Message-ID: <2F43DEF739F14E1381C956EC7D60FAB5@W340>
Date: Thu, 20 Nov 2014 17:43:36 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Beginners error: "Google update" runs rogue programs %USERPROFILE%\Local.exe, %USERPROFILE%\Local Settings\Application.exe, %SystemDrive%\Documents.exe, %SystemDrive%\Program.exe, ...
Hi @ll,
Google update, which is installed together with Google Chrome and
other Google products, resp. the Chrome updater run the rogue programs
"%USERPROFILE%\Local.exe",
"%USERPROFILE%\Local Settings\Application.exe",
"%SystemDrive%\Documents.exe",
"%SystemDrive%\Documents and.exe",
"%SystemDrive%\Program.exe" or
"%SystemDrive%\Program Files.exe"
(and of course their localized variants too).
The error is triggered for example via <about:chrome> resp. the
"About chrome" menu: Google Chrome starts a search for updates,
and if it finds one, runs chrome_updater.exe which then calls
CreateProcess() with an UNQUOTED pathname in the command line
C:\Documents and Settings\...\Local Settings\Application
Data\Google\Chrome\Application\38.0.2125.111\Installer\setup.exe --update-setup-exe="C:\Documents and Settings\...
or
C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.111\Installer\setup.exe --update-setup-exe="C:\Users\...
JFTR: note the properly quoted arguments.-(
From <http://msdn.microsoft.com/library/ms682425.aspx>:
| For example, consider the string "c:\program files\sub dir\program name".
| This string can be interpreted in a number of ways.
| The system tries to interpret the possibilities in the following order:
| c:\program.exe files\sub dir\program name
| c:\program files\sub.exe dir\program name
| c:\program files\sub dir\program.exe name
| c:\program files\sub dir\program name.exe
When one of the rogue programs is executed the update fails and
Google Chrome displays the text
| Update failed (error: 7)An error occurred while checking for updates:
| The installer encountered error "103"
"%USERPROFILE%\Local.exe" and "%USERPROFILE%\Local Settings\Application.exe"
can be created with standard user privileges and every process running
with the user's credentials.
JFTR: program installations in the user's profile are a COMPLETELY
insane idea!
"%SystemDrive%\Documents.exe", "%SystemDrive%\Documents and.exe",
"%SystemDrive%\Program.exe" and "%SystemDrive%\Program Files.exe"
can (typically) only be created with administrative privileges.
But since every user account created during Windows setup has
administrative rights, the typical Windows user can create these
rogue program(s).
JFTR: no, the "user account control" is not a security boundary!
From <http://support.microsoft.com/kb/2526083>:
| Same-desktop Elevation in UAC is not a security boundary and can
| be hijacked by unprivileged software that runs on the same desktop.
| Same-desktop Elevation should be considered a convenience feature,
| and from a security perspective, "Protected Administrator" should
| be considered the equivalent of "Administrator."
This bug is fixed in the just released Google Chrome 39.
regards
Stefan Kanthak
PS: To catch all instances of this beginners error download
<http://home.arcor.de/skanthak/download/SENTINEL.CMD>,
<http://home.arcor.de/skanthak/download/SENTINEL.DLL>,
<http://home.arcor.de/skanthak/download/SENTINEL.EXE> and
<http://home.arcor.de/skanthak/download/SENTINEL.REG>, then read
and run the script SENTINEL.CMD
When run in an interactive session SENTINEL.EXE and SENTINEL.DLL
display a message box showing the command line which led to their
execution, the working directory and if possible the pathname/
filename of the caller, as shown in
<http://home.arcor.de/skanthak/download/SENTINEL.PNG>
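The following Python script is an added example, not code from the post above or from Google; it models the CreateProcess() lookup order quoted from MSDN, applied to command lines constructed after the two shown in the post. The user name "alice" in the constructed path is a placeholder. `hijack_points()` lists the files an attacker would plant, and `quoted_command_line()` builds the form that resolves to exactly one program.

```python
"""Model of the CreateProcess() lookup order for an unquoted program path.

Added example; not code from the original post or from Google. It
implements the interpretation order quoted from MSDN: at every space in
the unquoted path, the prefix is tried as the program name (".exe" is
appended when that prefix has no extension) before the full path is.
"""


def _with_default_extension(name: str) -> str:
    """Append ".exe" when the last path component has no extension."""
    last = name.rsplit("\\", 1)[-1]
    return name if "." in last else name + ".exe"


def resolution_order(command_line: str) -> list:
    """Return the file names CreateProcess() tries, in order, for the
    program part of lpCommandLine.

    A program path wrapped in double quotes resolves to exactly one
    name, which is why quoting the executable is the fix. Unquoted,
    every space is a possible end of the program name.
    """
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return [command_line[1:end] if end > 0 else command_line[1:]]
    names = []
    for i, ch in enumerate(command_line):
        if ch == " ":
            names.append(_with_default_extension(command_line[:i]))
    names.append(_with_default_extension(command_line))
    return names


def hijack_points(exe_path: str) -> list:
    """Files that, if present, run INSTEAD of the intended program.

    exe_path is the intended program path without arguments; everything
    before the last candidate is tried first.
    """
    return resolution_order(exe_path)[:-1]


def quoted_command_line(exe_path: str, *args: str) -> str:
    """Build the lpCommandLine the updater should have used: the program
    path in double quotes, then the (already quoted) arguments."""
    return " ".join(['"%s"' % exe_path] + list(args))


# Constructed inputs modelled on the two command lines in the post; the
# user name "alice" is a placeholder, not taken from the post.
XP_SETUP = (r"C:\Documents and Settings\alice\Local Settings\Application Data"
            r"\Google\Chrome\Application\38.0.2125.111\Installer\setup.exe")
WIN7_SETUP = (r"C:\Program Files (x86)\Google\Chrome\Application"
              r"\38.0.2125.111\Installer\setup.exe")

if __name__ == "__main__":
    for path in (XP_SETUP, WIN7_SETUP):
        print("Unquoted:", path)
        for name in hijack_points(path):
            print("  tried first:", name)
        fixed = quoted_command_line(path, '--update-setup-exe="..."')
        print("Quoted resolves to:", resolution_order(fixed))
```

Run the script to see, for the XP-style path, exactly the four files named in the post (Documents.exe, "Documents and.exe", Local.exe, Application.exe) and, for the Win7-style path, Program.exe and "Program Files.exe"; the quoted form yields a single candidate.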
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/