exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft POSReady 2009 Eval CD Remnants

Microsoft POSReady 2009 Eval CD Remnants
Posted Mar 4, 2012
Authored by Stefan Kanthak

The POSReady 2009 eval CD from Microsoft Download Center appears to show remnants of having been built on a system that may have been infested with malware.

tags | advisory
SHA-256 | 98574b9c4e7396b432dee4fec8355515fa5bbf580d0c13b2c6b422247bf2f5c7

Microsoft POSReady 2009 Eval CD Remnants

Change Mirror Download
Hi @ll,

the system image "\Setup\WIM\setup.wim" on the "POSReady 2009 eval CD",
available from the Microsoft Download Center under
<http://www.microsoft.com/downloads/en/details.aspx?FamilyID=1e077ece-3f19-4c41-b219-6fcc821fb5fc>,
contains the following registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SSOExec]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Logoff"="SSOReset"
"Unlock"="SSOExec"
"Lock"="SSOReset"
"DLLName"="%windir%\\temp\\sso\\ssoexec.dll"


The directory "%windir%\temp" in the system image is but empty.


The presence of these registry entries is evidence that (one of) the
system(s) used to build and capture the POSReady 2009 evaluation system
image were infested with malware, and that either the infestation was not
detected at all (bad) or the infestation was detected, but incompletely
(or accidentially, when "%windir%\temp" was cleared) "removed" and a
compromised system used to build the system image (worse).

JFTR: MSFT initiated their "trustworthy computing" about 10 years ago!


To complete the picture: the ACLs on the directory "%windir%\temp" in
systems installed from this image/CD allow unprivileged users to create
a subdirectory "sso" in "%windir%\temp" and then the "ssoexec.dll",
allowing them to have their code run under every (other) user account
used to log on afterwards, resulting in a privilege escalation.


Timeline
~~~~~~~~

2012-02-03 informed vendor

2012-02-03 vendor replies:
"The registry key and DLL are part of the Windows embedded
software package and their existence is expected."

.oO(OUCH! they must be joking...)

2012-02-04 informed vendor that SSOEXEC.DLL is NOT part of any Windows
software package

2012-02-06 vendor replies:
"we are still looking and hope to provide clarification soon."

2012-02-06 vendor replies:
"this reference in no way indicates there is or ever was a
virus on our build systems."

2012-02-08 asked vendor to consider that both
<http://www.bing.com/search?q=ssoexec> and
<https://encrypted.google.com/search?num=100&safe=off&q=%22ssoexec%22+OR+%22ssoreset%22>
only find hits that show problems with malware

2012-03-04 no more answer from vendor, report published


Stefan Kanthak

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close