Thursday, 15 August 2019

tenpaycert.exe – Dubious WeChat Pay browser plugin with possible local server component TenpayServer.exe

(This article is posted in English because I have a gut feeling this information is relevant to the global Information Security Community)

If you are a merchant accepting WeChat Pay payments from your customers, WeChat Pay seems to offer you a web-based administration interface which you can access with the following URL:

pay.weixin.qq.com/index.php/public/wechatpay/home

I recently got notified that a merchant seems not to be able to log into this interface using proper credentials. Instead, the following error message is presented to him:

Such as password entry exception, please follow the guidelines to modify the browser configuration, see guidelines.

The guidelines do explain that to access the web interface, the user needs to install a browser plugin:

After you enter your merchant ID, you will be prompted to download and install the security controls. Click the box outlined in red in the image below.

It is called „tenpaycert.exe“ and can be downloaded from the following URL:

www.tenpay.com/download/tenpaycert.exe

The file is 16607016 bytes in size (about 15 MB) and at the time of writing its MD5 hash was 5ae039d22906733d19ef21b17aca5539.

The exe file is a Win32 executable …

$ file tenpaycert.exe 
tenpaycert.exe: PE32 executable (GUI) Intel 80386, for MS Windows

… and on closer analysis is actually a self-extracting ZIP archive. On macOS, I used Keka, the macOS file archiver, to extract its contents into their original folder structure. The archive contains the following:

$ tree -a
.
├── .data
├── .rdata
├── .reloc
├── .rsrc
│   ├── 1033
│   │   └── MANIFEST
│   │       └── 1
│   └── 2052
│       ├── ACCELERATOR
│       │   └── 109
│       ├── BITMAP
│       │   ├── 131.bmp
│       │   ├── 152.bmp
│       │   ├── 153.bmp
│       │   ├── 154.bmp
│       │   ├── 155.bmp
│       │   ├── 157.bmp
│       │   ├── 2001.bmp
│       │   ├── 2002.bmp
│       │   ├── 2003.bmp
│       │   ├── 2004.bmp
│       │   ├── 2005.bmp
│       │   ├── 2006.bmp
│       │   ├── 2007.bmp
│       │   ├── 2008.bmp
│       │   ├── 2009.bmp
│       │   ├── 2010.bmp
│       │   ├── 2011.bmp
│       │   └── 2012.bmp
│       ├── DIALOG
│       │   ├── 1001
│       │   ├── 148
│       │   ├── 149
│       │   ├── 150
│       │   └── 151
│       ├── GROUP_ICON
│       │   ├── 107
│       │   └── 108
│       ├── ICON
│       │   ├── 1.ico
│       │   ├── 10.ico
│       │   ├── 11.ico
│       │   ├── 12.ico
│       │   ├── 2.ico
│       │   ├── 3.ico
│       │   ├── 4.ico
│       │   ├── 5.ico
│       │   ├── 6.ico
│       │   ├── 7.ico
│       │   ├── 8.ico
│       │   └── 9.ico
│       ├── MSI
│       │   ├── 146
│       │   └── 147
│       ├── PNG
│       │   ├── 133
│       │   ├── 134
│       │   ├── 161
│       │   ├── 163
│       │   ├── 165
│       │   ├── 166
│       │   ├── 2022
│       │   ├── 2024
│       │   ├── 2025
│       │   ├── 2026
│       │   └── 2027
│       ├── string.txt
│       └── version.txt
├── .rsrc_1
├── .text
└── CERTIFICATE

Software

According to the file at .rsrc > 2052 > version.txt, the official name of this software is „Tenpay Security Control“ and the current version number is 2.0.3.0.

Certificate

The file CERTIFICATE (256296 bytes) in the root of the archive is interesting, but does not appear to be in a standardized format that file recognizes:

$ file CERTIFICATE 
CERTIFICATE: data

The file's timestamp is July 12, 2017 — this seems to be a rather old certificate, given that most certificates nowadays expire within two years at most.

Looking at it with the strings command and a hex editor (on macOS, I use Hex Fiend) reveals that at the very end of the file there are strings which point to one or more embedded certificates:

Symantec Corporation1
Symantec Trust Network100.
Symantec Class 3 SHA256 Code Signing CA0
160128000000Z
190328235959Z0
Guangdong1
Shenzhen1503
Tencent Technology(Shenzhen) Company Limited1
Tencent Technology(Shenzhen) Company Limited0
http://sv.symcb.com/sv.crl0a
https://d.symcb.com/cps0%
https://d.symcb.com/rpa0
http://sv.symcd.com0&
http://sv.symcb.com/sv.crt0
VeriSign, Inc.1
VeriSign Trust Network1:08
1(c) 2006 VeriSign, Inc. - For authorized use only1E0C
VeriSign Class 3 Public Primary Certification Authority - G50
131210000000Z
231209235959Z0
Symantec Corporation1
Symantec Trust Network100.
'Symantec Class 3 SHA256 Code Signing CA0
http://s2.symcb.com0
http://www.symauth.com/cps0(
http://www.symauth.com/rpa00
http://s1.symcb.com/pca3-g5.crl0
SymantecPKI-1-5670
Washington1
Redmond1
Microsoft Corporation1)0'
Microsoft Code Verification Root0
110222192517Z
210222193517Z0
VeriSign, Inc.1
VeriSign Trust Network1:08
1(c) 2006 VeriSign, Inc. - For authorized use only1E0C
VeriSign Class 3 Public Primary Certification Authority - G50
http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
Symantec Corporation1
Symantec Trust Network100.
Symantec Class 3 SHA256 Code Signing CA
20170712011507Z0
Symantec Corporation1
Symantec Trust Network110/
Symantec SHA256 TimeStamping Signer - G2
VeriSign, Inc.1
VeriSign Trust Network1:08
(c) 2008 VeriSign, Inc. - For authorized use only1806
/VeriSign Universal Root Certification Authority0
160112000000Z
310111235959Z0w1
Symantec Corporation1
Symantec Trust Network1(0&
Symantec SHA256 TimeStamping CA0
https://d.symcb.com/cps0%
https://d.symcb.com/rpa0.
http://s.symcd.com06
%http://s.symcb.com/universal-root.crl0
TimeStamp-2048-30
Symantec Corporation1
Symantec Trust Network1(0&
Symantec SHA256 TimeStamping CA0
170102000000Z
280401235959Z0
Symantec Corporation1
Symantec Trust Network110/
(Symantec SHA256 TimeStamping Signer - G20
https://d.symcb.com/cps0%
https://d.symcb.com/rpa0@
/http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
http://ts-ocsp.ws.symantec.com0;
http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
TimeStamp-2048-50
Symantec Corporation1
Symantec Trust Network1(0&
Symantec SHA256 TimeStamping CA

Hasn’t the Symantec CA fallen into disgrace after some … hiccups? Are we talking about the same CA here? I don’t know.

Microsoft Installer MSI Files

Size-wise, the contents of the folder .rsrc > 2052 > MSI are the most interesting part of the executable — it contains two files without extension which are 7529143 and 8019860 bytes in size respectively, making up 99 percent of the whole .exe archive.

Copying the two files and manually adding the extension .7z to them allows one to extract their contents with The Unarchiver as well.

It turns out that these might be the browser plugins for at least two different browser platforms (maybe Chrome and Internet Explorer?), as hinted at by the folder name pnacl.plugins (NaCl and PNaCl).

The PNG image with the path .rsrc > 2052 > PNG > 166 hints at the Windows browsers able to run the plugin:

[Image: PNG resource 166, browser logos of the supported Windows browsers]

146.msi

$ ls -l
total 5736
-rw-r--r--@ 1 mario  staff  388216 12 Jul  2017 QQCertBroker.exe
-rw-r--r--@ 1 mario  staff   56032 13 Jan  2015 QQEditBroker.exe
-rw-r--r--@ 1 mario  staff  373136 12 Jul  2017 TenpayServer.exe
-rw-r--r--@ 1 mario  staff    3746 15 Sep  2014 Whatsnew.txt
-rw-r--r--@ 1 mario  staff   69056 24 Mai  2017 XP.sys
-rw-r--r--@ 1 mario  staff   80800 24 Mai  2017 XP_64.sys
-rw-r--r--@ 1 mario  staff  119168 12 Jul  2017 npqqcert.dll
-rw-r--r--@ 1 mario  staff  243728 12 Jul  2017 npqqedit.dll
drwxr-xr-x@ 3 mario  staff     102  9 Okt  2015 pnacl.plugins
-rw-r--r--@ 1 mario  staff  168400 12 Jul  2017 qqcert.dll
-rw-r--r--@ 1 mario  staff  200144 12 Jul  2017 qqcert64.dll
-rw-r--r--@ 1 mario  staff  291792 12 Jul  2017 qqedit.dll
-rw-r--r--@ 1 mario  staff  354768 12 Jul  2017 qqedit64.dll
-rw-r--r--@ 1 mario  staff   82474 21 Jul  2014 tenpay.ico
-rw-r--r--@ 1 mario  staff  477608 22 Sep  2016 uninstall.exe

147.msi

$ ls -l
total 14040
-rw-r--r--@ 1 mario  staff      466 21 Jul  2014 Microsoft.VC90.ATL.manifest
-rw-r--r--@ 1 mario  staff      532 21 Jul  2014 Microsoft.VC90.DebugCRT.manifest
-rw-r--r--@ 1 mario  staff   915648 12 Apr  2016 QQCertBroker.exe
-rw-r--r--@ 1 mario  staff   886616 12 Apr  2016 TenpayServer.exe
-rw-r--r--@ 1 mario  staff     3746 15 Sep  2014 Whatsnew.txt
-rw-r--r--@ 1 mario  staff    70712 12 Apr  2016 XP.sys
-rw-r--r--@ 1 mario  staff    81944 12 Apr  2016 XP_64.sys
-rw-r--r--@ 1 mario  staff   161784 21 Jul  2014 atl90.dll
-rw-r--r--@ 1 mario  staff   868864 21 Jul  2014 msvcp90d.dll
-rw-r--r--@ 1 mario  staff  1180672 21 Jul  2014 msvcr90d.dll
-rw-r--r--@ 1 mario  staff   157208 12 Apr  2016 npqqcert.dll
-rw-r--r--@ 1 mario  staff   301128 12 Apr  2016 npqqedit.dll
drwxr-xr-x@ 3 mario  staff      102  9 Okt  2015 pnacl.plugins
-rw-r--r--@ 1 mario  staff   404448 12 Apr  2016 qqcert.dll
-rw-r--r--@ 1 mario  staff   475104 12 Apr  2016 qqedit.dll
-rw-r--r--@ 1 mario  staff   605664 12 Apr  2016 qqedit64.dll
-rw-r--r--@ 1 mario  staff  1039152 22 Dez  2015 uninstall.exe

After the Zoom local web server debacle a little more than a month ago, the presence of an executable called TenpayServer.exe is very, very worrisome. Does WeChat Pay sneakily install and permanently enable a local server on the user’s computer? I hope not. Since I didn’t have a (sandboxed) Windows installation at hand, I didn’t try to install the software.

TenpayServer.exe

Running strings against TenpayServer.exe reveals some usable information. The following snippet caught my attention:

Software\Microsoft\SystemCertificates\Root\Certificates\56502166C0DE2488950491C90C7560E0E7AA7378
Blob
China
tenpay.com
CA Center
test
123456789
test1234567890

Let’s hope the last three lines are not credentials, but just some dummy information entered when prompted for certificate attributes. But why would any developer ship such strings in software released to the public?

The server component also contains at least two Base64 encoded certificates:


In plain text these read:

$ openssl x509 -in certificate-01.txt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d8:95:f7:d2:be:14:72:35
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=GUANGDONG, L=SHENZHEN, O=tenpay.com, OU=Tenpay.com CA Center, CN=Tenpay.com Root CA/emailAddress=service@tencent.com
        Validity
            Not Before: Oct 31 07:32:51 2007 GMT
            Not After : Oct 28 07:32:51 2017 GMT
        Subject: C=CN, ST=GUANGDONG, L=SHENZHEN, O=tenpay.com, OU=Tenpay.com CA Center, CN=Tenpay.com Root CA/emailAddress=service@tencent.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:93:90:9b:8f:37:f2:4a:6e:4a:8d:6f:60:72:08:
                    f4:1c:9f:b0:d6:06:e3:4f:b8:0a:1a:f4:24:3b:49:
                    87:7e:ea:5a:46:2d:99:7e:57:57:02:d7:de:bd:b0:
                    7a:9e:2b:ab:83:e3:9d:67:07:88:ab:fd:ab:59:9f:
                    af:4a:5e:ec:f8:73:61:4d:9d:4d:45:24:f2:46:40:
                    65:00:c6:07:b0:51:cb:e9:78:c9:2f:a7:b8:13:14:
                    c0:6f:0a:0e:7d:5d:38:45:20:0b:d0:8f:33:80:c4:
                    53:a8:4a:ef:59:32:be:3d:a9:00:31:32:9f:10:29:
                    08:c4:74:bf:a9:3c:b4:e6:cf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                0A:D4:43:7D:04:7C:E1:D1:80:1B:63:19:8F:27:E1:98:9C:D7:B0:BF
            X509v3 Authority Key Identifier: 
                keyid:0A:D4:43:7D:04:7C:E1:D1:80:1B:63:19:8F:27:E1:98:9C:D7:B0:BF
                DirName:/C=CN/ST=GUANGDONG/L=SHENZHEN/O=tenpay.com/OU=Tenpay.com CA Center/CN=Tenpay.com Root CA/emailAddress=service@tencent.com
                serial:D8:95:F7:D2:BE:14:72:35

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         1b:38:72:9f:22:51:a6:6f:dd:dd:8c:ec:33:91:eb:04:dc:e0:
         c5:4c:5a:dd:9f:08:74:be:1f:31:be:18:62:42:bb:f1:ba:1c:
         e1:95:91:78:b9:02:df:68:49:be:32:38:e8:5f:8c:e8:34:40:
         ce:ce:f1:e1:96:0e:c3:7a:32:06:26:ee:25:06:a3:73:88:ef:
         8e:69:1e:b6:d2:8a:e1:1e:3a:92:84:7c:a1:85:15:1a:87:43:
         10:52:b2:83:0f:5a:55:7b:87:5e:47:be:d1:5b:c6:e4:93:6f:
         c3:e6:46:89:3b:cd:4c:e9:6b:c5:34:47:e3:01:46:2e:77:78:
         a9:58

… and …

$ openssl x509 -in certificate-02.txt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8384805 (0x7ff125)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=GUANGDONG, L=SHENZHEN, O=tenpay.com, OU=Tenpay.com CA Center, CN=Tenpay.com Root CA/emailAddress=service@tencent.com
        Validity
            Not Before: Jan 26 08:23:33 2010 GMT
            Not After : Jan 26 08:23:33 2011 GMT
        Subject: C=\x00C\x00h\x00i\x00n\x00a, ST=\x00X\x00X, L=\x00t\x00e\x00s\x00t, O=\x00t\x00e\x00n\x00p\x00a\x00y\x00.\x00c\x00o\x00m, OU=\x00C\x00A\x00 \x00C\x00e\x00n\x00t\x00e\x00r, CN=y\xE6O\xDD[\x89, SN=\x001\x008\x006\x006\x001\x004\x008\x008\x006, GN=\x00X\x00X/title=\x00X\x00X/emailAddress=XX
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:bc:dd:ae:44:13:c0:4e:31:22:d2:64:39:03:8b:
                    47:02:9d:f8:04:ba:71:f8:69:80:8a:89:32:13:ae:
                    4f:25:b3:05:ab:56:7f:bf:ce:0e:91:c8:da:aa:76:
                    76:43:b0:93:0b:d2:d7:e4:25:17:3f:4d:0a:51:67:
                    c3:05:c2:bb:41:de:c8:37:61:bb:de:de:fa:23:fb:
                    d0:c4:ff:ea:12:79:d2:61:43:98:c0:c8:b9:34:10:
                    02:7d:90:25:84:cc:da:d1:95:54:b0:61:9a:c8:bd:
                    40:af:cd:41:b2:af:2d:c6:28:b1:a6:92:e2:2e:a9:
                    48:cb:54:85:96:20:f4:cb:81
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                "CES-CA Generate Certificate"
            X509v3 Subject Key Identifier: 
                01:01:AA:77:D2:F2:47:93:34:ED:1B:1B:3A:76:7D:78:15:F1:E5:5B
            X509v3 Authority Key Identifier: 
                keyid:0A:D4:43:7D:04:7C:E1:D1:80:1B:63:19:8F:27:E1:98:9C:D7:B0:BF
                DirName:/C=CN/ST=GUANGDONG/L=SHENZHEN/O=tenpay.com/OU=Tenpay.com CA Center/CN=Tenpay.com Root CA/emailAddress=service@tencent.com
                serial:D8:95:F7:D2:BE:14:72:35

            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
    Signature Algorithm: sha1WithRSAEncryption
         65:b5:64:8c:d9:1a:7d:11:3c:99:8c:4b:0d:50:7b:cd:9f:13:
         e1:69:20:7f:12:b5:2a:d8:ed:31:97:5f:1b:54:50:3f:73:b4:
         ee:4c:67:31:ab:37:ab:08:70:a4:c0:48:40:50:2e:a6:de:a8:
         e3:c8:ca:09:b8:26:32:92:79:c8:3a:35:b7:49:c5:f4:65:92:
         a3:fb:b0:e5:c4:b6:a2:49:22:b2:6f:c8:17:1c:7d:c2:52:f8:
         38:1f:bb:25:7b:dd:2e:80:46:10:30:ec:ca:d1:aa:4c:b0:ae:
         a0:2c:29:44:6b:fa:75:aa:89:ab:45:52:fb:47:0e:9c:8c:1d:
         1d:61

Both certificates have expired; the first one on Oct 28 07:32:51 2017 GMT, the second on Jan 26 08:23:33 2011 GMT. Why would somebody distribute expired certificates?

Changelog

The developers of this plugin were also kind enough to distribute a changelog in the file Whatsnew.txt. Unfortunately, it is written in Chinese; Google Translate helps to render its contents in English:

============================================

TenPay Security Control 2.0.2.6

1. Enhance the security control driver's password protection function

============================================

TenPay Security Control 2.0.2.5

1. Solve the problem that the certificate control service program is disabled, which can prevent the security software from disabling the TenPay service, causing the payment function to be blocked.

============================================

Tenpay security control 2.0.2.4

1. Fix chrome (32 or above) does not display the password control properly

============================================

TenPay Security Control 2.0.2.3

1. Optimize chrome (32 or above) and firefox (26 or above) to manually enable plugins
2. Fix the chrome when the password control appears, the right click menu clicks invalid question
3. Password control supports keyboard caps Lock when prompted to caps lock

============================================

TenPay Security Control 2.0.2.2

1. Fix "My Wallet" can't enable plugin problem
2. Fix the latest version of chrome focus confusion
3. Synchronously updated the installation package browser logo

============================================

Tenpay Security Control 2.0.2.1

1. Compatible with IE11 browser
2. Increase the synchronization protection of the keyboard driver

============================================

Tenpay security control 2.0.1.4

1. Password control officially supports 64-bit browser
2. Password control in safe mode is compatible with multiple monitors
3. Add a new functional interface to get the expiration time of the digital certificate
4. Optimize the installation package to support the installation without restarting the browser.

============================================

TenPay Security Control 2.0.1.0

1. Fix a vulnerability that can be remotely signed under win7;
2. Fix the encoding problem of Chinese signatures in non-IE kernel browsers.

============================================

TenPay Security Control 2.0.0.9

1. Increase the system taskbar security tips, the account funds intimate protection

============================================

Tenpay security control 2.0.0.7

1. Increase the compatibility of security controls and financial shields to optimize compatibility;
2. Optimize the performance of the control under the Windows 7 operating system, taking up less memory.

============================================

TenPay Security Control 2.0.0.6

1. Increase the access function of the treasury shield interface to support the use of the vouchers by ordinary users;
2. Fix the hidden danger of a button message hook security mechanism.

============================================

Tenpay security control 2.0.0.4

1. Add the merchant root certificate, and the Tenpay merchant can log in to Tenpay after installing the security control. There is no need to manually install the certificate again.
2. Added cab package for 64-bit IE to optimize support for 64-bit Windows operating system.

============================================

TenPay Security Control 2.0.0.3

1. Add the “Add to Desktop” option to make it easier and faster to access TenPay;
2. Optimize the control's response to the keyboard to make your operation smoother;
3. Further optimize browser compatibility and continuously upgrade performance.

============================================

TenPay Security Control 2.0.0.2

1. Optimize the performance of security controls;
2. Fix a compatibility issue and improve compatibility with dual-core browsers such as QQ browser.

============================================

TenPay Security Control 2.0.0.1

1. New UI design, new visual experience;
2. Optimized and upgraded control performance for a smoother operation experience;
3. Perfectly compatible with 3 browsers, Sogou browser and Firefox browser green version;
4. Increase the security and stability of the password control, strengthen security and ensure password security;
5. New process detection mechanism, the control installation is smoother.

While reading the change log, I stopped at the following bullet point:

Add the merchant root certificate, and the Tenpay merchant can log in to Tenpay after installing the security control. There is no need to manually install the certificate again.

Does the software also install an additional root certificate on the local computer? Is this a system-wide installation, a user-specific one — or is it restricted to the browser alone? Can this root certificate be trusted, especially given that the name Symantec appears in the certificate file?

Questions after questions.
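The questions above about the root certificate and the local server component can be checked on a machine that has the software installed. The following audit script is an added example, not part of the original post or of the Tenpay software; it uses the thumbprint from the registry path found in the strings output of TenpayServer.exe and the process and service names seen in the MSI contents, and assumes PowerShell 5 or later on Windows.

```powershell
# Added audit script (hypothetical; not from the post or from Tenpay).
# Thumbprint taken from the SystemCertificates\Root path inside TenpayServer.exe.
$Thumbprint = '56502166C0DE2488950491C90C7560E0E7AA7378'

# 1. Certificate stores: CurrentUser answers "user-specific",
#    LocalMachine answers "system-wide".
foreach ($Store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    $Cert = Get-ChildItem -Path $Store -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if ($Cert) {
        Write-Output "FOUND in $Store"
        Write-Output "  Subject : $($Cert.Subject)"
        Write-Output "  Issuer  : $($Cert.Issuer)"
        Write-Output "  NotAfter: $($Cert.NotAfter) (expired: $($Cert.NotAfter -lt (Get-Date)))"
    } else {
        Write-Output "not present in $Store"
    }
}

# 2. Raw registry keys, in case the Blob value was written directly
#    (as the string in the binary suggests) rather than via CryptoAPI.
foreach ($Hive in 'HKCU:', 'HKLM:') {
    $Key = "$Hive\Software\Microsoft\SystemCertificates\Root\Certificates\$Thumbprint"
    if (Test-Path -Path $Key) {
        $Blob = (Get-ItemProperty -Path $Key -Name Blob -ErrorAction SilentlyContinue).Blob
        Write-Output "registry key present: $Key (Blob length: $($Blob.Length) bytes)"
    }
}

# 3. Any other trusted roots carrying the Tenpay.com CA names seen in the
#    embedded PEM certificates, regardless of thumbprint.
Get-ChildItem -Path 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root' -ErrorAction SilentlyContinue |
    Where-Object { $_.Subject -match 'tenpay' -or $_.Issuer -match 'tenpay' } |
    Select-Object PSParentPath, Thumbprint, Subject, NotAfter

# 4. Local server component: service, running process and listening sockets.
Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match 'tenpay' -or $_.DisplayName -match 'tenpay' } |
    Select-Object Name, DisplayName, Status, StartType
$Procs = Get-Process -Name TenpayServer -ErrorAction SilentlyContinue
foreach ($P in $Procs) {
    Get-NetTCPConnection -State Listen -OwningProcess $P.Id -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Process'; e = { $P.ProcessName } }, LocalAddress, LocalPort
}
```

Run it from an elevated prompt so the LocalMachine store and HKLM keys are readable; a hit in LocalMachine\Root means every user and every application on the machine trusts that CA.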

Preliminary Conclusion

This plugin looks dubious to me, and if I were an attacker, I would try to figure out if I could somehow take over browsers running this plugin.

A quick Google Search for tenpaycert.exe and for TenpayServer.exe showed me that nobody ever seems to have looked at this piece of software. Maybe it’s time that Security Researchers start to do so …
