WHQL-signed Synaptics Touchpad Driver Rogue Program Execution

2014.05.09
Credit: Stefan Kanthak
Risk: Low
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Hi @ll, the WHQL-signed(!) Synaptics touchpad driver delivered via Windows Update executes a rogue program C:\Program.exe with system privileges after its installation. The observed offending command line is C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /NT /I According to Microsofts security response team the vulnerable driver was pulled from Windows Update. Unfortunately (or should I write: of course) the drivers offered on Synaptics web site have this silly bug too! regards Stefan Kanthak PS: the following lines of the SYNPD.INF show the same silly bug: | HKLM,Software\Microsoft\Windows\CurrentVersion\Run,SynTPEnh,0,"%16422%\%targetdir%\SynTPEnh.exe" | HKLM,Software\Microsoft\Windows\CurrentVersion\Run,SynTPEnh,0x00020000,"%ProgramFiles%\%targetdir%\SynTPEnh.exe" | HKR,Software\Synaptics\SynTPPlugIns\SynTP,Start,0x00020000,"%ProgramFiles%\%targetdir%\SynTPEnh /RegPlugIn" | HKR,Software\Synaptics\SynTPEnh\PopupConfig,Pressure Graph,0x00020000,"%ProgramFiles%\%targetdir%\SynZMetr.exe" | HKR,Software\Synaptics\SynTPEnh\PopupConfig,MoodPad,0x00020000,"%ProgramFiles%\%targetdir%\SynMood.exe" | HKR,Software\Synaptics\SynTPEnh\PlugInConfig\Defaults\2FingerGestures,ConfigID2RunApp,0x00020000,"%ProgramFiles%\%targetdir%\SynMood .exe" | HKR,Software\Synaptics\SynTPCpl,PracticeExe,0x00020000,"%ProgramFiles%\%targetdir%\Tutorial.exe" | HKR,SOFTWARE\Synaptics\SynTPCpl\Controls\1Multifinger Gestures\1Two-Finger Scrolling\Dialog\7Practice,ActionPath,0x00020000,"%ProgramFiles%\%targetdir%\Tutorial.exe" | HKR,SOFTWARE\Synaptics\SynTPCpl\Controls\2Scrolling\Dialog\94Practice,ActionPath,0x00020000,"%ProgramFiles%\%targetdir%\Tutorial.exe " It's a shame that developers still dont know how to handle filenames containing spaces properly: you had 20 years time to learn that! And of course their QA hat the same time! Take a look at <http://support.microsoft.com/kb/2647300/de> and notice the screenshot of REGEDIT.EXE showing the contents of the registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] OUCH! Timeline ~~~~~~~~ 2014-04-09 sent vulnerability report to Microsoft 2014-04-10 Microsoft asks for more log files 2014-04-10 sent log files to Microsoft 2014-04-11 MSRC 18931 case opened 2014-04-15 sent notice regarding MSKB 2647300 2014-05-08 Microsoft acknowledges vulnerability and pulls driver


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top