Hi @ll, on a multitude of machines running Windows Embedded POSReady 2009, "automatic updates" show the well-known and never resolved bug which lets the Windows Update Agent occupy one core (good luck if your CPU has some of them and can afford to sacrifice one.-) for DAYS at 100% load! This nasty behaviour is documented for example in the MSKB articles <https://support.microsoft.com/en-us/help/3102810> and <https://support.microsoft.com/en-us/help/3102812>. This bug has a rather LOOONG tradition; see for example <https://blogs.technet.microsoft.com/asiasupp/2007/05/29/automatic-update-causes-svchost-exe-high-cpu/>. But this bug is NOT subject of this post -- the story only starts there... Since I've dealt with this bug quite some times in the past decade I know how to overcome it (see for example <https://skanthak.homepage.t-online.de/slipstream.html>): 1. manually fetch the latest cumulative update for Internet Explorer, 2. install it, 3. then reboot and let "automatic updates" perform their duty again. Step 1 was simple: 1.a) start the web browser and enter the URL <https://www.catalog.update.microsoft.com/Search.aspx?q=posready+2009>, 1.b) sort the updates by date, 1.c) find the latest cumulative update for IE, 1.d) then download the executable installer offered for your language. This left me with the file ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe in my "Downloads" folder "C:\Dokumente und Einstellungen\Administrator\Downloads" Since ALL downloads in the "Microsoft Update Catalog" are offered over INSECURE HTTP: (see <http://seclists.org/fulldisclosure/2018/Feb/43>) I checked the integrity of the downloaded executable: C:\Dokumente und Einstellungen\Administrator\Downloads>CertUtil.exe /V /HashFile ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe SHA-1-Hash der Datei ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe: fd 52 c3 ee 74 9c 7d 21 e0 c8 da 6d 9a cb 20 36 07 e2 5d a4 CertUtil: -hashfile-Befehl wurde erfolgreich ausgeführt. Good, the SHA1 hash matches the filename (this was shown over the secure HTTPS: connection to the Microsoft Update Catalog itself). Right-click->Properties:"Digital signatures", then double-click on the signature also yields "valid". Good, lets proceed with step 2: install the downloaded update. 2.a) a double-click on ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe presented TWO error message boxes with the following text: | ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe - Auslagerungsdatei konnte nicht erstellt werden | | (X) Exception Processing Message c0000145 Parameters c0000005 75b0bf7c 75b0bf7c 75b0bf7c | | [ OK ] OUCH! JFTR: you'll see this GIBBERISH on ALL NON-english editions of Windows Embedded POSReady 2009 (and Windows XP too)! For the description and demonstration of this bug in NTDLL.dll, start reading <https://skanthak.homepage.t-online.de/fubar.html> Since I know this bug in NTDLL.dll since quite some time, I know that the "correct" error message box should have been | ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe - Fehler in Anwendung | | (X) Die Anwendung konnte nicht richtig initialisiert werden (0xc0000005). | Klicken Sie auf "OK", um die Anwendung zu beenden. | | [ OK ] 2.b) on english editions of Windows Embedded POSReady 2009, execution of ie8-windowsxp-kb4343205-x86-embedded-enu_5cc2246031bd0a949785f6f1799610bff163224b.exe yields the error message box | ie8-windowsxp-kb4343205-x86-embedded-enu_5cc2246031bd0a949785f6f1799610bff163224b.exe - Application Error | | (X) The application failed to initialize properly (0xc0000005). | Click OK to terminate the application. | | [ OK ] That's an "access violation" during process initialisation. 2.c) Let's run the application under the debugger: C:\Dokumente und Einstellungen\Administrator\Downloads>NTSD.exe ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe Microsoft (R) Windows User-Mode Debugger Version 5.1.2600.0 Copyright (c) Microsoft Corporation. All rights reserved. CommandLine: "C:\Dokumente und Einstellungen\Administrator\Downloads\ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe" Loaded dbghelp extension DLL Loaded exts extension DLL Loaded ntsdexts extension DLL Symbol search path is: SymSrv*SYMSRV.DLL*C:\WINDOWS\Symbols*http://msdl.microsoft.com/download/symbols/Executable search path is: ModLoad: 01000000 01020000 sfxcab.exe ModLoad: 7c910000 7c9ca000 ntdll.dll ModLoad: 7c800000 7c909000 C:\WINDOWS\System32\kernel32.dll ModLoad: 77be0000 77c38000 C:\WINDOWS\System32\msvcrt.dll ModLoad: 77da0000 77e4a000 C:\WINDOWS\System32\ADVAPI32.dll ModLoad: 77e50000 77ee3000 C:\WINDOWS\System32\RPCRT4.dll ModLoad: 77fc0000 77fd1000 C:\WINDOWS\System32\Secur32.dll ModLoad: 7e360000 7e3f1000 C:\WINDOWS\System32\USER32.dll ModLoad: 77ef0000 77f3a000 C:\WINDOWS\System32\GDI32.dll ModLoad: 5d450000 5d4ea000 C:\WINDOWS\System32\COMCTL32.dll ModLoad: 7e670000 7ee92000 C:\WINDOWS\System32\SHELL32.dll ModLoad: 77f40000 77fb7000 C:\WINDOWS\System32\SHLWAPI.dll Break instruction exception - code 80000003 (first chance) eax=00181eb4 ebx=7ffd9000 ecx=00000007 edx=00000080 esi=00181f48 edi=00181eb4 eip=7c91120e esp=0006fb20 ebp=0006fc94 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 ntdll!DbgBreakPoint: 7c91120e cc int 3 0:000> g HEAP[ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe]: Heap block at 0008AC58 modified at 0008AE08 past requested size of 1a8 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Break instruction exception - code 80000003 (first chance) eax=0008ac58 ebx=0008ae08 ecx=7c92f927 edx=0006e182 esi=0008ac58 edi=000001a8 eip=7c91120e esp=0006e384 ebp=0006e388 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 ntdll!DbgBreakPoint: 7c91120e cc int 3 0:000> g HEAP[ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe]: Invalid Address specified to RtlFreeHeap( 00080000, 0008AC60 ) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Break instruction exception - code 80000003 (first chance) eax=0008ac58 ebx=0008ac58 ecx=7c92f927 edx=0006e192 esi=00080000 edi=0008ac58 eip=7c91120e esp=0006e39c ebp=0006e3a0 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 ntdll!DbgBreakPoint: 7c91120e cc int 3 0:000> g Access violation - code c0000005 (first chance) eax=0008ae20 ebx=007d0032 ecx=00080210 edx=00000000 esi=0008ae18 edi=00300033 eip=7c92afa0 esp=0006e0f0 ebp=0006e30c iopl=0 nv up ei pl nz ac po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216 ntdll!RtlAcquireResourceExclusive+5e1: 7c92afa0 8b0b mov ecx,[ebx] ds:0023:007d0032=???????? 0:000> gn HEAP[ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe]: Heap missing last entry in committed range near 8ae18 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Break instruction exception - code 80000003 (first chance) eax=0008ae18 ebx=00080640 ecx=7c92f927 edx=0006e559 esi=00080588 edi=0008b148 eip=7c91120e esp=0006e764 ebp=0006e768 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 ntdll!DbgBreakPoint: 7c91120e cc int 3 0:000> gn Access violation - code c0000005 (first chance) eax=0008ae20 ebx=007d0032 ecx=000801b0 edx=00000000 esi=0008ae18 edi=00300033 eip=7c92afa0 esp=0006eb64 ebp=0006ed80 iopl=0 nv up ei pl nz ac po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216 ntdll!RtlAcquireResourceExclusive+5e1: 7c92afa0 8b0b mov ecx,[ebx] ds:0023:007d0032=???????? 0:000> gn Access violation - code c0000005 (first chance) eax=00000010 ebx=7ffdf000 ecx=00000100 edx=00000190 esi=77f350e0 edi=01900010 eip=77ef64f1 esp=0006f2f8 ebp=0006f300 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 GDI32!GdiValidateHandle+75: 77ef64f1 38410a cmp [ecx+0xa],al ds:0023:0000010a=?? 0:000> gn Access violation - code c0000005 (first chance) eax=0006fc54 ebx=00000000 ecx=0006fca8 edx=7c91e514 esi=c0000005 edi=00000000 eip=7c977a96 esp=0006fc54 ebp=0006fca4 iopl=0 nv up ei pl zr na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 ntdll!RtlRaiseStatus+26: 7c977a96 c9 leave 0:000> q NICE! That looks like a buffer overrun on the heap, and the corrupted data then yields the "access violation". 2.d) Let's see if I can cure it: C:\Documents and Settings\Administrator\Downloads>RENAME ie8-windowsxp-kb4343205-x86-embedded-deu_fd52c3ee749c7d21e0c8da6d9acb203607e25da4.exe ie8-windowsxp-kb4343205-x86-embedded-deu.exe C:\Documents and Settings\Administrator\Downloads>ie8-windowsxp-kb4343205-x86-embedded-deu.exe The buffer overrun is gone, the update installs! If only someone had told the wise guys at Microsoft that MAX_PATH is 260 characters, and that buffers have to be checked for overruns! What happened to the "trustworthy computing" initiative? 2.e) But WAIT, it's not over yet: C:\Dokumente und Einstellungen\Administrator\Downloads>ie8-windowsxp-kb4343205-x86-embedded-deu.exe /X The /X option extracts the payload into an arbitrary directory; the default is the current directory, i.e. "C:\Dokumente und Einstellungen\Administrator\Downloads" This yields the error message box | Dekomprimierung fehlgeschlagen | | (X) Datei ist beschädigt | | [ OK ] WTF? The file is supposed to be corrupt? It but installed successful, its checksums are correct! JFTR: without the /X option, the executable self-extractor SFXCAB creates a directory with a random, up to 32 characters "short" name in the root directory of the drive with the most free space. 2.f) Let's see whether this error can be cured too by using a shorter path: C:\Dokumente und Einstellungen\Administrator\Downloads>ie8-windowsxp-kb4343205-x86-embedded-deu.exe /X C:\Windows\Temp SUCCESS! | Dekomprimierung abgeschlossen | ^ | /!\ Dekomprimierung abgeschlossen | ¯¯¯ | [ OK ] C:\Dokumente und Einstellungen\Administrator\Downloads>dir C:\Windows\Temp Volume in Laufwerk C: hat keine Bezeichnung. Volumeseriennummer: 8CDE-6034 Verzeichnis von C:\Windows\Temp 01.09.2018 23:18 <DIR> . 01.09.2018 23:18 <DIR> .. 01.09.2018 23:18 <DIR> SP3QFE 01.09.2018 23:18 <DIR> update 01.02.2018 23:28 18.808 spmsg.dll 01.02.2018 23:28 234.872 spuninst.exe 2 Datei(en) 253.680 Bytes 4 Verzeichnis(se), 8.396.988.416 Bytes frei stay tuned Stefan Kanthak PS: for the other bugs and vulnerabilities in Microsoft's SFXCAB see <http://seclists.org/fulldisclosure/2016/Jan/48> and/or <http://seclists.org/fulldisclosure/2018/Jul/72>
