Full Disclosure mailing list archives

By Date By Thread Beginners error: Apple's Software Update runs rogue program C:\Program.exe (and some more) From: "Stefan Kanthak" <stefan.kanthak () nexgo de>

Date: Sat, 16 Aug 2014 19:58:59 +0200

Hi @ll, "C:\Program Files\Apple Software Update\SoftwareUpdate.exe", part of Apple's Software Update and installed together with iTunes, QuickTime and other of Apple's crap for Windows, is periodically called with the argument "-task". This invokes the COM server {91A9E6A9-3935-4A37-AFBA-F0904B166364} alias AppleSoftwareUpdate.ASUInstallhost, implemented in the DLL C:\Program Files\Apple Software Update\SoftwareUpdateAdmin.Dll This COM server runs with administrative rights and executes the command line C:\Program Files\Apple Software Update\SoftwareUpdate.exe -background without properly quoted pathname, resulting in the execution of one of the rogue programs "C:\Program.exe", "C:\Program Files\Apple.exe" or "C:\Program Files\Apple Software.exe" (on x86) resp. "C:\Program.exe", "C:\Program Files.exe", "C:\Program Files (x86)\Apple.exe" or "C:\Program Files\Apple Software.exe" (on x64) with administrative rights. From <http://msdn.microsoft.com/library/cc144175.aspx> or <http://msdn.microsoft.com/library/cc144101.aspx>: | Note: If any element of the command string contains or might contain ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | spaces, it must be enclosed in quotation marks. Otherwise, if the ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | element contains a space, it will not parse correctly. For instance, | "My Program.exe" starts the application properly. If you use | My Program.exe without quotation marks, then the system attempts to | launch My with Program.exe as its first command line argument. Since every user account created during Windows setup has administrative rights every user owning such an account can create the rogue program(s), resulting in a privilege escalation. JFTR: no, the "user account control" is not a security boundary! From <http://support.microsoft.com/kb/2526083>: | Same-desktop Elevation in UAC is not a security boundary and can be hijacked | by unprivileged software that runs on the same desktop. Same-desktop | Elevation should be considered a convenience feature, and from a security | perspective, "Protected Administrator" should be considered the equivalent | of "Administrator." regards Stefan Kanthak _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: Beginners error: Apple's Software Update runs rogue program C:\Program.exe (and some more) Stefan Kanthak (Aug 16)