not quite minimalistic enough  

S-1-1-0

From the installation log of the driver for a REINER SCT smart card reader:

Executing Process <C:\Program Files (x86)\REINER SCT\cyberJack\subinacl.exe> with </subdirectories "C:\ProgramData\REINER SCT\*" /grant="S-1-1-0"=F>

Um. Come again? S-1-1-0 is Everyone.

C:\ProgramData\REINER SCT\cyberJack Base Components>icacls ctf_bdr.rsct
ctf_bdr.rsct Everyone:(F)
             NT AUTHORITY\SYSTEM:(I)(F)
             BUILTIN\Administrators:(I)(F)
             BUILTIN\Users:(I)(RX)

C:\ProgramData\REINER SCT\cyberJack Base Components>icacls .
. Everyone:(OI)(IO)(F)
  Everyone:(CI)(F)
  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
  BUILTIN\Administrators:(I)(OI)(CI)(F)
  CREATOR OWNER:(I)(OI)(CI)(IO)(F)
  BUILTIN\Users:(I)(OI)(CI)(RX)
  BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

The files are “transfer files” according to the (rather pointless) file type registration. They look encrypted. I suspect they are some kind of firmware.

Why would anyone in their right mind set a directory full of firmware for a smart card reader to be world writable?
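To make that question answerable on other machines, here is an added example (not part of the original post, and not code from REINER SCT): a small Python parser for `icacls` output that flags allow ACEs giving any write right to broad principals, run over the two listings quoted above. The function names, the set of "broad" principals and the set of "write" rights are this example's own choices, not anything icacls defines. It reports the inheritance flags as well, because the listing contains two very different kinds of write access: the explicit Everyone:(F) entries that the installer set, and the inherited BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA) entry that every ProgramData subfolder carries by default (users may create files and subdirectories there, and CREATOR OWNER then owns what they created). Only the former is the installer's doing.

```python
"""Parse `icacls` output and flag ACEs that let broad principals write.

Added example for the post; helper names and the BROAD_PRINCIPALS /
WRITE_RIGHTS sets are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Principals that mean "roughly anybody on the machine", by name and by SID
# (icacls prints the SID when it cannot resolve the name).
BROAD_PRINCIPALS = {
    "Everyone", "S-1-1-0",
    "NT AUTHORITY\\Authenticated Users", "S-1-5-11",
    "BUILTIN\\Users", "S-1-5-32-545",
    "NT AUTHORITY\\INTERACTIVE", "S-1-5-4",
}

# icacls rights that allow changing data, metadata or the ACL itself:
# simple rights (F, M, W, D) plus the specific rights that imply writing.
WRITE_RIGHTS = {
    "F", "M", "W", "D",        # full, modify, write, delete
    "WD", "AD", "WA", "WEA",   # write data/add file, append/add subdir, attrs, ext attrs
    "DC", "DE", "WDAC", "WO",  # delete child, delete, write DACL, write owner
    "GW", "GA",                # generic write, generic all
}

INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}

# "<principal>:(flag)(flag)(rights)" -- principals may contain spaces and backslashes
ACE_RE = re.compile(r"^(?P<principal>[^:()]+?):(?P<groups>(?:\([A-Za-z,]+\))+)\s*$")


@dataclass
class Ace:
    principal: str
    deny: bool
    inherited: bool          # (I): came from the parent, not set on this object
    object_inherit: bool     # (OI): propagates to child files
    container_inherit: bool  # (CI): propagates to child directories
    inherit_only: bool       # (IO): does not apply to this object itself
    rights: frozenset


def parse_icacls(output: str, path: str) -> list:
    """Parse the output of `icacls <path>` into a list of Ace.

    icacls prints the path, a space and the first ACE on one line and
    indents the remaining ACEs, so `path` (the argument icacls was given)
    is needed to split a path containing spaces from the first ACE.
    """
    aces, first = [], True
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if first:
            first = False
            if not line.startswith(path + " "):
                raise ValueError(f"first line does not start with {path!r}: {line!r}")
            line = line[len(path) + 1:].lstrip()
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACE line: {line!r}")
        flags, rights, deny = set(), set(), False
        for g in re.findall(r"\(([A-Za-z,]+)\)", m.group("groups")):
            if g == "DENY":
                deny = True
            elif g in INHERITANCE_FLAGS:
                flags.add(g)
            else:
                rights.update(g.split(","))  # (F), (RX) or (WD,AD,WEA,WA)
        aces.append(Ace(m.group("principal"), deny, "I" in flags, "OI" in flags,
                        "CI" in flags, "IO" in flags, frozenset(rights)))
    return aces


def weak_aces(aces: list) -> list:
    """Allow ACEs that grant any write right to a broad principal."""
    return [a for a in aces
            if not a.deny and a.principal in BROAD_PRINCIPALS and a.rights & WRITE_RIGHTS]


def describe(ace: Ace) -> str:
    """One-line summary: origin, access type, rights and what the ACE applies to."""
    applies = []
    if not ace.inherit_only:
        applies.append("this object")
    if ace.object_inherit:
        applies.append("child files")
    if ace.container_inherit:
        applies.append("child directories")
    origin = "inherited" if ace.inherited else "explicit"
    kind = "deny" if ace.deny else "allow"
    return f"{ace.principal}: {origin} {kind} {','.join(sorted(ace.rights))} on {', '.join(applies)}"


# Sample input: the two icacls listings quoted in the post above.
DIR_LISTING = """\
. Everyone:(OI)(IO)(F)
  Everyone:(CI)(F)
  NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
  BUILTIN\\Administrators:(I)(OI)(CI)(F)
  CREATOR OWNER:(I)(OI)(CI)(IO)(F)
  BUILTIN\\Users:(I)(OI)(CI)(RX)
  BUILTIN\\Users:(I)(CI)(WD,AD,WEA,WA)
"""
FILE_LISTING = """\
ctf_bdr.rsct Everyone:(F)
             NT AUTHORITY\\SYSTEM:(I)(F)
             BUILTIN\\Administrators:(I)(F)
             BUILTIN\\Users:(I)(RX)
"""

if __name__ == "__main__":
    for path, listing in ((".", DIR_LISTING), ("ctf_bdr.rsct", FILE_LISTING)):
        for ace in weak_aces(parse_icacls(listing, path)):
            print(f"{path}: {describe(ace)}")
```

On a live system, feed it the output of `icacls <path>` together with the same `<path>` argument; it raises on any line it does not recognise rather than skipping it, so a deny ACE, an unresolved SID or a new flag does not silently disappear from the result. For the directory above it reports two explicit Everyone entries (full control on child files, and on the folder itself plus child directories) next to the inherited Users entry; for the file it reports the single explicit Everyone:(F).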

The next line in the log file is this:

Executing Process <C:\Program Files (x86)\REINER SCT\cyberJack\subinacl.exe> with </keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\Readers" /grant="S-1-5-19"=F>

NT AUTHORITY\LOCAL SERVICE. Probably also not a good idea; I think this is left from before there were virtual service accounts.

Time to ask the company.

Written on November 13, 2018