S-1-1-0 – Update
According to the company, this is not a security issue. I reserve – and
exercise – my right to disagree, but I’m not a security researcher.
They say that:
-
The global write permissions on the firmware files (they are
firmware files) is
- necessary to enable successful updates, and
- not a problem because the PC software does not interpret them
when feeding them to the reader, and the reader will reject
manipulated files due to invalid signatures.
-
The registry permissions are necessary for interoperability between
components on the same system.
Finally, they say their software and devices are getting tested not
only by them, but also by the IT security people of the companies
using the things, and if no one complains, everything must be fine.
Very well then; if they won’t fix their bugs, I can only do work
around them in my own environment.
S-1-1-0
From the installation log of the driver for a REINER SCT smart card reader:
Executing Process <C:\Program Files (x86)\REINER SCT\cyberJack\subinacl.exe> with </subdirectories "C:\ProgramData\REINER SCT\*" /grant="S-1-1-0"=F>
Um. Come again? S-1-1-0 is Everyone.
C:\ProgramData\REINER SCT\cyberJack Base Components>icacls ctf_bdr.rsct
ctf_bdr.rsct Everyone:(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
C:\ProgramData\REINER SCT\cyberJack Base Components>icacls .
. Everyone:(OI)(IO)(F)
Everyone:(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)
The files are “transfer files” according to the (rather pointless)
file type registration. They look encrypted. I suspect they are some
kind of firmware.
Why would anyone in their right mind set a directory full of firmware
for a smart card reader to be world writable?
The next line in the log file is this:
Executing Process <C:\Program Files (x86)\REINER SCT\cyberJack\subinacl.exe> with </keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\Readers" /grant="S-1-5-19"=F>
NT AUTHORITY\LOCAL SERVICE. Probably also not a good idea; I think
this is left from before there were virtual service
accounts.
Time to ask the company.
Komposita
- Weichenlaufkettensperrmelder
Hidden knowledge
How to remove a systemwide installation of Fusion 360
"Fusion 360 Client Downloader.exe" --globalinstall -p uninstall
QA, setzen, sechs.
Ach du lieber Deutschlandfunk.
Fall
1:
»Jetzt muss Sessions gehen. Nachfolger wird aber nicht sein
Stellvertreter, sondern Trumps Stabschef Matthew Whitaker.« Äh, nein,
Whitaker ist/war nicht Trumps Stabschef, sondern
Sessions’.
Fall
2:
»Was man auch erzählen muss, weil es vermutlich bei der Geschichte
eine Rolle spielt: die Bahira-Mitarbeiterin, die das Erlebnis hatte,
ist nicht irgendwer. Das ist Pinar Cetin, die Ehefrau, des früheren
Moscheevorsitzenden Ender Cetin, der im Dezember 2016 überraschend aus
diesem Amt entfernt wurde. Auch sie selbst war in der Moschee und bei
Ditib schon in wichtigen Ämtern bekleidet.« Wieso, sind Frauen in
Moscheen und bei Ditib normalerweise unbekleidet?