Hi @ll,
"C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe",
part of Apple's iCloudServices (see <https://www.apple.com/icloud/>), is
configured to be started as a (COM) server via SvcHost.Exe.
Unfortunately the developers of this (COM) server (and of course their QA
too) did a lousy job and let their installer create the following erroneous
registry entries with a command line that contains an unquoted pathname:
[HKEY_CLASSES_ROOT\CLSID\{23ad9193-ebad-42bf-8d03-fec6331270f2}\LocalServer32]
@="C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe"
[HKEY_CLASSES_ROOT\CLSID\{9e6e74c7-0e85-4d14-8851-7635e2c1c528}\LocalServer32]
@="C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe"
The unquoted pathname results in the execution of one of the rogue programs
"C:\Program.exe", "C:\Program Files\Common.exe" or
"C:\Program Files\Common Files\Apple\Internet.exe" (on x86), or
"C:\Program.exe", "C:\Program Files.exe", "C:\Program Files (x86)\Common.exe"
or "C:\Program Files (x86)\Common Files\Apple\Internet.exe" (on x64),
whichever CreateProcess() finds first, with the rights of the logged-on user.
JFTR: the other 3 registry entries created for this COM server don't show
this beginner's error and have the pathname properly quoted:
[HKEY_CLASSES_ROOT\CLSID\{1510187E-FE19-4F42-9C43-22C6E9E6AA67}\LocalServer32]
@="\"C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe\" "
[HKEY_CLASSES_ROOT\CLSID\{c1da7e1f-279b-4acd-9196-fc6ef7eb8e9e}\LocalServer32]
@="\"C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe\" "
[HKEY_CLASSES_ROOT\CLSID\{dd000cbd-67a6-423f-9132-1a2d0f76ead5}\LocalServer32]
@="\"C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe\" "
Since every user account created during Windows setup has administrative
rights, every user owning such an account can create the rogue program(s),
resulting in a privilege escalation.
JFTR: no, the "user account control" is not a security boundary!
From <http://support.microsoft.com/kb/2526083>:
| Same-desktop Elevation in UAC is not a security boundary and can be hijacked
| by unprivileged software that runs on the same desktop. Same-desktop
| Elevation should be considered a convenience feature, and from a security
| perspective, "Protected Administrator" should be considered the equivalent
| of "Administrator."
JFTR: iCloudServices ships with even older, outdated and vulnerable 3rd party
(open source) libraries than iTunes, see
<http://seclists.org/fulldisclosure/2014/Jul/30>
- libxslt.dll 1.0.9.0
- libxml2.dll 2.1.13.0
- icuuc40.dll, icuin40.dll, icudt46.dll, libicuin.dll, libicuuc.dll 4.6.1.0
regards
Stefan Kanthak
PS: the obvious and trivial fix: edit the 2 erroneous command lines and
add the missing quotes. But don't forget to fix them again after every
update of Apple's crap for Windows.
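As an added example (not part of Stefan Kanthak's post, and not Apple's code), the following Python models how CreateProcess() walks an unquoted command line: each whitespace-delimited prefix is tried in turn, with ".exe" appended when the prefix has no extension, and the first file that exists wins. It lists the rogue images for the two iCloudServices paths quoted above, produces the quoted value the PS suggests, and on Windows scans every HKCR\CLSID\*\LocalServer32 value for the same defect. The function names `hijack_candidates`, `quoted_fix` and `scan_localserver32` are my own; the two sample paths are those from the post.

```python
"""
Enumerate the images CreateProcess() would try for an unquoted
LocalServer32 command line, and produce the quoted fix.

Added example, not Apple's code and not from the original post.  Sample
paths below are the ones quoted in the post (x86 and x64 layouts).
"""
import sys
import ntpath

# Constructed sample values: the two layouts the post describes.
ICLOUD_X86 = r"C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe"
ICLOUD_X64 = r"C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe"


def hijack_candidates(cmdline):
    """Return (rogue_paths, intended_exe) for a LocalServer32 value.

    A value that starts with a double quote is unambiguous: only the quoted
    image is tried, so there is nothing to hijack.  For an unquoted value
    CreateProcess() tries every prefix that ends at a space, appending
    ".exe" when the prefix has no extension; the first file that exists is
    executed.  We stop at the first token that ends in ".exe", which is the
    image the developer meant; anything after it is arguments.
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return [], cmdline[1:end if end != -1 else None]
    tokens = cmdline.split(" ")
    rogue = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            return rogue, prefix
        if not ntpath.splitext(ntpath.basename(prefix))[1]:
            prefix += ".exe"          # CreateProcess() adds the default extension
        rogue.append(prefix)
    return rogue, None                # no token ends in .exe: cannot tell what was meant


def quoted_fix(cmdline):
    """Return the command line with the image path enclosed in quotes (the PS fix)."""
    rogue, exe = hijack_candidates(cmdline)
    if exe is None or not rogue:      # unfixable, or already safe
        return cmdline
    args = cmdline.strip()[len(exe):]
    return '"%s"%s' % (exe, args)


def scan_localserver32():
    """Yield (clsid, value, rogue_paths) for every vulnerable LocalServer32 (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "CLSID") as root:
        count = winreg.QueryInfoKey(root)[0]
        for i in range(count):
            clsid = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, clsid + r"\LocalServer32") as key:
                    value, _ = winreg.QueryValueEx(key, "")
            except OSError:
                continue              # no LocalServer32 subkey or no default value
            if not isinstance(value, str):
                continue
            rogue, _exe = hijack_candidates(value)
            if rogue:
                yield clsid, value, rogue


if __name__ == "__main__":
    if sys.platform == "win32":
        for clsid, value, rogue in scan_localserver32():
            print(clsid, value)
            for path in rogue:
                print("   hijackable via", path)
            print("   fix:", quoted_fix(value))
    else:
        for sample in (ICLOUD_X86, ICLOUD_X64):
            print(sample)
            for path in hijack_candidates(sample)[0]:
                print("   hijackable via", path)
            print("   fix:", quoted_fix(sample))
```

The scan reads only the 64-bit view of HKCR; on x64 run it once more from a 32-bit Python, or open the key with `winreg.KEY_WOW64_32KEY`, to cover WOW6432Node entries. Writing the fixed value back is deliberately left to the operator, because the next Apple update reverts it anyway.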
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc. nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information