Full Disclosure mailing list archives

Re: Beginners error: iTunes for Windows runs rogue program C:\Program.exe when opening associated files

From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Thu, 1 May 2014 00:00:19 +0200

"Gynvael Coldwind" <gynvael () coldwind pl> wrote:

Well spotted.


Thanks.
It's but a shame that such silly beginners errors are still present in
current software.

I didn't bother to look specifically for it since my "customers" and I
used german versions of Windows NT5.x until now, where %ProgramFiles%
is C:\Programme, without a space.

I also installed mal^Wsoftware like Microsoft Office or Mozilla Firefox
not into their default locations %ProgramFiles%\Microsoft Office or
%ProgramFiles%\Mozilla Firefox, but used C:\Programme\Microsoft\Office
resp. C:\Programme\Mozilla\Firefox instead to mitigate such errors.

That said, don't you have to be an admin to be able to create files in
these directories anyway?


Yes. But I mentioned that:

| Since every user account created during Windows setup has administrative
| rights every user owning such an account can create the rogue program,
| resulting in a privilege escalation.
|
| JFTR: no, the "user account control" is not a security boundary!

Of course an administrator has many more ways to run a program under
another user account. But this one is for dummies.

So this is only exploitable on FAT, or by admin, or if the ACLs are
set incorrectly right?


Correct (but FAT cant be used any more for the boot partition of Windows
Vista and later).

These silly beginners errors but show that neither the developers nor
their QA are doing their jobs well.-(
And if they did not spot such simple errors, what about the "real" bugs?

Unfortunately Apple is not the only culprit.

Some WHQL-signed drivers run C:\Program.exe under "LocalSystem" account
during their installation ($VENDOR, you know who you are, I reported this
bug some years ago, and you did not react at all), quite some application
packages of major companies install services running under "LocalSystem"
account with ImagePath=C:\Program Files\... or COM-out-of-process servers
with LocalServer32=C:\Program Files\..., and installer creators like NSIS
MSI or InstallShield dont help their users to avoid this silly beginners
error (see <http://seclists.org/fulldisclosure/2013/May/14> and
<http://seclists.org/fulldisclosure/2013/May/37> for just the tip of the
iceberg).

"navigare^Wsoftware engineering necesse est!"

regards
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

Re: Beginners error: iTunes for Windows runs rogue program C:\Program.exe when opening associated files Mike Cramer (May 01)
- Re: Beginners error: iTunes for Windows runs rogue program C:\Program.exe when opening associated files Alton Blom (May 01)
  - Re: Beginners error: iTunes for Windows runs rogue program C:\Program.exe when opening associated files Mike Cramer (May 01)
- <Possible follow-ups>
- Re: Beginners error: iTunes for Windows runs rogue program C:\Program.exe when opening associated files Stefan Kanthak (May 01)
- Re: Beginners error: iTunes for Windows runs rogue program C:\Program.exe when opening associated files Walt Williams (May 01)
- Re: Beginners error: iTunes for Windows runs rogue program C:\Program.exe when opening associated files Stefan Kanthak (May 16)