Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Vulnerabilities in Windows 8 Professional x64 factory preinstallation of Fujitsu Lifebook A512 [continued]
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Thu, 9 May 2013 01:03:16 +0200

On Sunday, May 05, 2013 10:13 PM I wrote:

Hi @ll,

Fujitsus <http://www.fsc-pc.de/> factory preinstallation (as
found on a Fujitsu Lifebook A512 purchased a month ago) of
Windows 8 Professional x64 (I'm VERY confident that other
variants of Fujitsu's Windows 8 factory installation are just
the like) has the following vulnerabilities which can lead to
code execution in the context of the LocalSystem account.


A. Command lines with unquoted paths containing spaces:

[...]

and missed some more REALLY nice vulnerabilities (just like the one
Microsoft fixed with <https://support.microsoft.com/kb/2781197>
alias <http://technet.microsoft.com/security/bulletin/ms13-034>,
which of course is present too).


A.6: TWO vulnerabilities in the preinstalled services from Fujitsu:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PFNService]
"ImagePath"=expand:"C:\\Program Files\\Fujitsu\\Plugfree NETWORK\\PFNService.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PowerSavingUtilityService]
"ImagePath"=expand:"C:\\Program Files\\Fujitsu\\PSUtility\\PSUService.exe"


A.7: SIX vulnerabilities in the preinstalled services from Intel:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AMPPALR3]
"ImagePath"=expand:"C:\\Program Files\\Intel\\BluetoothHS\\BTHSAmpPalService.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EvtEng]
"ImagePath"=expand:"C:\\Program Files\\Intel\\WiFi\\bin\\EvtEng.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jhi_service]
"ImagePath"=expand:"C:\\Program Files (x86)\\Intel\\Intel(R) Management Engine Components\\DAL\\jhi_service.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LMS]
"ImagePath"=expand:"C:\\Program Files (x86)\\Intel\\Intel(R) Management Engine Components\\LMS\\LMS.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyWiFiDHCPDNS]
"ImagePath"=expand:"C:\\Program Files\\Intel\WiFi\\bin\\PanDhcpDns.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegSrvc]
"ImagePath"=expand:"C:\\Program Files\\Common Files\\Intel\\WirelessCommon\RegSrvc.exe"


JFTR: two other services of Intel don't show this vulnerability!

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHSSecurityMgr]
"ImagePath"=expand:"""C:\\Program Files\\Intel\\BluetoothHS\\BTHSSecurityMgr.exe"""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UNS]
"ImagePath"=expand:"""C:\\Program Files (x86)\\Intel\\Intel(R) Management Engine Components\\UNS\\UNS.exe"""


Stefan Kanthak

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault