exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Intel SSD Toolbox 3.4.3 DLL Hijacking

Intel SSD Toolbox 3.4.3 DLL Hijacking
Posted May 31, 2017
Authored by Stefan Kanthak

Intel SSD Toolbox version 3.4.3 suffers from a dll hijacking vulnerability.

tags | exploit
systems | windows
SHA-256 | bca118f21515d6e1ab924c929e6631ec6f06fdcdc4033d6b440b013abd6b8660

Intel SSD Toolbox 3.4.3 DLL Hijacking

Change Mirror Download
Hi @ll,

executable installers built with Intels Installation Framework,
for example "Intel SSD Toolbox - v3.4.3.exe", available from
<https://downloadcenter.intel.com/download/26574>, expose two
vulnerabilities, both resulting in arbitrary code execution
with escalation of privilege.

Vulnerability #1:
~~~~~~~~~~~~~~~~~

On a fully patched Windows 7 SP1 they load and execute (at least)
Cabinet.dll, Version.dll, RichEd20.dll, UXTheme.dll or DMWAPI.dll
(on other versions of Windows different DLLs may be affected)
from the directory they are stored (their so-called "application
directory") instead Windows' "system directory"
%SystemRoot%\System32\", resulting in arbitrary code execution.

DLL hijacking is a 20 year old, well-known and well-documented
vulnerability, and a typical (but ubiquituous) beginner's error:
see <https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>,
<https://capec.mitre.org/data/definitions/471.html>,
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> plus
<https://skanthak.homepage.t-online.de/!execute.html> for more
documentation!

For software downloaded with a web browser the "application
directory" is typically the user's "Downloads" directory: see
<http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> plus
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,
<http://seclists.org/fulldisclosure/2012/Aug/134> and
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>

Due to the specification "requireAdministrator" in the application
manifest embedded within the executable, installers like
"Intel SSD Toolbox - v3.4.3.exe" run with administrative privileges
("protected" administrators are prompted for consent, unprivileged
standard users are prompted for an administrator password),
resulting in an escalation of privilege!

If (one of) the DLLs named above get(s) planted in the users
"Downloads" directory, for example per "drive-by download", this
vulnerability becomes a remote code execution WITH escalation of
privilege.


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit <https://skanthak.homepage.t-online.de/sentinel.html>,
download
<https://skanthak.homepage.t-online.de/skanthak/download/SENTINEL.DLL>
and save it as Cabinet.dll in your "Downloads" directory, then
copy it as Version.dll, RichEd20.dll, UXTheme.dll and DWMAPI.dll;

2. visit <https://downloadcenter.intel.com/download/26574>, download
<https://downloadmirror.intel.com/26574/eng/Intel%20SSD%20Toolbox%20-%20v3.4.3.exe>
and save it in your "Downloads" directory;

3. execute "Intel SSD Toolbox - v3.4.3.exe" from your "Downloads"
directory;

4. notice the message boxes displayed from the DLLs placed in
step 1: PWNED!


Mitigation & detection:
~~~~~~~~~~~~~~~~~~~~~~~

* NEVER run executable installers from your "Downloads" directory;

* dump/avoid executable installers, use *.MSI instead!

* see <https://skanthak.homepage.t-online.de/!execute.html> plus
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>

* also see <https://skanthak.homepage.t-online.de/verifier.html>


Vulnerability #2:
~~~~~~~~~~~~~~~~~

On EVERY version of Windows these installers create UNSAFE
(sub)directories "%TEMP%\IIF<abcd>.tmp\", "%TEMP%\IIF<abcd>.tmp\Lang\"
and "%TEMP%\IIF<abcd>.tmp\Lang\<ll>-<CC>\", extract some dozen
DLLs "%TEMP%\IIF<abcd>.tmp\Lang\<ll>-<CC>\setup.exe.dll" and load
ALL of them with administrative privileges.

An unprivileged attacker^Wuser can replace these DLLs between their
creation and their use, again resulting in elevation of privilege.

See <https://cwe.mitre.org/data/definitions/377.html> and
<https://cwe.mitre.org/data/definitions/379.html> for this
well-known and well-documented vulnerability.


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit <https://skanthak.homepage.t-online.de/sentinel.html>,
then download
<https://skanthak.homepage.t-online.de/skanthak/download/SENTINEL.DLL>
and save it in an arbitrary directory;

2. save the following batch script in the same directory:

--- IIF.CMD ---
:WAIT
@If Not Exist "%TEMP%\IIF????.tmp" Goto :WAIT
For /D %%! In ("%TEMP%\IIF????.tmp") Do Set IIFTMP=%%!
For /R "%IIFTMP%" %%! In (setup.exe.dll) Do Copy SENTINEL.DLL "%%!"
Set IIFTMP=
--- EOF ---

3. start the batch script;

4. execute "Intel SSD Toolbox - v3.4.3.exe".


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2017-03-06 vulnerability report sent to vendor

2017-03-06 automatic reply "we received your report"

2017-03-06 reply from vendor:
"We will escalate this to the appropriate team and get
back to you in the next couple of days."

2017-03-14 followup from vendor:
"Our technical team has confirmed the finding and an
update is being created."

2017-03-15 question sent to vendor:
"Will all executable installers built with the
vulnerable IIF be fixed, or just the one I picked?"

2017-03-15 reply from vendor:
"We are getting an update from the product team this
week and will relay your concerns."

2017-04-21 notication from vendor:
"due to an unrelated problem we are delaying release
until the week of May 22. I can provide you with a
build that has the DLL hijacking fixed if you'd like."

2017-04-21 answer to vendor: "yes, I'd like to test it!"

2017-05-04 reply from vendor:
"we produced an official build (not beta) toward the
May 22 release, and we are very interested for you to
put it through your 'minefield'"

2017-05-05 notication from vendor:
"fixed installer for the SSD toolbox available from
<https://downloadcenter.intel.com/product/80096/Intel-SSD-Toolbox>
and
<https://downloadcenter.intel.com/product/80095/SSD-Software>"

2017-05-11 resent question from 2017-03-15 to vendor:
"Will all executable installers built with the
vulnerable IIF be fixed, or just the one I picked?"

2017-05-30 vendor publishes advisory INTEL-SA-00074
<https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00074&languageid=en-fr>
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close