Hi @ll,

Fujitsu's <http://www.fsc-pc.de/> factory preinstallation (as
found on a Fujitsu Lifebook A512 purchased a month ago) of
Windows 8 Professional x64 (I'm VERY confident that other
variants of Fujitsu's Windows 8 factory installation are just
alike) has the following vulnerabilities which can lead to
code execution in the context of the LocalSystem account.


A. Command lines with unquoted paths containing spaces:

A.1: Norton INSecurity Suite 201x

     [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NIS]
     "UninstallString"="C:\\Program Files (x86)\\NortonInstaller\\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\\NIS\\A5E82D02\\20.0.0.136\\InstStub.exe /X /ARP"


A.2: FJ camera installer

     
     [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{399C37FB-08AF-493B-BFED-20FBD85EDF7F}]
     "UninstallString"="C:\\Program Files (x86)\\InstallShield Installation Information\\{399C37FB-08AF-493B-BFED-20FBD85EDF7F}\\setup.exe -runfromtemp -l0x0009 -removeonly"


A.3: Intel MEI driver installer

     
     [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}]
     "UninstallString"="C:\\Program Files (x86)\\Intel\\Intel (R) Management Engine Components\\Uninstall\\setup.exe -uninstall"


A.4: Intel graphics driver installer
     
     [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}]
     "UninstallString"="C:\\Program Files (x86)\\Intel\\Intel (R) Processor Graphics\\Uninstall\\setup.exe -uninstall"


JFTR: all these "driver installers" are completely superfluous!

      WHQL-signed drivers (a precondition for x64) have an *.INF
      (a precondition for  WHQL qualification) with all necessary
      instructions, Windows 95 (!) and later find these *.INF via

      [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion]
      "DriverPath"="C:\Windows\Inf;<more paths>;..."


A.5: Intel OpenCL SDK

     
     [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}]
     "UninstallString"="C:\\Program Files (x86)\\Intel\\OpenCL SDK\\2.0\\Uninstall\\setup.exe -uninstall"


Additionally various preinstalled applications come with vulnerable
and/or outdated 3rd-party components.


B. Vulnerable and/or outdated 3rd-party components in multiple (mostly)
   superfluous applications:

B.1: Version 1.2.3 of ZLIB1.DLL (<http://zlib.net/>)
     in "C:\Program Files\Intel\WiFi\bin\"

     From <http://zlib.net/>:

     | All users are encouraged to upgrade immediately.


B.2: SSLEAY32.DLL and LIBEAY32.DLL from version 1.0.0g of OpenSSL
     (<http://www.openssl.org/>)
     in "C:\Program Files\Intel\iCLS Client\"
     and  "C:\Program Files (x86)\Intel\iCLS Client\"


B.3: Version 9.0.30729.4926 of MSVC*90.DLL alias "Microsoft Visual
     C++ 2008 SP1 Runtime"
     in "C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x86\"
     and "C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x64\"

     See <http://support.microsoft.com/kb/2538243> resp.
     <http://technet.microsoft.com/security/bulletin/ms11-025>
     as well as <http://support.microsoft.com/kb/835322> to avoid
     such silly errors!


B.4: Version 9.0.21022.8 of MSVC*90.DLL alias "Microsoft Visual C++
     2008 RTM Runtime"
     in "C:\Program Files (x86)\CyberLink\YouCam\subsys\PyFaceLogin\"

     Same as B.3.


B.5: Version 8.0.50727.42 of MSVC*80.DLL alias "Microsoft Visual C++
     2005 RTM Runtime"
     in "C:\Program Files (x86)\CyberLink\YouCam\subsys\YouCam\"
     and "C:\Program Files (x86)\CyberLink\YouCam\subsys\YouCam\MPEG\"

     This version is end-of-life and has known but UNFIXED vulnerabilities,
     see <http://technet.microsoft.com/security/bulletin/ms09-035>
      and <http://technet.microsoft.com/security/bulletin/ms11-025>


B.6: Version 10.0.40219.1 of MSVC*100.DLL alias "Microsoft Visual C++
     2010 SP1 Runtime" in MULTIPLE subdirectories of
     "C:\Program Files (x86)\Norton Internet Security\Engine\"
     and "C:\Program Files (x86)\NortonInstaller\"

     See <http://support.microsoft.com/kb/2565063> resp.
     <http://technet.microsoft.com/security/bulletin/ms11-025>
     as well as <http://support.microsoft.com/kb/835322> to avoid
     such silly errors!


JFTR: the current version 10.0.40219.325 of "Microsoft Visual C++
      2010 SP1 Runtime" is but installed in "C:\Windows\System32\"
      as well as "C:\Windows\SysWoW64\", the private copies made by
      Norton INSecurity are superfluous too!


B.7: Version 5.2.7127.0 of GDIPLUS.DLL
     in "C:\Program Files (x86)\Cyberlink\YouCam\OLRSubmission\"
     and  "C:\Program Files (x86)\Cyberlink\YouCam\subsys\BigBang\Runtime\"

     GDIPLUS.DLL is a Windows system component which MUST NOT be
     redistributed and installed by 3rd party software.

     Windows 8 contains version 6.2.9200.16384 and newer of this DLL.


B.8: Version 7.0.7127.0 of MSVCP60.DLL
     in "C:\Program Files (x86)\Cyberlink\YouCam\subsys\BigBang\Runtime\"

     MSVCP60.DLL is a Windows system component which MUST NOT be
     redistributed and installed by 3rd party software.

     Windows 8 contains version 6.2.9200.16384 and newer of this DLL.


JFTR: no, I don't blame Fujitsu for the faults of Norton/Symantec,
      InstallShield, Intel or Cyberlink, but I blame Fujitsu for
      including this superfluous crapware in their factory
      preinstallation!


Timeline:
~~~~~~~~~

2013-04-22    informed vendor

2013-04-24    vendor replied:
              the preinstalled software has been selected according to
              current standards and was qualified by us, but we don't
              guarantee anything; it's the responsibility of their resp.
              vendors to provide updates, so look yourself for updates
              and security fixes.

2013-04-26    asked vendor:
              please elaborate your "standards" and your qualification
              process

              no answer

2013-05-05    report published


Stefan Kanthak

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
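
Added example, not part of the original advisory: a Python check for the defect class in section A, which flags an UninstallString whose unquoted image path contains spaces, lists the earlier interpretations that the documented CreateProcess parsing tries first, and emits the quoted form. The function names and the extension list are assumptions; A.1 and A.3 are the advisory's values with the .reg escaping removed, the other two samples are constructed.

```python
import re

# End of the image path in an unquoted command line (assumed extension set).
EXE_END = re.compile(r"\.(exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)

def audit_command_line(cmd):
    """Return None if cmd is unambiguous, else a dict describing the finding."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return None                      # image path is quoted
    m = EXE_END.search(cmd)
    if not m:
        return None                      # no recognisable image path
    image, args = cmd[:m.end()], cmd[m.end():].strip()
    if " " not in image:
        return None                      # no spaces, one interpretation only
    # CreateProcess splits an unquoted command line at each space in turn and
    # tries that prefix (with ".exe" appended) before the intended image.
    parts = image.split(" ")
    earlier = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    fixed = '"%s"' % image + (" " + args if args else "")
    return {"image": image, "earlier_interpretations": earlier, "fixed": fixed}

# A.1 and A.3 are the advisory's values with the .reg escaping removed;
# the last two entries are constructed to show the non-flagged cases.
SAMPLES = {
    "A.1": r"C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\A5E82D02\20.0.0.136\InstStub.exe /X /ARP",
    "A.3": r"C:\Program Files (x86)\Intel\Intel (R) Management Engine Components\Uninstall\setup.exe -uninstall",
    "quoted (constructed)": r'"C:\Program Files\Example\setup.exe" -uninstall',
    "no spaces (constructed)": r"C:\Windows\System32\msiexec.exe /X{00000000-0000-0000-0000-000000000000}",
}

def audit_all(values):
    """Map each flagged entry name to its finding."""
    findings = {}
    for name, cmd in values.items():
        result = audit_command_line(cmd)
        if result:
            findings[name] = result
    return findings

if __name__ == "__main__":
    for name, f in audit_all(SAMPLES).items():
        print(name, "->", f["fixed"])
        for p in f["earlier_interpretations"]:
            print("    also parsed as:", p)
```
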
