Re: Vulnerabilities in Windows 8 Professional x64 factory preinstallation of Fujitsu Lifebook A512 [continued]

"Stefan Kanthak" <stefan.kanthak@xxxxxxxx> · Thu, 9 May 2013 01:03:16 +0200

On Sunday, May 05, 2013 10:13 PM I wrote:

> Hi @ll,
> 
> Fujitsus <http://www.fsc-pc.de/> factory preinstallation (as
> found on a Fujitsu Lifebook A512 purchased a month ago) of
> Windows 8 Professional x64 (I'm VERY confident that other
> variants of Fujitsu's Windows 8 factory installation are just
> the like) has the following vulnerabilities which can lead to
> code execution in the context of the LocalSystem account.
> 
> 
> A. Command lines with unquoted paths containing spaces:

[...]

and missed some more REALLY nice vulnerabilities (just like the one
Microsoft fixed with <https://support.microsoft.com/kb/2781197>
alias <http://technet.microsoft.com/security/bulletin/ms13-034>,
which of course is present too).

A.6: TWO vulnerabilities in the preinstalled services from Fujitsu:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PFNService]
"ImagePath"=expand:"C:\\Program Files\\Fujitsu\\Plugfree NETWORK\\PFNService.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PowerSavingUtilityService]
"ImagePath"=expand:"C:\\Program Files\\Fujitsu\\PSUtility\\PSUService.exe"

A.7: SIX vulnerabilities in the preinstalled services from Intel:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AMPPALR3]
"ImagePath"=expand:"C:\\Program Files\\Intel\\BluetoothHS\\BTHSAmpPalService.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EvtEng]
"ImagePath"=expand:"C:\\Program Files\\Intel\\WiFi\\bin\\EvtEng.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jhi_service]
"ImagePath"=expand:"C:\\Program Files (x86)\\Intel\\Intel(R) Management Engine Components\\DAL\\jhi_service.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LMS]
"ImagePath"=expand:"C:\\Program Files (x86)\\Intel\\Intel(R) Management Engine Components\\LMS\\LMS.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyWiFiDHCPDNS]
"ImagePath"=expand:"C:\\Program Files\\Intel\WiFi\\bin\\PanDhcpDns.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegSrvc]
"ImagePath"=expand:"C:\\Program Files\\Common Files\\Intel\\WirelessCommon\RegSrvc.exe"

JFTR: two other services of Intel don't show this vulnerability!

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHSSecurityMgr]
"ImagePath"=expand:"""C:\\Program Files\\Intel\\BluetoothHS\\BTHSSecurityMgr.exe"""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UNS]
"ImagePath"=expand:"""C:\\Program Files (x86)\\Intel\\Intel(R) Management Engine Components\\UNS\\UNS.exe"""

Stefan Kanthak