Re: Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe

["Stefan Kanthak" <stefan.kanthak () nexgo de>]

"Tavis Ormandy" <taviso-1TlbntoI6+xF6kxbq+BtvQ () public gmane org> wrote:

> "Stefan Kanthak" <stefan.kanthak-i47jiTeKxPI () public gmane org> wrote:
>
> > Hi @ll,
> >
> > several programs of the current Windows 7 driver software for the "HP
> > OfficeJet 6700" multifunction device execute a rogue program
> > C:\Program.exe
>
> It sounds like a bug, but why is this a security issue?

It's a DoS too.
But in the first hand its just AWFUL BAD coding and SLOPPY QA: "long"
filenames with embedded spaces exist for more than 20 years in Windows,
but some paid dimwits in companies like HP, Microsoft, McAfee, Synaptics,
... still dont get their code right.

> I can only imagine two possible scenarios
>
> 1. You've somehow made the root parition FAT32, in which case you're using a
> non-securable filesystem; Therefore not a security issue.
> 2. You've set a bad ACL on the root directory, therefore user error.

3. You think Windows' "user account control" is a security boundary.

UAC is but NOT a security boundary:

<http://technet.microsoft.com/magazine/2007.06.uac.aspx>

| Elevations and Security Boundaries
...

<http://support.microsoft.com/kb/2526083>

| Same-desktop Elevation in UAC is not a security boundary and can be hijacked
| by unprivileged software that runs on the same desktop. Same-desktop
| Elevation should be considered a convenience feature, and from a security
| perspective, "Protected Administrator" should be considered the equivalent
| of "Administrator."

<http://blogs.technet.com/b/markrussinovich/archive/2007/02/12/638372.aspx>

| It should be clear then, that neither UAC elevations nor Protected Mode IE
| define new Windows security boundaries. Microsoft has been communicating
| this but I want to make sure that the point is clearly heard.

<http://download.microsoft.com/download/0/e/9/0e922c03-8537-482f-b57c-aa385b3dee20/Security_Best_Practice_Guidance_for_Consumers.doc
>

| It's very important to remember that UAC prompts are not a security boundary
| - they don't offer direct protection.

> If you believe otherwise, please post details, as that would be an
> interesting discovery.

Every user account created during Windows setup is an administrator account,
so every user can create C:\Program.exe

Microsoft tries to sell "defense in depth" to their customers since they
started their "trustworthy computing" about 13 years ago. But they still
create administrator accounts during Windows setup, CreateProcess() still
has the idiosyncrazy to execute C:\Program.exe, and the WHQL certification
still let drivers pass which execute C:\Program.exe during installation and
operation.

This bad practice then yields software like the HP drivers.

regards
Stefan Kanthak


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/