From: Richard M. Smith [rms@PHARLAP.COM]
Sent: Wednesday, July 28, 1999 6:33 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Update on the Compaq Presario backdoor and security hole

Hello,

I want to give an update to a message I sent earlier this week to NTBugTraq on the backdoor that I found on a new Windows 98 Compaq Presario system. This backdoor, in combination with a Compaq-supplied Java applet, has introduced a serious security hole in Internet Explorer 4 which allows outsiders to execute DOS and Windows programs from Web pages or HTML email messages. Once an outsider is able to run a program on a system, all the usual bad stuff can be done, such as installing a virus or trojan horse, deleting files from the hard disk, stealing private information, etc.

The backdoor occurs because IE4 is configured on this Presario system to trust all ActiveX controls and Java applets signed by Compaq. It appears that for my system, Compaq was added as a trusted source at the factory. This wouldn't be so bad by itself, except that the Presario system also includes a signed Java applet that has a function for running programs. Because the applet is signed by Compaq, it will execute with no security warnings in IE4 on any system where Compaq is a trusted publisher.

What I found since my original message is that this applet is used on a Compaq HTML page to link to various service options for customers. Some of these links go to Compaq Web sites, but other links run diagnostic programs from the local hard drive. The Java applet is used to run these programs. Since it is a signed applet, it is able to do things outside of the Java sandbox such as execute programs. The applet appears to have no security mechanisms built into itself, so it can run any program, not just the Compaq diagnostic programs.

The really interesting thing I found, however, is the method that Compaq uses to make itself a trusted publisher in IE4. On the Windows desktop there is an icon labeled "Compaq Support".
Clicking on this icon takes you to the HTML page that I described above. However, it gets there by a very curious route. The icon doesn't start up IE4 directly but instead runs a DOS batch file, of all things. The first thing that the batch file does is to feed a .REG file to REGEDIT. This .REG file contains the appropriate settings to make Compaq a trusted publisher in IE4. Yikes, lowering security settings in IE is just too darn easy! Once the registry has been appropriately tweaked, IE4 is started up with the services links page.

I understand from Compaq that some Presario models ship with IE4 pre-configured with Compaq Computer Corporation as a trusted publisher. On other Presario models, no one is listed as a trusted publisher. On these models, a customer would have to have clicked on the "Compaq Support" icon to enable Compaq as a trusted publisher. My understanding is that this service icon and Java applet have shipped on most Presario models since last fall. I checked about 10 other Compaq laptop and desktop systems at two different computer stores, and all of them had this vulnerability and Compaq listed as a trusted publisher.

Compaq is looking into various ways to patch the problem. In the meantime, a simple solution to the problem is to delete from the hard disk the .REG file that makes Compaq a trusted publisher. The path of the file to be deleted is:

    C:\CPQS\SERVICE\CERTREG.REG

You'll also want to remove Compaq as a trusted publisher from IE. Here are the steps:

1. Start Internet Explorer 4 or 5
2. Select the "View | Internet Options..." menu command in IE4 or "Tools | Internet Options..." in IE5
3. Select the "Content" tab in the "Internet Options" dialog box
4. Push the "Publishers..." button
5. Click on the "Compaq Computer Corporation" entry if present
6. Push the "Remove" button.
7. Push the "Okay" button for the "Authenticode Security Technology" dialog box.
8. Push the "Okay" button for the "Internet Options" dialog box.
You'll need to remove Compaq as the trusted publisher after deleting the .REG file. Otherwise, clicking on the icon will make Compaq trusted again.

Also, I have found some similar problems with a number of ActiveX controls that HP has been shipping with their Pavilion systems over the last 6 to 12 months. A write-up of these problems can be found at:

http://www.tiac.net/users/smiths/acctroj/index.htm

Richard M Smith
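The message above describes a vendor batch file that silently feeds a .REG file to REGEDIT to enlarge IE's trusted-publisher list. As an added example (not part of the original post, and not Compaq's CERTREG.REG, whose contents are not reproduced here), the following Python script parses a REGEDIT4-format .REG file and flags any key that touches the WinTrust / Software Publishing trust settings, so a .REG file shipped with a system can be audited before it is ever run. The sample .REG text and its key path are constructed for illustration and are assumptions, not the real file.

```python
import re

# Constructed sample in REGEDIT4 syntax (the Windows 98-era .REG format).
# The trust-database key path is an ASSUMPTION for illustration only; the
# real C:\CPQS\SERVICE\CERTREG.REG is not reproduced on the page.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0]
"example-hash-placeholder"="Compaq Computer Corporation"

[HKEY_CURRENT_USER\Software\Example\Harmless]
"Installed"=dword:00000001
"""

# Key-path fragments whose presence means the file changes who Authenticode/IE trusts.
TRUST_MARKERS = ("wintrust", "trust providers", "software publishing", "trust database")


def parse_reg(text):
    """Return {key_path: {value_name: raw_value}} for a REGEDIT4-style .REG file."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip the format header, blank lines and ';' comments.
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key section, e.g. [HKEY_...\Path]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)   # "Name"=value (value may itself contain '=')
            name = "@" if name == "@" else name.strip('"')
            keys[current][name] = value
    return keys


def trust_changes(text):
    """List (key, name, value) triples that would alter trusted-publisher settings."""
    hits = []
    for key, values in parse_reg(text).items():
        if any(marker in key.lower() for marker in TRUST_MARKERS):
            hits.extend((key, name, value) for name, value in values.items())
    return hits


if __name__ == "__main__":
    for key, name, value in trust_changes(SAMPLE_REG):
        print(f"trust change: [{key}] {name}={value}")
```

Multi-line hex values (lines ending in a backslash) are not joined by this minimal parser; extend `parse_reg` if the file being audited uses them.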