[FD] "long" filenames mishandled by Fujitsu's ScanSnap software
Fujitsu's ScanSnap software installers WinSSInstiX500WW1.exe
and WinSSInstS1100iWW1.exe, available from
execute C:\Program.exe multiple times near the end of the
I'm VERY confident that the installers for other scanner models
show the same vulnerability.
The culprit is the program SSInst.exe, which fails to quote the following
command lines properly:

  C:\Program Files\PFU\ScanSnap\SSFolder\SSFolderTray.exe /e /u
  C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe /ini
  C:\Program Files\PFU\ScanSnap\Driver\SsWifiTool\PfuSsWiFiToolStart.exe /s
  C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe /SSType

Because CreateProcess() treats the first whitespace of an unquoted command
line as a possible end of the executable's path, it tries C:\Program.exe
before the intended program. Since SSInst.exe runs with administrative
privileges, C:\Program.exe is executed with administrative privileges too.
For this well-known and well-documented beginner's error see
<https://cwe.mitre.org/data/definitions/428.html> as well as
JFTR: Microsoft introduced "long" filenames more than 20 years ago.
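How the unquoted command lines above get misparsed, modelled in Python as an added example (this is not code from the installer, from SSInst.exe or from the report): it lists the candidate paths CreateProcess() walks for each command line, shows which of them an attacker would have to plant to be run instead of the real program, and builds the properly quoted command line. The four command lines are the ones quoted in the report; the function names, the simulated file system passed to resolve() and the fact that only the documented resolution order is modelled (no Win32 call is made) are assumptions of the example.

```python
"""
Model of how CreateProcess() resolves an unquoted command line (that is,
lpApplicationName == NULL and a module path containing spaces), plus the
quoting that avoids the problem.  Added example for this page: it is not
code from SSInst.exe or from the original report, and it only models the
documented resolution order instead of calling Win32.

Documented behaviour (CreateProcess, lpCommandLine): if the executable name
contains spaces and is not quoted, the system treats each whitespace as a
possible end of the name, appends ".exe" where no extension is present, and
tries the candidates from shortest to longest until one exists.
"""
import subprocess
from typing import Iterable, List, Optional

# The four unquoted command lines named in the report.
REPORTED_COMMAND_LINES = [
    r"C:\Program Files\PFU\ScanSnap\SSFolder\SSFolderTray.exe /e /u",
    r"C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe /ini",
    r"C:\Program Files\PFU\ScanSnap\Driver\SsWifiTool\PfuSsWiFiToolStart.exe /s",
    r"C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe /SSType",
]


def _with_exe(path: str) -> str:
    """Append .exe when the last path component carries no extension."""
    last = path.rsplit("\\", 1)[-1]
    return path if "." in last else path + ".exe"


def createprocess_candidates(cmdline: str) -> List[str]:
    """Executable paths CreateProcess would try, in order, for `cmdline`."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        # A quoted module name is taken verbatim up to the closing quote,
        # so there is exactly one candidate.
        end = cmdline.find('"', 1)
        name = cmdline[1:] if end == -1 else cmdline[1:end]
        return [_with_exe(name)]
    # Every space marks a possible end of the module name; the whole line is
    # the last candidate.  Runs of spaces collapse to one candidate.
    prefixes = [cmdline[:i] for i, ch in enumerate(cmdline) if ch == " "]
    prefixes.append(cmdline)
    candidates: List[str] = []
    for prefix in prefixes:
        candidate = _with_exe(prefix.rstrip())
        if prefix.strip() and candidate not in candidates:
            candidates.append(candidate)
    return candidates


def resolve(cmdline: str, existing_files: Iterable[str]) -> Optional[str]:
    """First candidate that exists; `existing_files` stands in for the file
    system (assumption of the example).  Windows paths compare case-insensitively."""
    present = {p.lower() for p in existing_files}
    for candidate in createprocess_candidates(cmdline):
        if candidate.lower() in present:
            return candidate
    return None


def planting_points(cmdline: str, intended_exe: str) -> List[str]:
    """Paths an attacker could create to be run instead of `intended_exe`."""
    points: List[str] = []
    for candidate in createprocess_candidates(cmdline):
        if candidate.lower() == intended_exe.lower():
            break
        points.append(candidate)
    return points


def quote_command_line(exe: str, args: List[str]) -> str:
    """Build a command line whose module path cannot be misparsed.
    subprocess.list2cmdline implements the MS C runtime quoting rules."""
    return subprocess.list2cmdline([exe, *args])


if __name__ == "__main__":
    for line in REPORTED_COMMAND_LINES:
        exe, _, rest = line.partition(".exe ")
        exe += ".exe"
        print(line)
        print("  tried in order:", createprocess_candidates(line))
        print("  plantable     :", planting_points(line, exe))
        print("  fixed         :", quote_command_line(exe, rest.split()))
```

For every one of the four reported lines the first candidate is C:\Program.exe, which is why a single planted file hijacks all of them; once the module path is quoted, createprocess_candidates() returns only the intended executable.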
Stay away from the crapware shipped with Fujitsu's scanners!
2017-01-28    vulnerability report sent to vendor
              no reply, not even an acknowledgement of receipt
2017-02-05    vulnerability report resent to vendor
2017-02-06    vendor hotline forwards report to product team,
              asking for support
2017-02-08    mail from vendor's technical support, subject
              "Your Request from 08.02.2017":
              "Unfortunately this request can not be processed via
2017-02-09    which request?
              I did not send a request on 2017-02-08
2017-02-10    mail from vendor's technical support, subject
              "Your Request from 10.02.2017":
              "Sorry, this was a mistake from me.
               You get info about the security alert on Monday or
               Tuesday next week."
2017-02-14    status request sent to vendor:
              "Tuesday has passed..."
2017-02-16    mail from vendor's technical support, subject
              "Your Request from 16.02.2017":
              "Unfortunately we can really not help in this case.
               Try to contact ... support team"
              No, I don't run around in circles!
              I contacted them already.
2017-02-16    report published
Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/