
Beginner's error: Apple's iCloudServices for Windows runs rogue program C:\Program.exe (and some more)

Hi @ll,

"C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe",
part of Apple's iCloudServices (see <https://www.apple.com/icloud/>), is
configured to be started as (COM) server via SvcHost.Exe.

Unfortunately, the developers of this (COM) server (and of course their QA
too) did a lousy job and let their installer create the following erroneous
registry entries with a command line that contains an unquoted pathname:

@="C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe"

@="C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe"

The unquoted pathname results in the execution of one of the rogue programs
"C:\Program.exe", "C:\Program Files\Common.exe" or
"C:\Program Files\Common Files\Apple\Internet.exe" (on x86), or
"C:\Program.exe", "C:\Program Files.exe", "C:\Program Files (x86)\Common.exe"
or "C:\Program Files (x86)\Common Files\Apple\Internet.exe" (on x64), with
the rights of the logged-on user.

JFTR: the other 3 registry entries created for this COM server don't show
      this beginner's error and have the pathname properly quoted:

@="\"C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe\""

@="\"C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe\""

@="\"C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe\""

Since every user account created during Windows setup has administrative
rights, every user owning such an account can create the rogue program(s),
resulting in a privilege escalation.

JFTR: no, the "user account control" is not a security boundary!

      From <http://support.microsoft.com/kb/2526083>:

| Same-desktop Elevation in UAC is not a security boundary and can be hijacked
| by unprivileged software that runs on the same desktop. Same-desktop
| Elevation should be considered a convenience feature, and from a security
| perspective, "Protected Administrator" should be considered the equivalent
| of "Administrator."

JFTR: iCloudServices ships with even older, outdated and vulnerable 3rd party
      (open source) libraries than iTunes, see

      - libxslt.dll
      - libxml2.dll
      - icuuc40.dll, icuin40.dll, icudt46.dll, libicuin.dll, libicuuc.dll

Stefan Kanthak

PS: the obvious and trivial fix: edit the 2 erroneous command lines and
    add the missing quotes. But don't forget to fix them after every update
    of Apple's crap for Windows.
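The following audit script is an added example and is not part of Stefan Kanthak's post or of any Apple code. It decodes `@="..."` default-value lines as they appear in a .reg export, derives the candidate paths that CreateProcess tries before it reaches the real executable when the first token of an unquoted command line contains spaces (reproducing the x86 and x64 lists given above), and emits the quoted form that the PS describes as the fix. The x64 sample value, the function names and the assumption that the value carries no arguments after the .exe are the example's own; the two unquoted and one quoted sample line are copied from the post.

```python
import ntpath
import re

# Sample .reg lines. The first three are taken from the post; the x64 line is
# constructed for this example (a 32-bit COM server under "Program Files (x86)").
REG_LINES = [
    r'@="C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe"',
    r'@="\"C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe\""',
    r'@="C:\\Program Files (x86)\\Common Files\\Apple\\Internet Services\\iCloudServices.exe"',
]

# First occurrence of ".exe" marks the end of the executable path; anything after
# it is treated as arguments (assumption: no directory name contains ".exe").
EXE_RE = re.compile(r'^(.*?\.exe)(.*)$', re.IGNORECASE | re.DOTALL)


def parse_reg_default_value(line: str) -> str:
    """Decode an @="..." line from a .reg export into the raw registry string.

    .reg files escape backslashes as \\\\ and double quotes as \\" inside the value.
    """
    body = line.strip()
    if not body.startswith('@="') or not body.endswith('"'):
        raise ValueError("not a default-value string line: " + line)
    escaped = body[3:-1]
    out = []
    i = 0
    while i < len(escaped):
        if escaped[i] == '\\' and i + 1 < len(escaped):
            out.append(escaped[i + 1])   # \\ -> \  and \" -> "
            i += 2
        else:
            out.append(escaped[i])
            i += 1
    return ''.join(out)


def rogue_paths(command_line: str) -> list:
    """Paths CreateProcess tries, in order, before the intended executable.

    For an unquoted command line, CreateProcess splits at every space and tries
    each prefix (appending .exe when the prefix has no extension) until one
    exists. A quoted command line is unambiguous and yields no candidates.
    """
    if command_line.startswith('"'):
        return []
    m = EXE_RE.match(command_line)
    exe_part = m.group(1) if m else command_line
    tokens = exe_part.split(' ')
    candidates = []
    for n in range(1, len(tokens)):          # proper prefixes only; the last is the real target
        prefix = ' '.join(tokens[:n])
        if not ntpath.splitext(prefix)[1]:
            prefix += '.exe'
        candidates.append(prefix)
    return candidates


def quote_command_line(command_line: str) -> str:
    """Return the command line with the executable path wrapped in double quotes."""
    if command_line.startswith('"'):
        return command_line
    m = EXE_RE.match(command_line)
    if not m:
        raise ValueError("no .exe found in command line: " + command_line)
    return '"' + m.group(1) + '"' + m.group(2)


def audit_reg_lines(lines: list) -> list:
    """Return (raw value, rogue candidates, fixed value) for every unquoted entry."""
    findings = []
    for line in lines:
        value = parse_reg_default_value(line)
        rogue = rogue_paths(value)
        if rogue:
            findings.append((value, rogue, quote_command_line(value)))
    return findings


if __name__ == "__main__":
    for value, rogue, fixed in audit_reg_lines(REG_LINES):
        print("UNQUOTED:", value)
        for path in rogue:
            print("   would run first if present:", path)
        print("   fix:", fixed)
```

Running the script flags the two unquoted sample values and lists, for the x86 one, exactly the three rogue paths named in the post; the quoted value produces no finding. The same decode-and-check loop can be run over a real export of the affected keys, and the emitted `fix` string is what the PS says to put back after each update.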