Hi @ll,

Fujitsu's ScanSnap software installers WinSSInstiX500WW1.exe
and WinSSInstS1100iWW1.exe, available from
<http://www.fujitsu.com/global/support/products/computing/peripheral/scanners/scansnap/software/ix500w-installer.html>
and
<http://www.fujitsu.com/global/support/products/computing/peripheral/scanners/scansnap/software/s1100i.html>,
execute C:\Program.exe multiple times near the end of the
installation process.
I'm VERY confident that the installers for other scanner models
show the same vulnerability.

Culprit is the program SSInst.exe, which fails to quote the command
lines
    C:\Program Files\PFU\ScanSnap\SSFolder\SSFolderTray.exe  /e /u
    C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe  /ini
    C:\Program Files\PFU\ScanSnap\Driver\SsWifiTool\PfuSsWiFiToolStart.exe  /s
    C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe  /SSType
properly; since SSInst.exe runs with administrative privileges,
C:\Program.exe is executed with administrative privileges too.

For this well-known and well-documented beginner's error see
<https://cwe.mitre.org/data/definitions/428.html> as well as
<https://msdn.microsoft.com/en-us/library/ms682425.aspx#Security_Remarks>

JFTR: Microsoft introduced "long" filenames more than 20 years ago.

Stay away from the crapware shipped with Fujitsu's scanners!


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2017-01-28    vulnerability report sent to vendor

              no reply, not even an acknowledgement of receipt

2017-02-05    vulnerability report resent to vendor

2017-02-06    vendor hotline forwards report to product team,
              asking for support

2017-02-08    mail from vendor's technical support, subject
              "Your Request from 08.02.2017"

              "Unfortunately this request can not be processed via
               this mail address."

2017-02-09    which request?
              I did not send a request on 2017-02-08

2017-02-10    mail from vendor's technical support, subject
              "Your Request from 10.02.2017"

              "Sorry, this was a mistake from me.
               You get info about the security alert on Monday or
               Tuesday next week."

2017-02-14    status request sent to vendor:
              "Tuesday has passed..."

2017-02-16    mail from vendor's technical support, subject
              "Your Request from 16.02.2017"

              "Unfortunately we can really not help in this case.
               Try to contact ... support team"

              No, I don't run around in circles!
              I contacted them already.

2017-02-16    report published
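
Added example, not part of the original post and not Fujitsu's code: a simplified Python model of how CreateProcess picks the image when lpApplicationName is NULL, following the example given in the MSDN Security Remarks linked above. For the four command lines reported above it lists the paths tried before the intended program, first unquoted and then quoted; the function names are hypothetical.

```python
import ntpath

# The four command lines from the report, split into image path and arguments.
REPORTED = [
    (r"C:\Program Files\PFU\ScanSnap\SSFolder\SSFolderTray.exe", "/e /u"),
    (r"C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe", "/ini"),
    (r"C:\Program Files\PFU\ScanSnap\Driver\SsWifiTool\PfuSsWiFiToolStart.exe", "/s"),
    (r"C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe", "/SSType"),
]

def _image_name(prefix):
    # Simplified rule: a name without an extension gets ".exe" appended.
    return prefix if ntpath.splitext(prefix)[1] else prefix + ".exe"

def probe_order(command_line):
    """Image paths tried, in order, for a command line (simplified model)."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        # A quoted module name has exactly one interpretation.
        end = cmd.find('"', 1)
        return [_image_name(cmd[1:end] if end > 0 else cmd[1:])]
    probes = []
    for i, ch in enumerate(cmd):
        # Every whitespace boundary ends one possible module name.
        if ch in " \t" and cmd[i - 1] not in " \t":
            probes.append(_image_name(cmd[:i]))
    probes.append(_image_name(cmd))
    return probes

def tried_before(command_line, intended_image):
    """Paths that would run instead of intended_image if a file existed there."""
    earlier = []
    for path in probe_order(command_line):
        if path.casefold() == intended_image.casefold():
            break
        earlier.append(path)
    return earlier

def audit(image, args):
    """Return (paths tried first when unquoted, paths tried first when quoted)."""
    return (tried_before(f"{image}  {args}", image),
            tried_before(f'"{image}"  {args}', image))

if __name__ == "__main__":
    for image, args in REPORTED:
        unquoted, quoted = audit(image, args)
        print(f"{ntpath.basename(image)}: unquoted={unquoted} quoted={quoted}")
```

An installer build check can call audit() on every command line it is about to pass to CreateProcess and fail if the first list is not empty.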

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
