
Intel Processor Identification Utility 6.0.0211 Privilege Escalation

Posted Jan 31, 2020
Authored by Stefan Kanthak

Intel Processor Identification Utility version 6.0.0211 suffers from a local privilege escalation vulnerability.

tags | exploit, local
SHA-256 | 18b5a81e1da4cff60545121275526325503d467e4282f7ffac69136bae2a23cd

Hi @ll,

Intel® Processor Identification Utility - Windows* Version,
version 6.0.0211 from 2019-02-11, available from
<https://downloadmirror.intel.com/28539/a08/Intel(R)%20Processor%20Identification%20Utility.exe>
via <https://downloadcenter.intel.com/download/28539>, and
earlier versions 6.0.* are vulnerable: in default installations
of all supported versions of Windows (really: Windows Vista and
later), they allow arbitrary code execution WITH escalation of
privilege via two INDEPENDENT attack vectors; additionally they
suffer from a denial of service.

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CVSS 3 Score: 8.2 (High)


Vulnerability #1:
=================

Arbitrary code execution with escalation of privilege

Reason:
~~~~~~~

Use of ShellExecute() to run a batch script, i.e. use of file
association .bat: ShellExecute() reads the registry key
HKEY_CLASSES_ROOT to determine
1. the file type associated with any given file extension
(here: .bat), and
2. the command line associated with the file type (here:
batfile).
HKEY_CLASSES_ROOT is a virtual registry key, built from the
overlay of HKEY_LOCAL_MACHINE\SOFTWARE\Classes with
HKEY_CURRENT_USER\Software\Classes, with the latter taking
precedence over the former.
HKEY_CURRENT_USER is under full control of the unprivileged
user who can hijack both the association of batfile to .bat
and the command lines associated with the verbs registered
for batfile.

Fix:
~~~~

Don't use ShellExecute() when running elevated, use
CreateProcess("C:\\Windows\\System32\\cmd.exe", "cmd.exe /C Call path\\filename.bat", ...)
instead!
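The following audit script is an added example, not code from the advisory or from Intel: it shows the HKCR overlay described above by reading the machine-wide, per-user and effective values of the two subkeys that ShellExecute() resolves for a .bat file. Run it as the (unprivileged) user who will launch the installer, since HKCU is per user; the function name is hypothetical, and PowerShell 5.1 or later on Windows is assumed.

```powershell
# Added example (not from the advisory): audit whether the per-user overlay of
# HKEY_CLASSES_ROOT shadows the machine-wide .bat association that
# ShellExecute() resolves. Function name is hypothetical.
function Get-BatchAssociationAudit {
    # Subkeys that decide (1) which file type ".bat" maps to and (2) which
    # command line runs for that type. HKCR overlays HKCU over HKLM.
    $subKeys = @('.bat', 'batfile\Shell\Open\Command')
    foreach ($sub in $subKeys) {
        $machine = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$sub" `
                    -ErrorAction SilentlyContinue).'(default)'
        $user    = (Get-ItemProperty -Path "HKCU:\Software\Classes\$sub" `
                    -ErrorAction SilentlyContinue).'(default)'
        # The merged view, i.e. what ShellExecute() actually sees.
        $effective = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$sub" `
                      -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            SubKey     = $sub
            Machine    = $machine
            User       = $user
            Effective  = $effective
            # Any per-user value wins the overlay, and an unprivileged user
            # can write it without elevation.
            Overridden = ($null -ne $user) -and ($user -ne $machine)
        }
    }
}

# Stock values are ".bat" -> batfile and batfile open command -> "%1" %*.
# Anything listed here is a per-user override worth investigating before an
# elevated installer that uses ShellExecute() is run from this account.
Get-BatchAssociationAudit | Where-Object { $_.Overridden } | Format-List
```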

Demonstration/Proof of concept:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Log on with the user account created during Windows setup;

2. Download
<https://skanthak.homepage.t-online.de/download/SENTINEL.EXE>
and save it in an arbitrary directory;

3. Open a command prompt in the directory where you saved
SENTINEL.EXE and run the following command line:
REG.EXE ADD "HKEY_CURRENT_USER\Software\Classes\batfile\Shell\Open\Command" /VE /T REG_SZ /D "%CD%\SENTINEL.EXE" /F

4. Download
<https://downloadmirror.intel.com/28539/a08/Intel(R)%20Processor%20Identification%20Utility.exe>
and save it in an arbitrary directory;

5. Execute the just downloaded installation program
"Intel(R) Processor Identification Utility.exe"
and answer the prompts: upon completion, notice the
message box titled "Vulnerability and Exploit Detector",
displayed by SENTINEL.EXE running elevated!


Vulnerability #2:
=================

Arbitrary code execution with escalation of privilege

Reason:
~~~~~~~

UNSAFE %TEMP% directory used for the 77+ files extracted from
both the executable installation program
"Intel(R) Processor Identification Utility.exe" and the
extracted MSI installer %TEMP%\AIE*.tmp, plus the unqualified
filename ATTRIB used in the script %TEMP%\EXE*.tmp.bat.

See <https://cwe.mitre.org/data/definitions/377.html>,
<https://cwe.mitre.org/data/definitions/378.html> and
<https://cwe.mitre.org/data/definitions/379.html>, plus
<https://cwe.mitre.org/data/definitions/426.html> and
<https://cwe.mitre.org/data/definitions/427.html>

1. In the user account created during Windows setup, any
process running unprivileged has FULL access to %TEMP%.

2. The command processor searches executables in the CWD
(which happens to be %TEMP% here) first.

Fix:
~~~~

1. Create all extracted and temporary files with proper
permissions, i.e. writable/accessible only for
administrators, or in a directory where only
administrators can write/modify!

2. Use fully qualified pathnames: ATTRIB is always
"%SystemRoot%\System32\attrib.exe"

Mitigations:
~~~~~~~~~~~~

1. Set the environment variable
NoDefaultCurrentDirectoryInExePath
to an arbitrary value: this excludes . from the search
path of the command processor (see
<https://msdn.microsoft.com/en-us/library/ms684269.aspx>).

2. Add the NTFS access control entry (D;OIIO;WP;;;WD) meaning
"deny execution of files for everyone, inheritable to files
in all subdirectories" to all TEMP directories.

JFTR: every batch script or program which fails after applying
one of these changes is VULNERABLE and needs to be
fixed ANYWAY!
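Both mitigations listed above can be applied and verified with the script below. It is an added example, not part of the advisory: the deny ACE it adds is the advisory's (D;OIIO;WP;;;WD), expressed through the .NET FileSystemAccessRule class (ExecuteFile is FILE_EXECUTE, the WP right in SDDL; ObjectInherit plus InheritOnly corresponds to OIIO). The function names are hypothetical; PowerShell 5.1 or later on Windows is assumed.

```powershell
# Added example (not from the advisory). Function names are hypothetical.
function Set-ExecutableInstallerMitigations {
    param([string]$TempPath = $env:TEMP)

    # Mitigation 1: exclude "." from cmd.exe's executable search path for
    # this user; any non-empty value of the variable is sufficient.
    [Environment]::SetEnvironmentVariable('NoDefaultCurrentDirectoryInExePath', '1', 'User')

    # Mitigation 2: the ACE (D;OIIO;WP;;;WD): deny FILE_EXECUTE to Everyone
    # (S-1-1-0), object-inherit and inherit-only, so it applies to files
    # below the directory (and files in subdirectories), not to the
    # directory itself.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $everyone,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl = Get-Acl -Path $TempPath
    $acl.AddAccessRule($rule)
    Set-Acl -Path $TempPath -AclObject $acl
}

function Test-ExecutableInstallerMitigations {
    param([string]$TempPath = $env:TEMP)

    $envSet = [bool][Environment]::GetEnvironmentVariable(
        'NoDefaultCurrentDirectoryInExePath', 'User')

    # Look for a Deny ACE on Everyone that covers the execute right.
    $aceSet = $false
    foreach ($ace in (Get-Acl -Path $TempPath).Access) {
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        if ($ace.AccessControlType -eq 'Deny' -and $sid -eq 'S-1-1-0' -and
            ($ace.FileSystemRights -band
             [System.Security.AccessControl.FileSystemRights]::ExecuteFile)) {
            $aceSet = $true
        }
    }
    [pscustomobject]@{
        NoDefaultCurrentDirectoryInExePath = $envSet
        DenyExecuteAceOnTemp               = $aceSet
    }
}

Set-ExecutableInstallerMitigations
Test-ExecutableInstallerMitigations
```

The environment variable takes effect for newly started cmd.exe instances only; open command prompts keep their old behaviour until restarted.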

Demonstration/Proof of concept:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Log on with the user account created during Windows setup;

2. Download
<https://skanthak.homepage.t-online.de/download/SENTINEL.EXE>
and save it as ATTRIB.COM or ATTRIB.EXE in your %TEMP%
directory;

3. Download
<https://downloadmirror.intel.com/28539/a08/Intel(R)%20Processor%20Identification%20Utility.exe>
and save it in an arbitrary directory;

4. Execute the just downloaded installation program
"Intel(R) Processor Identification Utility.exe"
and answer the prompts: upon completion, notice the
message boxes titled "Vulnerability and Exploit Detector",
displayed by %TEMP%\ATTRIB.COM or %TEMP%\ATTRIB.EXE
running elevated!

Alternate attack:
~~~~~~~~~~~~~~~~~

Any of the 77+ files extracted into %TEMP% can be modified by
the unprivileged user between creation and use, for example
with a simple batch script as shown below, which is started
any time before the executable installer:

--- intel.cmd ---
@echo off
:WAIT
if not exist "%TEMP%\AI_EXTUI_BIN_*" goto :WAIT
for /D %%? in ("%TEMP%\AI_EXTUI_BIN_*") do set FOOBAR=%%?
rem now replace for example "%FOOBAR%\viewer.exe" with
rem an arbitrary executable
--- EOF ---

As soon as one of these files is executed during installation,
the attacker gains administrative privileges.


Vulnerability #3:
=================

Denial of service

Reason: see vulnerability #1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fix: see vulnerability #1
~~~~~~~~~~~~~~~~~~~~~~~~~

Demonstration/Proof of concept:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Log on with the user account created during Windows setup;

2. Add the NTFS access control entry (D;OIIO;WP;;;WD) meaning
"deny execution of files for everyone, inheritable to files
in all subdirectories" to your %TEMP% directory;

3. Download
<https://downloadmirror.intel.com/28539/a08/Intel(R)%20Processor%20Identification%20Utility.exe>
and save it in an arbitrary directory;

4. Execute the just downloaded installation program
"Intel(R) Processor Identification Utility.exe":
notice the error messages displayed from Windows
Installer due to non-executable DLLs written in
the %TEMP% directory!


Timeline:
=========

2019-07-17 first vulnerability report sent to vendor

2019-07-18 Intel's PSIRT opens case #2208018370

2019-07-28 Intel's PSIRT confirms reported vulnerability

2019-08-01 second vulnerability report sent to vendor


stay tuned, and FAR away from executable installers!
Stefan Kanthak

PS: wrapping an MSI installer in an executable self-extractor
is COMPLETE nonsense!
© 2022 Packet Storm. All rights reserved.