b-4acd-9196-fc6ef7eb8e9e}\LocalServer32]
@="\"C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe\""
[HKEY_CLASSES_ROOT\CLSID\{dd000cbd-67a6-423f-9132-1a2d0f76ead5}\LocalServer32]
@="\"C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe\""
Since every user account created during Windows setup has administrative
rights every user owning such an account can create the rogue program(s),
resulting in a privilege escalation.
JFTR: no, the "user account control" is not a security boundary!
From <http://support.microsoft.com/kb/2526083>:
| Same-desktop Elevation in UAC is not a security boundary and can be hijacked
| by unprivileged software that runs on the same desktop. Same-desktop
| Elevation should be considered a convenience feature, and from a security
| perspective, "Protected Administrator" should be considered the equivalent
| of "Administrator."
JFTR: iCloudServices ships with even older outdated and vulnerable 3rd party
(open source) libraries than iTunes, see
<http://seclists.org/fulldisclosure/2014/Jul/30>
- libxslt.dll 1.0.9.0
- libxml2.dll 2.1.13.0
- icuuc40.dll, icuin40.dll, icudt46.dll. libicuin.dll, libicuuc.dll 4.6.1.0
regards
Stefan Kanthak
PS: the obvious and trivial fix: edit the 2 erroneous command lines and
add the missing quotes. But dont forget to fix them after every update
of Apple's crap for Windows.
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists