Hi,

the cruft in the evaluation version of Windows Embedded POSReady 2009 (see <http://seclists.org/fulldisclosure/2012/Mar/17>) is not only present there, but also in systems built with Microsoft's official "OEM preinstallation kit", distributed as DVD X15-28127.

Result: all these embedded systems are susceptible to a trivial-to-exploit privilege escalation!

BUT: there is more garbage in Windows Embedded POSReady 2009!

[HKEY_LOCAL_MACHINE\SOFTWARE\3Com\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\ATI Technologies\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Aureal\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\BCMDM\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Brother\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Creative Tech\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Digi\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Generic\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\GenericSoftModemUninstallInfo\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Logitech\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Lucent\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Neomagic\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\PCTEL\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\S3\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Specialix\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\TOSHIBA\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Vid_0471\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\Vid_05A9\...]
[HKEY_LOCAL_MACHINE\SOFTWARE\VN_VUIns\...]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}]
@="GraphicsShellExt Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}\InProcServer32]
@="C:\\WINDOWS\\system32\\igfxpph.dll"
...

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0160-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Display Property Sheet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0160-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTDisply.dll"
...

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0161-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Gamma2 Property Sheet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0161-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTGamma2.dll"
...

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0162-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Info2 Property Sheet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0162-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTInfo2.dll"
...

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0163-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Overlay Property Sheet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0163-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTOvrlay.dll"
...

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ba87e880-5a57-11d3-bfcb-00aa0022f394}]
@="S3ConfigD3D Property Sheet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ba87e880-5a57-11d3-bfcb-00aa0022f394}\InProcServer32]
@="S3Cfg3d.dll"
...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\igfxcui]
@="{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Config3D]
@="{ba87e880-5a57-11d3-bfcb-00aa0022f394}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Display]
@="{300b0160-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Gamma2]
@="{300b0161-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Info2]
@="{300b0162-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Overlay]
@="{300b0163-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTConfig3D]
@="{ba87e880-5a57-11d3-bfcb-00aa0022f394}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTDisplay]
@="{300b0160-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTGamma2]
@="{300b0161-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTInfo2]
@="{300b0162-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTOverlay]
@="{300b0163-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VModes"="VModes UpdateRegistryOnly"
"VTTrayp"="VTtrayp.exe"
"VTTimer"="VTTimer.exe"
"S3Trayp"="S3trayp.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"TrackPointSrv"="tp4mon.exe"
"USBC"="C:\\WINDOWS\\system32\\wscript.exe C:\\WINDOWS\\system32\\drivers\\netusbc.vbs"
"XeroxScannerDaemon"="C:\\Program Files\\Xerox\\NWWia\\XrxFTPLt.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ati HotKey Poller]
"Start"=dword:00000002
"Type"=dword:00000110
"ErrorControl"=dword:00000001
"ImagePath"=expand:"system32\\atievxx.exe"
"ObjectName"="LocalSystem"
"Group"="Event log"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\AssetManagement]
"EventMessageFile"=expand:"C:\\WINDOWS\\system32\\CCM\\ccm_caltrack.dll"
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\LiveMeeting]
"TypesSupported"=dword:00000007
"EventMessageFile"=expand:"C:\\PROGRA~1\\MICROS~3\\LIVEME~1\\Console\\MUI\\0409\\UCCPRES.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\SmsClient]
"EventMessageFile"=expand:"C:\\WINDOWS\\system32\\CCM\\climsgs.dll"
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Pctspk]
"Start"=dword:00000002
"Type"=dword:00000010
"ErrorControl"=dword:00000001
"ImagePath"=expand:"system32\\pctspk.exe"
"DisplayName"="PCTEL Speaker Phone"

Needless to say: all the files referenced in this debris are NOT present in the system image, and all the device drivers whose registry keys were created under [HKEY_LOCAL_MACHINE\SOFTWARE\%vendor%] are missing too.

Whoever built this system image apparently did not start from a clean environment, installed superfluous components like "LiveMeeting Console" and "System Center Configuration Management Client", used unsuitable tools to integrate 3rd-party drivers, and used unsuitable tools to prepare it for deployment.

Is this trustworthy computing? Software engineering? Due diligence? And what about quality assurance?

JFTR: the unqualified filenames used in this cruft are nice targets for binary planting attacks!

stay tuned
Stefan Kanthak
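As an added example that is not part of Stefan Kanthak's post: a small Python audit which walks a .reg export like the one above and reports launch/load entries (Run values, service ImagePath and EventMessageFile, CLSID InProcServer32) whose image is a bare or relative filename, or, given the set of files actually present in the image, is missing altogether. The SAMPLE_REG excerpt is constructed here from a few of the keys quoted in the post; audit_reg_export and the reason labels are this example's own naming, not anything from Microsoft's tooling.

```python
import re

# Constructed .reg excerpt (not the post's full dump), modelled on the keys it quotes.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0160-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTDisply.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTrayp"="VTtrayp.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"USBC"="C:\\WINDOWS\\system32\\wscript.exe C:\\WINDOWS\\system32\\drivers\\netusbc.vbs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Pctspk]
"Start"=dword:00000002
"ImagePath"=expand:"system32\\pctspk.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "Name"="...", @="..." and "Name"=expand:"..."; dword/hex values do not match and are skipped.
VAL_RE = re.compile(r'^(@|"[^"]*")=(?:expand:)?"((?:[^"\\]|\\.)*)"$')
ROOTED_RE = re.compile(r'^([A-Za-z]:\\|\\\\|\\|%)')   # drive, UNC, root-relative or %VAR%

def audit_reg_export(text, present_files=None):
    """Report launch/load entries whose image is unqualified, relative, or (given a set of
    lowercase basenames known to exist in the image) not present in the image at all."""
    findings, key = [], ''
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if not m or not key:
            continue
        name, k = m.group(1).strip('"') or '@', key.lower()
        if not (k.endswith('\\run') or k.endswith('\\inprocserver32') or
                ('\\services\\' in k and name.lower() in ('imagepath', 'eventmessagefile'))):
            continue  # only locations whose data names a file Windows will execute or load
        data = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
        # The first token is the image; a quoted image path may contain spaces.
        path = data[1:data.index('"', 1)] if data.startswith('"') else data.split()[0]
        reasons = []
        if '\\' not in path:
            reasons.append('unqualified')   # bare filename, found via the loader's search path
        elif not ROOTED_RE.match(path):
            reasons.append('relative')      # e.g. system32\x.exe, resolved against a base dir
        if present_files is not None and path.rsplit('\\', 1)[-1].lower() not in present_files:
            reasons.append('missing')       # the referenced file does not exist in the image
        if reasons:
            findings.append({'key': key, 'name': name, 'path': path, 'reason': '+'.join(reasons)})
    return findings
```

Feed it the export of a deployed image plus the list of files that are really on disk, and every entry it reports is either a dangling reference to clean up or a name that needs to be made fully qualified.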