Full Disclosure mailing list archives
Re: Beginners error: iTunes for Windows runs rogue program C:\Program.exe when opening associated files
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Thu, 1 May 2014 00:00:19 +0200
"Gynvael Coldwind" <gynvael () coldwind pl> wrote:
> Well spotted.
Thanks. It's but a shame that such silly beginners errors are still present in current software. I didn't bother to look specifically for it since my "customers" and I used German versions of Windows NT5.x until now, where %ProgramFiles% is C:\Programme, without a space. I also installed mal^Wsoftware like Microsoft Office or Mozilla Firefox not into their default locations %ProgramFiles%\Microsoft Office or %ProgramFiles%\Mozilla Firefox, but used C:\Programme\Microsoft\Office resp. C:\Programme\Mozilla\Firefox instead to mitigate such errors.
> That said, don't you have to be an admin to be able to create files in these directories anyway?
Yes. But I mentioned that:

| Since every user account created during Windows setup has administrative
| rights every user owning such an account can create the rogue program,
| resulting in a privilege escalation.
|
| JFTR: no, the "user account control" is not a security boundary!

Of course an administrator has many more ways to run a program under another user account. But this one is for dummies.
> So this is only exploitable on FAT, or by admin, or if the ACLs are set incorrectly right?
Correct (but FAT can't be used any more for the boot partition of Windows Vista and later).

These silly beginners errors but show that neither the developers nor their QA are doing their jobs well.-( And if they did not spot such simple errors, what about the "real" bugs?

Unfortunately Apple is not the only culprit. Some WHQL-signed drivers run C:\Program.exe under "LocalSystem" account during their installation ($VENDOR, you know who you are, I reported this bug some years ago, and you did not react at all), quite some application packages of major companies install services running under "LocalSystem" account with ImagePath=C:\Program Files\... or COM-out-of-process servers with LocalServer32=C:\Program Files\..., and installer creators like NSIS, MSI or InstallShield don't help their users to avoid this silly beginners error (see <http://seclists.org/fulldisclosure/2013/May/14> and <http://seclists.org/fulldisclosure/2013/May/37> for just the tip of the iceberg).

"navigare^Wsoftware engineering necesse est!"

regards
Stefan Kanthak
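An added example, not part of the original message: an offline audit sketch that flags unquoted command lines of the kind described above (ImagePath or LocalServer32 values containing a space). It models the documented CreateProcess parsing used when no application name is given; the function names and the sample registry values are constructed for illustration.

```python
import ntpath

def candidates(command_line):
    """Executable paths tried in order for a command line passed without
    an explicit application name (CreateProcess-style parsing)."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        # Quoted image path: unambiguous, only one candidate.
        return [cmd[1:].split('"', 1)[0]]
    tokens = cmd.split(" ")
    tried = []
    for i in range(1, len(tokens) + 1):
        if not tokens[i - 1]:
            continue  # skip empty tokens produced by repeated spaces
        prefix = " ".join(tokens[:i])
        if ntpath.splitext(prefix)[1]:
            tried.append(prefix)
            if prefix.lower().endswith(".exe"):
                break  # reached the image the author meant to run
        else:
            tried.append(prefix + ".exe")  # ".exe" is appended if no extension
    return tried

def hijack_points(command_line):
    """Paths that would run instead of the intended image if they existed."""
    return candidates(command_line)[:-1]

def audit(entries):
    """Map each entry name to its hijack points; safe entries are omitted."""
    findings = {}
    for name, value in entries.items():
        points = hijack_points(value)
        if points:
            findings[name] = points
    return findings

# Constructed sample values, shaped like service ImagePath entries.
SAMPLE = {
    "ExampleSvc": r"C:\Program Files\Example Vendor\Agent\agent.exe -service",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\Agent\agent.exe" -service',
    "SysSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, points in audit(SAMPLE).items():
        print(name, "-> quote the path; earlier candidates:", points)
```

Quoting the image path, as in the constructed QuotedSvc entry, leaves a single candidate and removes the ambiguity.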