Subject: Security issue with Compaq Easy Access Keyboard software
From: Brad McArdle (bmcardleROCKTENN.COM)
Date: Thu Oct 12 2000 - 08:36:40 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Compaq's Easy Access Keyboard software version 1.3 contains a bug
which could allow a privilege escalation on the local machine or
domain. I have confirmed the bug running the Easy Access Keyboard
software on Windows 2000 Professional SP1, but I suspect any service
pack level of NT or Win2K would be affected.

The Easy Access Keyboard software is used to provide the
functionality of the custom buttons on the keyboards that ship with
their iPaq desktops. The default for most of the buttons is to
launch the default browser and load a specified web site. However,
due to a bug in the software, these custom keys function even if the
NT/Win2K workstation is locked via Ctrl-Alt-Del, Lock Workstation.
This can be demonstrated by closing all applications, locking the
workstation, pressing one of the custom buttons, and unlocking the
workstation. You will find a browser process has been launched, even
though the workstation was locked when you pressed the button.

To add to the problem, the function of these buttons can be modified
by a malicious user via network share. Modifying the file \program
files\compaq\easy access keyboard\global.kmp changes the function of
the custom buttons. Thus, it would be possible for an administrator
of the local machine to compromise the machine remotely. Since the
software runs under the context of the interactive user, this would
provide a privilege escalation possibility if the interactive user is
a domain admin. I have confirmed that this is possible, but I won't
bore you with the details. Feel free to email me if you would like
more info.

Compaq has fixed the problem in version 1.5.1, which can be
downloaded at:

http://www.compaq.com/support/files/desktops/us/download/9068.html

- --Brad McArdle

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.3

iQA/AwUBOeW+MYy5tOGObQBPEQLwHwCg5NeFqCxI8nhhji4OAA2XApRaUBwAoLiP
zjFrKWHNMSUuF85c3t73c2xs
=H14B
-----END PGP SIGNATURE-----
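
Added example, not part of the original post: one way to detect the behaviour described above (a process started in the interactive user's context while the workstation is locked) by correlating lock, unlock and process-creation events. It assumes the Security log event IDs of current Windows versions (4800 locked, 4801 unlocked, 4688 process created), which are not the versions named in the advisory. The sample events are constructed, and matching by user name instead of logon session is a simplification.

```python
from datetime import datetime

# Event IDs from current Windows Security logs (assumption: not the
# Windows 2000-era systems discussed in the advisory).
LOCKED, UNLOCKED, PROCESS_CREATED = 4800, 4801, 4688

# Constructed sample events: (timestamp, event_id, user, process image)
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", 4688, "CORP\\alice", r"C:\Windows\explorer.exe"),
    ("2024-01-10T09:30:00", 4800, "CORP\\alice", None),
    ("2024-01-10T09:41:12", 4688, "CORP\\alice",
     r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ("2024-01-10T09:45:00", 4688, "NT AUTHORITY\\SYSTEM",
     r"C:\Windows\System32\svchost.exe"),
    ("2024-01-10T10:05:00", 4801, "CORP\\alice", None),
    ("2024-01-10T10:06:00", 4688, "CORP\\alice", r"C:\Windows\System32\notepad.exe"),
]


def processes_started_while_locked(events):
    """Return process creations attributed to a user whose session was locked."""
    locked_since = {}  # lower-cased user name -> timestamp of the lock event
    findings = []
    # Sort by time so out-of-order log exports are still correlated correctly.
    for ts, event_id, user, process in sorted(
            events, key=lambda e: datetime.fromisoformat(e[0])):
        key = user.lower()
        if event_id == LOCKED:
            locked_since[key] = ts
        elif event_id == UNLOCKED:
            locked_since.pop(key, None)  # tolerate an unlock with no lock seen
        elif event_id == PROCESS_CREATED and key in locked_since:
            findings.append({"time": ts, "user": user, "process": process,
                             "locked_since": locked_since[key]})
    return findings


if __name__ == "__main__":
    for f in processes_started_while_locked(SAMPLE_EVENTS):
        print(f"{f['time']} {f['user']} started {f['process']} "
              f"(locked since {f['locked_since']})")
```

Scheduled tasks and other background work that run as the logged-on user will also match, so findings need triage against known-good process names.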