The WHQL-signed(!) Synaptics touchpad driver delivered via Windows Update
executes a rogue program C:\Program.exe with system privileges after its
installation.
The observed offending command line is
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /NT /I
According to Microsofts security response team the vulnerable driver was
pulled from Windows Update.
Unfortunately (or should I write: of course) the drivers offered on
Synaptics web site have this silly bug too!
regards
Stefan Kanthak
stefan.kanthak@nexgo.de
PS: the following lines of the SYNPD.INF show the same silly bug:
| HKLM,Software\Microsoft\Windows\CurrentVersion\Run,SynTPEnh,0,"%16422%\%targetdir%\SynTPEnh.exe"
| HKLM,Software\Microsoft\Windows\CurrentVersion\Run,SynTPEnh,0x00020000,"%ProgramFiles%\%targetdir%\SynTPEnh.exe"
| HKR,Software\Synaptics\SynTPPlugIns\SynTP,Start,0x00020000,"%ProgramFiles%\%targetdir%\SynTPEnh /RegPlugIn"
| HKR,Software\Synaptics\SynTPEnh\PopupConfig,Pressure Graph,0x00020000,"%ProgramFiles%\%targetdir%\SynZMetr.exe"
| HKR,Software\Synaptics\SynTPEnh\PopupConfig,MoodPad,0x00020000,"%ProgramFiles%\%targetdir%\SynMood.exe"
|
HKR,Software\Synaptics\SynTPEnh\PlugInConfig\Defaults\2FingerGestures,ConfigID2RunApp,0x00020000,"%ProgramFiles%\%targetdir%\SynMood
.exe"
| HKR,Software\Synaptics\SynTPCpl,PracticeExe,0x00020000,"%ProgramFiles%\%targetdir%\Tutorial.exe"
| HKR,SOFTWARE\Synaptics\SynTPCpl\Controls\1Multifinger Gestures\1Two-Finger
Scrolling\Dialog\7Practice,ActionPath,0x00020000,"%ProgramFiles%\%targetdir%\Tutorial.exe"
|
HKR,SOFTWARE\Synaptics\SynTPCpl\Controls\2Scrolling\Dialog\94Practice,ActionPath,0x00020000,"%ProgramFiles%\%targetdir%\Tutorial.exe
"
It's a shame that developers still dont know how to handle
filenames containing spaces properly: you had 20 years time
to learn that! And of course their QA hat the same time!
Take a look at <http://support.microsoft.com/kb/2647300/de> and
notice the screenshot of REGEDIT.EXE showing the contents of the
registry key
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
OUCH!
Timeline
~~~~~~~~
2014-04-09 sent vulnerability report to Microsoft
2014-04-10 Microsoft asks for more log files
2014-04-10 sent log files to Microsoft
2014-04-11 MSRC 18931 case opened
2014-04-15 sent notice regarding MSKB 2647300
2014-05-08 Microsoft acknowledges vulnerability and pulls driver
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise.Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
executes a rogue program C:\Program.exe with system privileges after its
installation.
The observed offending command line is
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /NT /I
According to Microsofts security response team the vulnerable driver was
pulled from Windows Update.
Unfortunately (or should I write: of course) the drivers offered on
Synaptics web site have this silly bug too!
regards
Stefan Kanthak
stefan.kanthak@nexgo.de
PS: the following lines of the SYNPD.INF show the same silly bug:
| HKLM,Software\Microsoft\Windows\CurrentVersion\Run,SynTPEnh,0,"%16422%\%targetdir%\SynTPEnh.exe"
| HKLM,Software\Microsoft\Windows\CurrentVersion\Run,SynTPEnh,0x00020000,"%ProgramFiles%\%targetdir%\SynTPEnh.exe"
| HKR,Software\Synaptics\SynTPPlugIns\SynTP,Start,0x00020000,"%ProgramFiles%\%targetdir%\SynTPEnh /RegPlugIn"
| HKR,Software\Synaptics\SynTPEnh\PopupConfig,Pressure Graph,0x00020000,"%ProgramFiles%\%targetdir%\SynZMetr.exe"
| HKR,Software\Synaptics\SynTPEnh\PopupConfig,MoodPad,0x00020000,"%ProgramFiles%\%targetdir%\SynMood.exe"
|
HKR,Software\Synaptics\SynTPEnh\PlugInConfig\Defaults\2FingerGestures,ConfigID2RunApp,0x00020000,"%ProgramFiles%\%targetdir%\SynMood
.exe"
| HKR,Software\Synaptics\SynTPCpl,PracticeExe,0x00020000,"%ProgramFiles%\%targetdir%\Tutorial.exe"
| HKR,SOFTWARE\Synaptics\SynTPCpl\Controls\1Multifinger Gestures\1Two-Finger
Scrolling\Dialog\7Practice,ActionPath,0x00020000,"%ProgramFiles%\%targetdir%\Tutorial.exe"
|
HKR,SOFTWARE\Synaptics\SynTPCpl\Controls\2Scrolling\Dialog\94Practice,ActionPath,0x00020000,"%ProgramFiles%\%targetdir%\Tutorial.exe
"
It's a shame that developers still dont know how to handle
filenames containing spaces properly: you had 20 years time
to learn that! And of course their QA hat the same time!
Take a look at <http://support.microsoft.com/kb/2647300/de> and
notice the screenshot of REGEDIT.EXE showing the contents of the
registry key
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
OUCH!
Timeline
~~~~~~~~
2014-04-09 sent vulnerability report to Microsoft
2014-04-10 Microsoft asks for more log files
2014-04-10 sent log files to Microsoft
2014-04-11 MSRC 18931 case opened
2014-04-15 sent notice regarding MSKB 2647300
2014-05-08 Microsoft acknowledges vulnerability and pulls driver
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise.Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information