
POSReady 2009 eval Images: Infested with Malware?

POSReady 2009 is a flexible operating system designed to seamlessly connect point-of-service solutions with peripherals, servers, services, and malware?

The system image "\Setup\WIM\setup.wim" on the "POSReady 2009 eval CD" (available from the Microsoft Download Center at http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=11196 or at http://www.microsoft.com/downloads/en/details.aspx?FamilyID=1e077ece-3f19-4c41-b219-6fcc821fb5fc) contains the following registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SSOExec]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Logoff"="SSOReset"
"Unlock"="SSOExec"
"Lock"="SSOReset"
"DLLName"="%windir%\\temp\\sso\\ssoexec.dll"

The directory "%windir%\temp" in the system image is present but empty.

The presence of these registry entries is evidence that (at least one of) the systems used to build and capture the POSReady 2009 evaluation system image was infested with malware, and that either the infestation was not detected at all (bad), or it was detected but only incompletely (or accidentally, when "%windir%\temp" was cleared) "removed", and the compromised system was then used to build the system image (worse).

To complete the picture: the ACLs on the directory "%windir%\temp" in systems installed from this image/CD allow unprivileged users to create a subdirectory "sso" in "%windir%\temp" and then an "ssoexec.dll" inside it, so that their code is run under every (other) user account used to log on afterwards, resulting in a privilege escalation.
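A defender's check for this class of problem, written as an added example (not Stefan Kanthak's code): parse a .reg export of the Winlogon Notify key and flag packages whose DLLName points into a user-writable directory or to a file that is absent from the image. The list of writable directories and the set of files known to be on disk are assumptions passed in by the caller; the embedded fragment is the one quoted above.

```python
import re

# Constructed input: the Winlogon Notify entry quoted from the POSReady 2009 image.
REG_FRAGMENT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SSOExec]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Logoff"="SSOReset"
"Unlock"="SSOExec"
"Lock"="SSOReset"
"DLLName"="%windir%\\temp\\sso\\ssoexec.dll"
'''

# Assumption: directories below %windir% that unprivileged users may write to.
USER_WRITABLE = ["%windir%\\temp"]


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg fragment.

    Quoted string values have their .reg backslash escaping undone;
    other value types (dword:, hex:) are kept as the raw token."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            name = name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace("\\\\", "\\")
            keys[current][name] = value
    return keys


def check_notify(reg_text, windir_files=frozenset()):
    """Flag Notify packages whose DLL is in a writable directory or missing.

    windir_files: set of %windir%-relative paths known to exist in the image.
    Returns a list of (package_name, dll_path, [reasons])."""
    present = {f.lower() for f in windir_files}
    findings = []
    for key, values in parse_reg(reg_text).items():
        if "\\Winlogon\\Notify\\" not in key:
            continue
        dll = values.get("DLLName", "")
        reasons = []
        if any(dll.lower().startswith(d.lower()) for d in USER_WRITABLE):
            reasons.append("dll in user-writable directory")
        if dll.lower() not in present:
            reasons.append("dll missing from image (dangling entry)")
        if reasons:
            findings.append((key.rsplit("\\", 1)[-1], dll, reasons))
    return findings
```

Run against a real export, the same logic flags any Notify package whose DLL lives outside a protected system directory, which is the condition that turns a leftover registry entry into a privilege escalation.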

This has been brought to the vendor's (Microsoft's) attention in the following manner. – Stefan Kanthak

Timeline
~~~~~~~~

2012-02-03    informed vendor

2012-02-03    vendor replies:
“The registry key and DLL are part of the Windows embedded
software package and their existence is expected.”

.oO(OUCH! they must be joking…)

2012-02-04    informed vendor that SSOEXEC.DLL is NOT part of any Windows
software package

2012-02-06    vendor replies:
“we are still looking and hope to provide clarification soon.”

2012-02-06    vendor replies:
“this reference in no way indicates there is or ever was a
virus on our build systems.”

2012-02-08    asked vendor to consider that both
<http://www.bing.com/search?q=ssoexec> and
<https://encrypted.google.com/search?num=100&safe=off&q=%22ssoexec%22+OR+%22ssoreset%22>
only find hits that show problems with malware

2012-03-04    no more answer from vendor, report published
