Message-ID: <3D3CFD5099E942F09F0E58E117FA0474@W340>
Date: Thu, 16 Feb 2017 16:03:19 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] "long" filenames mishandled by Fujitsu's ScanSnap software
Hi @ll,

Fujitsu's ScanSnap software installers WinSSInstiX500WW1.exe
and WinSSInstS1100iWW1.exe, available from
<http://www.fujitsu.com/global/support/products/computing/peripheral/scanners/scansnap/software/ix500w-installer.html>
and
<http://www.fujitsu.com/global/support/products/computing/peripheral/scanners/scansnap/software/s1100i.html>,
execute C:\Program.exe multiple times near the end of the
installation process.

I'm VERY confident that the installers for other scanner models
show the same vulnerability.

Culprit is the program SSInst.exe, which fails to quote the command
lines

    C:\Program Files\PFU\ScanSnap\SSFolder\SSFolderTray.exe /e /u
    C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe /ini
    C:\Program Files\PFU\ScanSnap\Driver\SsWifiTool\PfuSsWiFiToolStart.exe /s
    C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe /SSType

properly; since SSInst.exe runs with administrative privileges,
C:\Program.exe is executed with administrative privileges too.

For this well-known and well-documented beginner's error see
<https://cwe.mitre.org/data/definitions/428.html> as well as
<https://msdn.microsoft.com/en-us/library/ms682425.aspx#Security_Remarks>

JFTR: Microsoft introduced "long" filenames more than 20 years ago.

Stay away from the crapware shipped with Fujitsu's scanners!

stay tuned
Stefan Kanthak

Timeline:
~~~~~~~~~

2017-01-28    vulnerability report sent to vendor

              no reply, not even an acknowledgement of receipt

2017-02-05    vulnerability report resent to vendor

2017-02-06    vendor hotline forwards report to product team,
              asking for support

2017-02-08    mail from vendor's technical support, subject
              "Your Request from 08.02.2017"

              "Unfortunately this request can not be processed via
               this mailadress."

2017-02-09    which request?
              I did not send a request on 2017-02-08

2017-02-10    mail from vendor's technical support, subject
              "Your Request from 10.02.2017"

              "Sorry, this was a mistake from me.
               You get info about the security alert on Monday or
               Tuesday next weak."

2017-02-14    status request sent to vendor:
              "Tuesday has passed..."

2017-02-16    mail from vendor's technical support, subject
              "Your Request from 16.02.2017"

              "Unfortunately we can really not help in this case.
               Try to contact ... support team"

              No, I don't run around in circles!
              I contacted them already.

2017-02-16    report published

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
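
Added example, not part of the original message and not vendor code: a small auditing helper that lists the paths CreateProcess would try ahead of the intended executable when it is handed one of the unquoted command lines above with no application name, following the search behaviour documented in the linked Security Remarks. The function names `hijack_candidates` and `quoted_cmdline` are hypothetical, and the helper assumes the intended target is the first prefix ending in ".exe".

```python
import ntpath
import re

# The four unquoted command lines quoted in the advisory above.
CMDLINES = [
    r"C:\Program Files\PFU\ScanSnap\SSFolder\SSFolderTray.exe /e /u",
    r"C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe /ini",
    r"C:\Program Files\PFU\ScanSnap\Driver\SsWifiTool\PfuSsWiFiToolStart.exe /s",
    r"C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe /SSType",
]


def hijack_candidates(cmdline):
    """Paths tried before the intended .exe when the module name is unquoted."""
    cmdline = cmdline.lstrip()
    if cmdline.startswith('"'):
        return []  # quoted module name: nothing ambiguous to parse
    candidates = []
    # Every whitespace run is a possible end of the module name.
    ends = [m.start() for m in re.finditer(r"[ \t]+", cmdline)]
    ends.append(len(cmdline))
    for end in ends:
        prefix = cmdline[:end]
        # Assumption: the intended target is the first prefix ending in ".exe".
        if prefix.lower().endswith(".exe"):
            break
        # A name without an extension gets ".exe" appended.
        name = ntpath.basename(prefix)
        candidates.append(prefix if "." in name else prefix + ".exe")
    return candidates


def quoted_cmdline(exe_path, args=""):
    """Command line with the module name quoted, as the caller should build it."""
    return f'"{exe_path}" {args}'.rstrip()


if __name__ == "__main__":
    for line in CMDLINES:
        print(line, "->", hijack_candidates(line))
```

Any path this returns should not be creatable by unprivileged users; the fix on the caller's side is the quoted form, for which the helper returns an empty list.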