COMMAND

    Easy Access Keyboard

SYSTEMS AFFECTED

    Compaq Easy Access Keyboard 1.3

PROBLEM

    Brad McArdle found the following.  Compaq's Easy Access Keyboard
    software version 1.3 contains a bug which could allow privilege
    escalation on the local machine or domain.  The bug has been
    confirmed with the Easy Access Keyboard software running on
    Windows 2000 Professional SP1, but any service pack level of NT or
    Win2K would be affected.

    The Easy Access Keyboard software provides the functionality of
    the custom buttons on the keyboards that ship with Compaq's iPaq
    desktops.  The default for most of the buttons is to launch the
    default browser and load a specified web site.  However, due to a
    bug in the software, these custom keys function even if the
    NT/Win2K workstation is locked via Ctrl-Alt-Del, Lock Workstation.
    This can be demonstrated by closing all applications, locking the
    workstation, pressing one of the custom buttons, and unlocking the
    workstation.  You will find a browser process has been launched,
    even though the workstation was locked when you pressed the
    button.

    To add to the problem, the function of these buttons can be
    modified by a malicious user via a network share.  Modifying the
    file \program files\compaq\easy access keyboard\global.kmp
    changes the function of the custom buttons.  Thus, it would be
    possible for an administrator of the local machine to compromise
    the machine remotely.  Since the software runs under the context
    of the interactive user, this would provide a privilege escalation
    possibility if the interactive user is a domain admin.  It has
    been confirmed that this is possible, but we won't bore you with
    the details.
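
    One way to detect the tampering described above, as an added
    example (not code from the advisory or from Compaq): hash each
    machine's global.kmp and compare it with a known-good copy.  The
    drive-root mapping, the function names and the demo contents are
    assumptions; the advisory does not describe the .kmp format, so
    the file is treated as opaque bytes.

```python
import hashlib
import tempfile
from pathlib import Path

# Location of the key-mapping file relative to the system drive (from the advisory).
KMP_RELATIVE = Path("program files", "compaq", "easy access keyboard", "global.kmp")


def sha256_file(path):
    """Hash a file in chunks; the .kmp content is treated as opaque bytes."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_hosts(drive_roots, known_good):
    """Classify each host's global.kmp against a set of known-good SHA-256 digests.

    drive_roots maps a host label to the root of its system drive as reachable
    by the auditor (assumption: e.g. an administrative share or a mounted image).
    """
    results = {}
    for host, root in drive_roots.items():
        try:
            digest = sha256_file(Path(root) / KMP_RELATIVE)
        except FileNotFoundError:
            results[host] = "absent"        # software not installed or file removed
        except OSError:
            results[host] = "unreadable"    # share down, access denied, etc.
        else:
            results[host] = "ok" if digest in known_good else "modified"
    return results


if __name__ == "__main__":
    # Constructed demo: two fake "system drives" in a temp directory.
    with tempfile.TemporaryDirectory() as tmp:
        roots = {}
        for host, content in (("ws-01", b"vendor default"), ("ws-02", b"edited")):
            kmp = Path(tmp, host) / KMP_RELATIVE
            kmp.parent.mkdir(parents=True)
            kmp.write_bytes(content)
            roots[host] = Path(tmp, host)
        good = {hashlib.sha256(b"vendor default").hexdigest()}
        print(audit_hosts(roots, good))
```

    A "modified" result only means the file differs from the recorded
    baseline; digests of legitimate site customisations belong in
    known_good.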

SOLUTION

    Compaq has fixed the problem in version 1.5.1, which can be
    downloaded at:

        http://www.compaq.com/support/files/desktops/us/download/9068.html