Hi @ll,

Fujitsu's ScanSnap software installers WinSSInstiX500WW1.exe and WinSSInstS1100iWW1.exe, available from <http://www.fujitsu.com/global/support/products/computing/peripheral/scanners/scansnap/software/ix500w-installer.html> and <http://www.fujitsu.com/global/support/products/computing/peripheral/scanners/scansnap/software/s1100i.html>, execute C:\Program.exe multiple times near the end of the installation process.

I'm VERY confident that the installers for other scanner models show the same vulnerability.

Culprit is the program SSInst.exe, which fails to quote the command lines

    C:\Program Files\PFU\ScanSnap\SSFolder\SSFolderTray.exe /e /u
    C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe /ini
    C:\Program Files\PFU\ScanSnap\Driver\SsWifiTool\PfuSsWiFiToolStart.exe /s
    C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe /SSType

properly; since SSInst.exe runs with administrative privileges, C:\Program.exe is executed with administrative privileges too.

For this well-known and well-documented beginner's error see <https://cwe.mitre.org/data/definitions/428.html> as well as <https://msdn.microsoft.com/en-us/library/ms682425.aspx#Security_Remarks>

JFTR: Microsoft introduced "long" filenames more than 20 years ago.

Stay away from the crapware shipped with Fujitsu's scanners!

stay tuned
Stefan Kanthak

Timeline:
~~~~~~~~~

2017-01-28    vulnerability report sent to vendor

              no reply, not even an acknowledgement of receipt

2017-02-05    vulnerability report resent to vendor

2017-02-06    vendor hotline forwards report to product team,
              asking for support

2017-02-08    mail from vendor's technical support,
              subject "Your Request from 08.02.2017"

              "Unfortunately this request can not be processed via
               this mailadress."

2017-02-09    which request?
              I did not send a request on 2017-02-08

2017-02-10    mail from vendor's technical support,
              subject "Your Request from 10.02.2017"

              "Sorry, this was a mistake from me.
               You get info about the security alert on Monday or
               Tuesday next weak."

2017-02-14    status request sent to vendor:
              "Tuesday has passed..."

2017-02-16    mail from vendor's technical support,
              subject "Your Request from 16.02.2017"

              "Unfortunately we can really not help in this case.
               Try to contact ... support team"

              No, I don't run around in circles!
              I contacted them already.

2017-02-16    report published
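
An added audit example, not part of the original advisory and not vendor code: it applies the parsing order documented in the MSDN Security Remarks linked above to the four command lines from the post, lists the paths that are tried before the intended executable so a host can be checked for them, and shows the quoted form that avoids the ambiguity. The function names (probed_before, quoted, audit) are hypothetical.

```python
import ntpath
import os

# Command lines as quoted in the advisory: (intended executable, arguments).
COMMAND_LINES = [
    (r"C:\Program Files\PFU\ScanSnap\SSFolder\SSFolderTray.exe", "/e /u"),
    (r"C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe", "/ini"),
    (r"C:\Program Files\PFU\ScanSnap\Driver\SsWifiTool\PfuSsWiFiToolStart.exe", "/s"),
    (r"C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe", "/SSType"),
]


def probed_before(exe_path, args=""):
    """Paths tried ahead of exe_path when the command line is unquoted."""
    cmdline = f"{exe_path} {args}".strip()
    probed = []
    pos = cmdline.find(" ")
    while pos != -1:
        prefix = cmdline[:pos]
        if prefix.lower() == exe_path.lower():
            break  # the intended executable is reached here
        if not prefix.endswith(" "):  # skip runs of spaces
            if not ntpath.splitext(prefix)[1]:
                prefix += ".exe"  # .exe is appended when no extension is given
            probed.append(prefix)
        pos = cmdline.find(" ", pos + 1)
    return probed


def quoted(exe_path, args=""):
    """Unambiguous form: executable path wrapped in double quotes."""
    return f'"{exe_path}" {args}'.strip()


def audit(command_lines, exists=os.path.exists):
    """Map each probed path to whether it is present on this host."""
    paths = {p for exe, args in command_lines for p in probed_before(exe, args)}
    return {p: exists(p) for p in sorted(paths)}


if __name__ == "__main__":
    for path, present in audit(COMMAND_LINES).items():
        print(f"{path}: {'PRESENT, investigate' if present else 'absent'}")
    for exe, args in COMMAND_LINES:
        print(quoted(exe, args))
```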