On Sunday, May 05, 2013 10:13 PM I wrote: > Hi @ll, > > Fujitsus <http://www.fsc-pc.de/> factory preinstallation (as > found on a Fujitsu Lifebook A512 purchased a month ago) of > Windows 8 Professional x64 (I'm VERY confident that other > variants of Fujitsu's Windows 8 factory installation are just > the like) has the following vulnerabilities which can lead to > code execution in the context of the LocalSystem account. > > > A. Command lines with unquoted paths containing spaces: [...] and missed some more REALLY nice vulnerabilities (just like the one Microsoft fixed with <https://support.microsoft.com/kb/2781197> alias <http://technet.microsoft.com/security/bulletin/ms13-034>, which of course is present too). A.6: TWO vulnerabilities in the preinstalled services from Fujitsu: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PFNService] "ImagePath"=expand:"C:\\Program Files\\Fujitsu\\Plugfree NETWORK\\PFNService.exe" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PowerSavingUtilityService] "ImagePath"=expand:"C:\\Program Files\\Fujitsu\\PSUtility\\PSUService.exe" A.7: SIX vulnerabilities in the preinstalled services from Intel: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AMPPALR3] "ImagePath"=expand:"C:\\Program Files\\Intel\\BluetoothHS\\BTHSAmpPalService.exe" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EvtEng] "ImagePath"=expand:"C:\\Program Files\\Intel\\WiFi\\bin\\EvtEng.exe" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jhi_service] "ImagePath"=expand:"C:\\Program Files (x86)\\Intel\\Intel(R) Management Engine Components\\DAL\\jhi_service.exe" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LMS] "ImagePath"=expand:"C:\\Program Files (x86)\\Intel\\Intel(R) Management Engine Components\\LMS\\LMS.exe" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyWiFiDHCPDNS] "ImagePath"=expand:"C:\\Program Files\\Intel\WiFi\\bin\\PanDhcpDns.exe" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegSrvc] "ImagePath"=expand:"C:\\Program Files\\Common Files\\Intel\\WirelessCommon\RegSrvc.exe" JFTR: two other services of Intel don't show this vulnerability! [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHSSecurityMgr] "ImagePath"=expand:"""C:\\Program Files\\Intel\\BluetoothHS\\BTHSSecurityMgr.exe""" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UNS] "ImagePath"=expand:"""C:\\Program Files (x86)\\Intel\\Intel(R) Management Engine Components\\UNS\\UNS.exe""" Stefan Kanthak