POSReady 7 – What is it?
POSReady 7 is a version of Windows 7 Embedded that is optimized for point-of-services solutions. It has a number of modified features compared to the full version of Windows 7.
You can see examples of the difference by looking at the ‘Windows Features’ section of the control panel. On Windows 7, you can, for example, enable or disable dotNet 3.5.1… this is not possible on POSReady 7.
Partial Windows Update?
While updating POSReady 7, I noticed that there were missing patches for dotNet. This led me to check the file versions to see if the version of dotNet the hosts were running was vulnerable. I found that the file versions were lower than those found on patched systems.
But is it Vulnerable?
I decided that it would be best to test if dotNet is actually vulnerable. I used a simple exploit for MS11-100, specifically for CVE-2011-3415. To get this exploit working, I needed to set up a login page to test if I would get redirected after I authenticated. When I finished the login page, I tested the exploit and I was redirected to a page of my choosing.
The exploit itself relies on social engineering to trick the user into clicking on a malicious link.
- Sample Exploit: ‘http://192.168.1.175/Login.aspx?ReturnURL=http://www.google.ca \’
- Vulnerable Host: 192.168.2.175
- Redirect Destination: http://www.google.ca
What can I do?
Since you can’t uninstall dotNet on POSReady and it is vulnerable, I looked at the patches that were offered to Windows 7. It is possible to install the Windows 7 patch on a POSReady system and have the vulnerability fixed. Why these patches are missing and not offered is a little concerning.
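Until the patch is installed, the web server logs can show whether the redirect is being attempted against a login page. The following is an added example, not code from the original post: it assumes IIS W3C logs with a `#Fields:` header that includes `cs-uri-query`, the function names are hypothetical, and the log lines are constructed.

```python
from urllib.parse import parse_qsl

# Constructed IIS W3C log lines (not from the original post).
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2013-08-01 10:00:01 GET /Login.aspx ReturnURL=%2fDefault.aspx 10.0.0.5 200",
    "2013-08-01 10:00:09 GET /Login.aspx ReturnURL=http://www.google.ca+%5c 10.0.0.6 200",
    "2013-08-01 10:00:15 GET /Login.aspx ReturnUrl=%2f%5cexample.test 10.0.0.7 200",
    "2013-08-01 10:00:20 GET /Default.aspx - 10.0.0.5 200",
]

def is_local_return_url(value):
    """True only for a same-site path such as /Default.aspx."""
    # Browsers drop tabs/newlines and treat "\" like "/", so normalise first.
    v = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    v = v.replace("\\", "/")
    # Must be rooted at this site: reject schemes (http:...) and "//host".
    return v.startswith("/") and not v.startswith("//")

def external_redirects(log_lines, param="returnurl"):
    """Return (client_ip, uri_stem, target) for return URLs that leave the site."""
    fields, hits = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if line.startswith("#") or not line.strip():
            continue                       # other directives and blank lines
        row = dict(zip(fields, line.split()))
        # parse_qsl decodes %xx and "+", so encoded tricks are seen in the clear.
        for key, val in parse_qsl(row.get("cs-uri-query", "-")):
            if key.lower() == param and not is_local_return_url(val):
                hits.append((row.get("c-ip"), row.get("cs-uri-stem"), val))
    return hits

if __name__ == "__main__":
    for ip, stem, target in external_redirects(SAMPLE_LOG):
        print(f"{ip} {stem} -> {target!r}")
```

The same `is_local_return_url` check can be applied in the login page itself before redirecting, as a second layer alongside the patch.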
dotNet 4.0 and POSReady
Before I finished looking at dotNet 3.5.1, I had a feeling that there could be more going on here. I decided to install dotNet 4.0 on my POSReady 7 hosts. dotNet 4.0 looks much like dotNet 3.5.1, with vulnerable file versions and no offered patches.
Title image courtesy of ShutterStock