Intel Extreme Tuning Utility 6.4.1.23 Code Execution / Privilege Escalation

2018.09.29
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

Hi @ll,

the executable installer of the Intel Extreme Tuning Utility, version 6.4.1.23
(Latest), released 5/18/2018, available from
<https://downloadmirror.intel.com/24075/eng/XTU-Setup.exe> via
<https://downloadcenter.intel.com/download/24075/Intel-Extreme-Tuning-Utility-Intel-XTU->
is (SURPRISE!) vulnerable.

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Vulnerability #0:
=================

The executable installer XTU-Setup.exe comes with at least two OUTDATED and
UNSUPPORTED runtime components from Microsoft, one of which has known and
long fixed vulnerabilities!

Component #1:
~~~~~~~~~~~~~

Microsoft SQL Server Compact 3.5 SP2 ENU

This is end-of-life since 4/10/2018; see
<https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft+SQL+Server+Compact+3.5>

Component #2:
~~~~~~~~~~~~~

Microsoft Visual C++ 2005 Runtime 8.0.50727.762

Visual C++ 2005 is end-of-life since 4/12/2016, more than TWO years ago; see
<https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft+Visual+C%2B%2B+2005>

The latest Visual C++ 2005 Runtime is version 8.0.50727.4940, published
4/12/2011, updated 6/14/2011, i.e. SEVEN+ years ago. See
<https://support.microsoft.com/en-us/help/2467175> and
<https://support.microsoft.com/en-us/help/2538242/ms11-025-description-of-the-security-update-for-visual-c-2005-sp1-redi>

Also see
<https://support.microsoft.com/en-us/help/2977003/the-latest-supported-visual-c-downloads>
<https://support.microsoft.com/en-us/help/2661358/minimum-service-pack-levels-for-microsoft-vc-redistributable-packages>

The icing on the cake: XTU-Setup.exe tries to install the OUTDATED and
VULNERABLE Microsoft Visual C++ 2005 Runtime 8.0.50727.762 even if a newer
version is already installed!

That's a pretty good example of AWFULLY BAD software engineering!
Vulnerability #1:
=================

The vcredist_x86.exe package included in XTU-Setup.exe and executed by it
was built with WiX toolset 3.6. See <http://seclists.org/bugtraq/2016/Jan/105>
and <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/>

I recommend exercising ENHANCED INTERROGATIONS with Microsoft about their
SLOPPY attitude to software security: the fixes were released about 2.5
years ago, in cooperation with Microsoft, FireGiant and me, but Microsoft
failed or was too lazy to update their installer packages.

Demonstrations/proof of concepts:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

These are for STANDARD installations of Windows, i.e. where the user account
created during Windows setup is used. This precondition is met on typical
installations of Windows: according to Microsoft's own security intelligence
reports, about 1/2 to 3/4 of the about 600 million Windows installations
which send telemetry data have only ONE active user account. See
<https://www.microsoft.com/security/sir>

A) for the arbitrary code execution with elevation of privilege
---------------------------------------------------------------

1. follow the instructions from
   <https://skanthak.homepage.t-online.de/minesweeper.html> and build the
   non-forwarding DLLDUMMY.DLL in your %TEMP% directory;

2. create the following batch script:

   --- wixstdba.cmd ---
   :WIXSTDBA
   @if not exist "%temp%\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll" goto :WIXSTDBA
   copy "%TEMP%\dlldummy.dll" "%temp%\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll"
   --- EOF ---

3. run the batch script per double click;

4. run XTU-Setup.exe: notice the message boxes displayed from the
   WIXSTDBA.DLL copied into the subdirectory of %TEMP%.

B) for the denial of service
----------------------------

1. add the NTFS access control list entry (D;OIIO;WP;;;WD) meaning "deny
   execution of files in this directory for everyone, inheritable to all
   subdirectories" to the (user's) %TEMP% directory.
   NOTE: this does NOT need administrative privileges!

2. execute XTU-Setup.exe: notice the message box displaying the failure of
   the installation about 3/4 of the way through.

STAY FAR AWAY FROM INTEL'S VULNERABLE CRAPWARE!

stay tuned
Stefan Kanthak

Timeline
~~~~~~~~

2017-09-04    vulnerability report sent to Intel
              no answer, not even an acknowledgement of receipt
2018-03-22    vulnerability report resent to Intel
2018-05-18    updated installers published by Intel, but no security advisory
2018-06-05    vulnerability report for the updated but still vulnerable
              installers sent to Intel
2018-09-11    security advisory published by Intel:
              <https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00162.html>
2018-09-26    own security advisory published
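The ACE string (D;OIIO;WP;;;WD) used in demonstration B is plain SDDL, the same notation an administrator gets back from `icacls /save` or from Get-Acl's `.Sddl` property when auditing a directory. The parser below is an added example, not part of the advisory and not Intel's or Microsoft's code. It decodes the six-field SDDL ACE grammar (type;flags;rights;object GUID;inherit GUID;SID) for a subset of the documented two-letter aliases, interprets the rights mask with file-system semantics (so "WP", the DS alias for bit 0x20, reads as FILE_EXECUTE/FILE_TRAVERSE on a file or directory), and provides an audit helper that reports whether a DACL carries a deny-execute ACE for Everyone that reaches child files, i.e. the condition that makes a WiX-based installer fail in %TEMP% as the advisory describes. The alias tables are deliberately partial; anything outside them raises rather than being guessed, and the sample DACL in the usage block is constructed.

```python
"""Decode SDDL ACE strings such as (D;OIIO;WP;;;WD) with file-system semantics.
Added example, not part of the advisory. Alias tables cover a documented
subset only; unknown aliases raise instead of being guessed."""
import re
from dataclasses import dataclass, field
from typing import List

ACE_TYPES = {"A": "access allowed", "D": "access denied",
             "AU": "system audit", "AL": "system alarm"}
ACE_FLAGS = {"CI": "container inherit", "OI": "object inherit",
             "NP": "no propagate inherit", "IO": "inherit only",
             "ID": "inherited", "SA": "successful access audit",
             "FA": "failed access audit"}
# Rights aliases -> access mask. Note "WD" here is WRITE_DAC; in the SID
# field the same two letters mean Everyone (separate table below).
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# Meaning of each mask bit on a file or directory object (insertion order
# is the order decode_file_rights() reports them in).
FILE_BITS = {
    0x1: "FILE_READ_DATA/FILE_LIST_DIRECTORY", 0x2: "FILE_WRITE_DATA/FILE_ADD_FILE",
    0x4: "FILE_APPEND_DATA/FILE_ADD_SUBDIRECTORY", 0x8: "FILE_READ_EA",
    0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE/FILE_TRAVERSE",
    0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES",
    0x100: "FILE_WRITE_ATTRIBUTES", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
    0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
}
KNOWN_FILE_MASK = sum(FILE_BITS)  # keys are distinct bits, so sum == OR
SID_ALIASES = {"WD": ("S-1-1-0", "Everyone"), "AU": ("S-1-5-11", "Authenticated Users"),
               "SY": ("S-1-5-18", "Local System"), "BA": ("S-1-5-32-544", "Administrators"),
               "BU": ("S-1-5-32-545", "Users"), "CO": ("S-1-3-0", "Creator Owner")}
EVERYONE = "S-1-1-0"
FILE_EXECUTE = 0x20
ACE_RE = re.compile(r"\([^()]*\)")


@dataclass
class Ace:
    ace_type: str
    flags: List[str]
    mask: int
    sid: str
    sid_name: str
    rights: List[str] = field(default_factory=list)

    @property
    def applies_to_container(self) -> bool:
        return "IO" not in self.flags  # inherit-only ACEs skip the object itself

    @property
    def inherits_to_files(self) -> bool:
        return "OI" in self.flags


def _split_pairs(token: str) -> List[str]:
    if len(token) % 2:
        raise ValueError(f"odd-length alias list: {token!r}")
    return [token[i:i + 2] for i in range(0, len(token), 2)]


def decode_file_rights(mask: int) -> List[str]:
    names = [name for bit, name in FILE_BITS.items() if mask & bit]
    leftover = mask & ~KNOWN_FILE_MASK
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:x})")
    return names


def parse_rights(token: str) -> int:
    if token.lower().startswith("0x"):  # SDDL also allows a literal hex mask
        return int(token, 16)
    mask = 0
    for alias in _split_pairs(token):
        if alias not in RIGHTS:
            raise ValueError(f"unknown rights alias {alias!r}")
        mask |= RIGHTS[alias]
    return mask


def parse_ace(text: str) -> Ace:
    body = text.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError(f"ACE must be parenthesised: {text!r}")
    fields = body[1:-1].split(";")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {text!r}")
    ace_type, flag_tok, rights_tok, _obj_guid, _inh_guid, sid_tok = fields
    if ace_type not in ACE_TYPES:
        raise ValueError(f"unsupported ACE type {ace_type!r}")
    flags = _split_pairs(flag_tok)
    unknown = [f for f in flags if f not in ACE_FLAGS]
    if unknown:
        raise ValueError(f"unknown ACE flags {unknown}")
    mask = parse_rights(rights_tok)
    if sid_tok in SID_ALIASES:
        sid, sid_name = SID_ALIASES[sid_tok]
    elif sid_tok.startswith("S-1-"):
        sid, sid_name = sid_tok, "(literal SID)"
    else:
        raise ValueError(f"unknown SID alias {sid_tok!r}")
    return Ace(ace_type, flags, mask, sid, sid_name, decode_file_rights(mask))


def parse_aces(sddl: str) -> List[Ace]:
    """All ACEs in an SDDL string; 'D:' and control letters like P/AI are skipped."""
    return [parse_ace(m) for m in ACE_RE.findall(sddl)]


def describe(ace: Ace) -> str:
    scope = (["this object"] if ace.applies_to_container else []) \
        + (["child files"] if "OI" in ace.flags else []) \
        + (["child directories"] if "CI" in ace.flags else [])
    tail = "; inheritable down the tree" if ("OI" in ace.flags or "CI" in ace.flags) \
        and "NP" not in ace.flags else ""
    return (f"{ACE_TYPES[ace.ace_type]} for {ace.sid_name} ({ace.sid}): "
            f"{', '.join(ace.rights)} on {' and '.join(scope) or 'nothing'}{tail}")


def denies_execute_for_everyone(sddl: str) -> bool:
    """Audit helper: does the DACL deny FILE_EXECUTE to Everyone on child files?"""
    return any(a.ace_type == "D" and a.sid == EVERYONE
               and a.mask & FILE_EXECUTE and a.inherits_to_files
               for a in parse_aces(sddl))


if __name__ == "__main__":
    print(describe(parse_ace("(D;OIIO;WP;;;WD)")))  # the advisory's ACE
    # Constructed sample DACL of a user's %TEMP% before and after adding it.
    before = "D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;FA;;;S-1-5-21-1-2-3-1001)"
    print("execute denied before:", denies_execute_for_everyone(before))
    print("execute denied after: ", denies_execute_for_everyone(before + "(D;OIIO;WP;;;WD)"))
```

Run against the output of `icacls "%TEMP%" /save` or `(Get-Acl $env:TEMP).Sddl`, `denies_execute_for_everyone()` tells you in advance whether a WiX bootstrapper that extracts its bundle into %TEMP% will fail on that machine; `describe()` spells out why the flags OI and IO make the ACE reach files in every subdirectory while leaving the directory object itself untouched.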


Copyright 2024, cxsecurity.com