Message-ID: <2F43DEF739F14E1381C956EC7D60FAB5@W340>
Date: Thu, 20 Nov 2014 17:43:36 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Beginners error: "Google update" runs rogue programs %USERPROFILE%\Local.exe, %USERPROFILE%\Local Settings\Application.exe, %SystemDrive%\Documents.exe, %SystemDrive%\Program.exe, ...

Hi @ll,

Google update, which is installed together with Google Chrome and other
Google products, resp. the Chrome updater run the rogue programs
"%USERPROFILE%\Local.exe", "%USERPROFILE%\Local Settings\Application.exe",
"%SystemDrive%\Documents.exe", "%SystemDrive%\Documents and.exe",
"%SystemDrive%\Program.exe" or "%SystemDrive%\Program Files.exe"
(and of course their localized variants too).

The error is triggered for example via <about:chrome> resp. the
"About chrome" menu: Google Chrome starts a search for updates, and if
it finds one, runs chrome_updater.exe which then calls CreateProcess()
with an UNQUOTED pathname in the command line

C:\Documents and Settings\...\Local Settings\Application Data\Google\Chrome\Application\38.0.2125.111\Installer\setup.exe --update-setup-exe="C:\Documents and Settings\...

or

C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.111\Installer\setup.exe --update-setup-exe="C:\Users\...

JFTR: note the properly quoted arguments.-(

From <http://msdn.microsoft.com/library/ms682425.aspx>:

| For example, consider the string "c:\program files\sub dir\program name".
| This string can be interpreted in a number of ways.
| The system tries to interpret the possibilities in the following order:
|     c:\program.exe files\sub dir\program name
|     c:\program files\sub.exe dir\program name
|     c:\program files\sub dir\program.exe name
|     c:\program files\sub dir\program name.exe

When one of the rogue programs is executed the update fails and Google
Chrome displays the text

| Update failed (error: 7)An error occurred while checking for updates:
| The installer encountered error "103"

"%USERPROFILE%\Local.exe" and "%USERPROFILE%\Local Settings\Application.exe"
can be created with standard user privileges and every process running
with the user's credentials.

JFTR: program installations in the user's profile are a COMPLETELY
insane idea!

"%SystemDrive%\Documents.exe", "%SystemDrive%\Documents and.exe",
"%SystemDrive%\Program.exe" and "%SystemDrive%\Program Files.exe" can
(typically) only be created with administrative privileges. But since
every user account created during Windows setup has administrative
rights the typical Windows user can create these rogue program(s).

JFTR: no, the "user account control" is not a security boundary!

From <http://support.microsoft.com/kb/2526083>:

| Same-desktop Elevation in UAC is not a security boundary and can
| be hijacked by unprivileged software that runs on the same desktop.
| Same-desktop Elevation should be considered a convenience feature,
| and from a security perspective, "Protected Administrator" should
| be considered the equivalent of "Administrator."

This bug is fixed in the just released Google Chrome 39.

regards
Stefan Kanthak

PS: To catch all instances of this beginners error download
<http://home.arcor.de/skanthak/download/SENTINEL.CMD>,
<http://home.arcor.de/skanthak/download/SENTINEL.DLL>,
<http://home.arcor.de/skanthak/download/SENTINEL.EXE> and
<http://home.arcor.de/skanthak/download/SENTINEL.REG>,
then read and run the script SENTINEL.CMD

When run in an interactive session SENTINEL.EXE and SENTINEL.DLL display
a message box showing the command line which led to their execution, the
working directory and if possible the pathname/filename of the caller,
as shown in <http://home.arcor.de/skanthak/download/SENTINEL.PNG>

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
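Added example, not part of the post above and not Google's updater code: it applies the CreateProcess() lookup order quoted from MSDN to an unquoted command line and lists the paths that would be tried before the intended setup.exe, so an administrator can verify that none of them exists or sits in a directory unprivileged users can write to. The sample command line with the user name "alice" is constructed from the post's elided path; the function names are chosen here.

```python
import ntpath
import os
from typing import Callable, List, Optional

def candidate_paths(command_line: str) -> List[str]:
    """Paths CreateProcess() tries, in order, for the program in command_line.
    Per the MSDN rule quoted in the post, every space in an unquoted module
    name may end it, so each prefix is tried in turn, with ".exe" appended
    when the prefix's last component has no extension. A quoted module name
    gives exactly one candidate."""
    cl = command_line.lstrip()
    if cl.startswith('"'):
        close = cl.find('"', 1)
        return [cl[1:close]] if close > 0 else []
    out: List[str] = []
    for cut in [i for i, ch in enumerate(cl) if ch == " "] + [len(cl)]:
        prefix = cl[:cut]
        if not prefix or prefix.endswith(" "):  # skip runs of blanks
            continue
        if "." not in ntpath.basename(prefix):
            prefix += ".exe"
        out.append(prefix)
    return out

def hijack_points(command_line: str, intended_exe: str) -> List[str]:
    """Candidates tried before the intended executable. A file at any of these
    paths runs instead of intended_exe, so an audit checks that none exists and
    that their directories are not writable by unprivileged users."""
    cands = candidate_paths(command_line)
    lowered = [c.lower() for c in cands]  # NTFS names are case-insensitive
    if intended_exe.lower() not in lowered:
        raise ValueError("intended executable not reachable from this command line")
    return cands[: lowered.index(intended_exe.lower())]

def resolve(command_line: str, exists: Callable[[str], bool] = os.path.exists) -> Optional[str]:
    """Emulate the lookup: the first candidate that exists is what runs."""
    for cand in candidate_paths(command_line):
        if exists(cand):
            return cand
    return None

# Constructed sample: the Chrome 38 updater command line from the post, with
# the elided user name replaced by the placeholder "alice".
CHROME_CMD = (r'C:\Documents and Settings\alice\Local Settings\Application Data'
              r'\Google\Chrome\Application\38.0.2125.111\Installer\setup.exe'
              r' --update-setup-exe="C:\Documents and Settings\alice"')
CHROME_EXE = CHROME_CMD.split(" --update-setup-exe=")[0]

if __name__ == "__main__":
    print("\n".join(hijack_points(CHROME_CMD, CHROME_EXE)))
```

Running it lists the four rogue paths the post names for a profile-based install (Documents.exe, Documents and.exe, Local.exe, Local Settings\Application.exe); the same function applied to the Program Files (x86) variant yields Program.exe and Program Files.exe.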