Hi @ll,

Fujitsu's <http://www.fsc-pc.de/> factory preinstallation (as found on a
Fujitsu Lifebook A512 purchased a month ago) of Windows 8 Professional x64
(I'm VERY confident that other variants of Fujitsu's Windows 8 factory
installation are just the like) has the following vulnerabilities which
can lead to code execution in the context of the LocalSystem account.


A. Command lines with unquoted paths containing spaces:

A.1: Norton INSecurity Suite 201x

     [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NIS]
     "UninstallString"="C:\\Program Files (x86)\\NortonInstaller\\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\\NIS\\A5E82D02\\20.0.0.136\\InstStub.exe /X /ARP"

A.2: FJ camera installer

     [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{399C37FB-08AF-493B-BFED-20FBD85EDF7F}]
     "UninstallString"="C:\\Program Files (x86)\\InstallShield Installation Information\\{399C37FB-08AF-493B-BFED-20FBD85EDF7F}\\setup.exe -runfromtemp -l0x0009 -removeonly"

A.3: Intel MEI driver installer

     [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}]
     "UninstallString"="C:\\Program Files (x86)\\Intel\\Intel (R) Management Engine Components\\Uninstall\\setup.exe -uninstall"

A.4: Intel graphics driver installer

     [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}]
     "UninstallString"="C:\\Program Files (x86)\\Intel\\Intel (R) Processor Graphics\\Uninstall\\setup.exe -uninstall"

     JFTR: all these "driver installers" are completely superfluous!
           WHQL-signed drivers (a precondition for x64) have an *.INF
           (a precondition for WHQL qualification) with all necessary
           instructions, Windows 95 (!) and later find these *.INF via

           [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion]
           "DriverPath"="C:\Windows\Inf;<more paths>;..."

A.5: Intel OpenCL SDK

     [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}]
     "UninstallString"="C:\\Program Files (x86)\\Intel\\OpenCL SDK\\2.0\\Uninstall\\setup.exe -uninstall"


Additionally various preinstalled applications come with vulnerable
and/or outdated 3rd-party components.


B. Vulnerable and/or outdated 3rd-party components in multiple (mostly)
   superfluous applications:

B.1: Version 1.2.3 of ZLIB1.DLL (<http://zlib.net/>) in
     "C:\Program Files\Intel\WiFi\bin\"

     From <http://zlib.net/>:

     | All users are encouraged to upgrade immediately.

B.2: SSLEAY32.DLL and LIBEAY32.DLL from version 1.0.0g of OpenSSL
     (<http://www.openssl.org/>) in
     "C:\Program Files\Intel\iCLS Client\" and
     "C:\Program Files (x86)\Intel\iCLS Client\"

B.3: Version 9.0.30729.4926 of MSVC*90.DLL alias
     "Microsoft Visual C++ 2008 SP1 Runtime" in
     "C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x86\" and
     "C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x64\"

     See <http://support.microsoft.com/kb/2538243> resp.
     <http://technet.microsoft.com/security/bulletin/ms11-025>
     as well as <http://support.microsoft.com/kb/835322> to avoid
     such silly errors!

B.4: Version 9.0.21022.8 of MSVC*90.DLL alias
     "Microsoft Visual C++ 2008 RTM Runtime" in
     "C:\Program Files (x86)\CyberLink\YouCam\subsys\PyFaceLogin\"

     Same as B.3.

B.5: Version 8.0.50727.42 of MSVC*80.DLL alias
     "Microsoft Visual C++ 2005 RTM Runtime" in
     "C:\Program Files (x86)\CyberLink\YouCam\subsys\YouCam\" and
     "C:\Program Files (x86)\CyberLink\YouCam\subsys\YouCam\MPEG\"

     This version is end-of-life and has known but UNFIXED
     vulnerabilities, see
     <http://technet.microsoft.com/security/bulletin/ms09-035> and
     <http://technet.microsoft.com/security/bulletin/ms11-025>

B.6: Version 10.0.40219.1 of MSVC*100.DLL alias
     "Microsoft Visual C++ 2010 SP1 Runtime" in MULTIPLE subdirectories of
     "C:\Program Files (x86)\Norton Internet Security\Engine\" and
     "C:\Program Files (x86)\NortonInstaller\"

     See <http://support.microsoft.com/kb/2565063> resp.
     <http://technet.microsoft.com/security/bulletin/ms11-025>
     as well as <http://support.microsoft.com/kb/835322> to avoid
     such silly errors!

     JFTR: the current version 10.0.40219.325 of
           "Microsoft Visual C++ 2010 SP1 Runtime" is but installed in
           "C:\Windows\System32\" as well as "C:\Windows\SysWoW64\",
           the private copies made by Norton INSecurity are superfluous
           too!

B.7: Version 5.2.7127.0 of GDIPLUS.DLL in
     "C:\Program Files (x86)\Cyberlink\YouCam\OLRSubmission\" and
     "C:\Program Files (x86)\Cyberlink\YouCam\subsys\BigBang\Runtime\"

     GDIPLUS.DLL is a Windows system component which MUST NOT be
     redistributed and installed by 3rd party software.
     Windows 8 contains version 6.2.9200.16384 and newer of this DLL.

B.8: Version 7.0.7127.0 of MSVCP60.DLL in
     "C:\Program Files (x86)\Cyberlink\YouCam\subsys\BigBang\Runtime\"

     MSVCP60.DLL is a Windows system component which MUST NOT be
     redistributed and installed by 3rd party software.
     Windows 8 contains version 6.2.9200.16384 and newer of this DLL.


JFTR: no, I don't blame Fujitsu for the faults of Norton/Symantec,
      InstallShield, Intel or Cyberlink, but I blame Fujitsu for
      including this superfluous crapware in their factory
      preinstallation!


Timeline:
~~~~~~~~~

2013-04-22    informed vendor

2013-04-24    vendor replied:
              the preinstalled software has been selected according to
              current standards and was qualified by us, but we don't
              guarantee anything; it's the responsibility of their resp.
              vendors to provide updates, so look yourself for updates
              and security fixes.

2013-04-26    asked vendor:
              please elaborate your "standards" and your qualification
              process

              no answer

2013-05-05    report published


Stefan Kanthak

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
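
An audit check for the finding in section A, added here as an example and not part of the original post: it flags an UninstallString whose executable path contains spaces but is not quoted, and emits the quoted form as the fix. The names audit() and EXE_END and the "quoted" control value are constructed for illustration; it assumes the caller hands the string to CreateProcess as the command line, which resolves an unquoted path by trying each space-delimited prefix in turn.

```python
import re

# UninstallString values from section A of the post (.reg "\\" unescaped).
UNINSTALL_STRINGS = {
    "A.1": r"C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}"
           r"\NIS\A5E82D02\20.0.0.136\InstStub.exe /X /ARP",
    "A.3": r"C:\Program Files (x86)\Intel\Intel (R) Management Engine Components"
           r"\Uninstall\setup.exe -uninstall",
    # Constructed control value: already quoted, must not be flagged.
    "quoted": r'"C:\Program Files (x86)\Intel\OpenCL SDK\2.0\Uninstall\setup.exe" -uninstall',
}

# End of the intended executable: an executable extension followed by
# whitespace or end of string.
EXE_END = re.compile(r"\.(?:exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)


def audit(cmdline):
    """Return None if the executable path is unambiguous, else a finding."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        return None                      # quoted path: a single interpretation
    m = EXE_END.search(cmd)
    if not m:
        return None                      # no executable token; out of scope here
    exe, args = cmd[:m.end()], cmd[m.end():]
    if " " not in exe:
        return None                      # nothing to misparse
    # Each space inside the path is a point where the unquoted string can be
    # split earlier than the author intended. An auditor verifies that none
    # of these prefixes (with ".exe" appended) exists as a file.
    earlier = [exe[:i] for i, ch in enumerate(exe) if ch == " "]
    return {"intended": exe, "earlier_parses": earlier, "fixed": f'"{exe}"{args}'}


def findings(values=UNINSTALL_STRINGS):
    """Map each flagged entry name to its finding."""
    return {k: f for k, v in values.items() if (f := audit(v)) is not None}


if __name__ == "__main__":
    for name, f in findings().items():
        print(name, "unquoted,", len(f["earlier_parses"]), "earlier parses")
        print("  fix:", f["fixed"])
```

On a live system the same function can be fed the UninstallString values read from the Uninstall keys under HKLM, including the Wow6432Node view.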