1. Advisory Information

Title: Intel Driver Update Utility MiTM
Advisory ID: CORE-2016-0001
Advisory URL: http://www.coresecurity.com/advisories/intel-driver-update-utility-mitm
Date published: 2016-01-19
Date of last update: 2016-01-14
Vendors contacted: Intel
Release mode: Coordinated release

2. Vulnerability Information

Class: Cleartext Transmission of Sensitive Information [CWE-319]
Impact: Information leak
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2016-1493



3. Vulnerability Description

The Intel Driver Update Utility [1] is a tool that analyzes the system drivers on your computer. The utility reports if any new drivers are available, and provides the download files for the driver updates so you can install them quickly and easily.

Intel [2] Driver Update Utility is prone to a Men in The Middle attack which could result in integrity corruption of the transferred data, information leak and consequently code execution.

4. Vulnerable Packages

Intel Driver Update Utility 2.2.0.5
Other products and versions might be affected too, but they were not tested.

5. Vendor Information, Solutions and Workarounds

Intel released a new version of Intel Driver Update Utility [3] that solves the issue.

6. Credits

This vulnerability was discovered and researched by a member from Core Security Research Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Security Advisories Team.



7. Technical Description / Proof of Concept Code

7.1. Clear text Transmission of Update Information

[CVE-2016-1493] Once the application starts searching for driver updates many HTTP requests like the one below can be seen:

 
GET http://storefront.download.protexis.net/IDDAPI/Prod/productfamily/desktopboard/driver/getbyhardwaresignature/ven_8086&dev_010a/a08/190.xml HTTP/1.1
Host: storefront.download.protexis.net
       
The URL path of the HTTP requests is easy to understand, the hardware ID is part of the path. This ID can be found on the device manager. In the XML file that is received from the server, there's a tag 'File_Url' that has the URL of the file that is going to be downloaded and executed by the application.

 
<?xml version="1.0" encoding="utf-8"?>
<Drivers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://tempuri.org/GetDrivers.xsd">
  <Driver>
    <Driver_ID>24696</Driver_ID>
    <Type>Graphics</Type>
    <Status>Active</Status>
    <Release_Date>2015-02-04</Release_Date>
    <Version>15.28.23.64.4101</Version>
    <File_Name>win64_152823.zip</File_Name>
    <File_Url>http://downloadmirror.intel.com/24696/a08/win64_152823.zip</File_Url>
    <HardwareSignature>VEN_8086&DEV_010A</HardwareSignature>
    <IsComponent>true</IsComponent>
    <Languages>
      <Language>
        <Language_Code>en</Language_Code>
        <Driver_Name>Intel® HD Graphics Driver for Windows* 7/8/8.1 64-bit</Driver_Name>
        <Driver_Details>Installs the Intel® HD Graphics Driver for Windows* 7/8/8.1 64-bit version 15.28.23.64.4101 (9.17.10.4101)</Driver_Details>
      </Language>
    </Languages>
    <Installer_Result_Key>SOFTWARE\Intel\GFX</Installer_Result_Key>
    <Installer_Version_Key>SOFTWARE\Intel\GFX</Installer_Version_Key>
    <Installer_Reboot_Flag>deferred</Installer_Reboot_Flag>
    <Installer_Cmd_Line>-s -overwrite</Installer_Cmd_Line>
  </Driver>
</Drivers>
       
Once the application ends the search process, it shows the user the available drivers updates. After downloading the drivers the user clicks on the 'Install' button and the binaries are executed. The only verification founded was on the VerifyDownloadURL method of the DriverManager class. This is doing a domain verification, that can be easily bypassed if the attacker is performing an ARP poisoning attack combined with DNS spoofing.



8. Report Timeline

2015-11-12: Core Security sent an initial notification to Intel.
2015-11-26: Core Security sent another notification to Intel asking for a reply.
2015-12-14: Core Security sent a notification to Intel's Product Manager of their Update Utility.
2015-12-14: Intel requested Core Security for a draft copy of the advisory.
2015-12-15: Core Security asked Intel if they wanted to keep an encrypted communication or not.
2015-12-16: Intel requested Core Security to send the draft copy of the advisory in plain text.
2015-12-16: Core Security sent Intel a draft version of the advisory and requested a tentative date for releasing an update/fix.
2015-12-16: Intel informed Core Security that they were evaluating the report and that they would respond by the end of the week.
2015-12-18: Intel informed Core Security that they were testing a new version of the utility that should mitigate the vulnerability and that it would be available in mid-January.
2016-01-04: Core Security requested Intel the date and time they were going to publish the new version of the product.
2016-01-05: Intel informed Core Security that they were working towards a release on January 15.
2016-01-08: Core Security requested Intel if they were willing to consider to change the publication date from Friday 15 to Monday 18 of January in order to avoid the proximity to the weekend.
2016-01-08: Intel informed Core Security that they agreed on publishing on Monday 18 of January.
2016-01-08: Intel informed Core Security that they forgot that January 18 was a holiday in the United States, so they would be aiming to release it on Tuesday, January 19.
2016-01-11: Core Security informed Intel that we agreed to release it on Tuesday, January 19.
2016-01-19: Advisory CORE-2016-0001 published.
9. References

[1] https://downloadcenter.intel.com/. 
[2] http://www.intel.com. 
[3] http://www.intel.com/content/www/us/en/support/detect.html. 

10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. About Core Security Technologies

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

12. Disclaimer

The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.