lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 31 Jan 2020 00:19:53 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: <bugtraq@...urityfocus.com>
Subject: Executable installers are vulnerable^WEVIL (case 58): Intel® Processor Identification Utility - Windows* Version - arbitrary code execution with escalation of privilege

Hi @ll,

Intel® Processor Identification Utility - Windows* Version,
version 6.0.0211 from 2019-02-11, available from
<https://downloadmirror.intel.com/28539/a08/Intel(R)%20Processor%20Identification%20Utility.exe>
via <https://downloadcenter.intel.com/download/28539>, and
earlier versions 6.0.* are vulnerable: in default installations
of all supported versions of Windows (really: Windows Vista and
later), they allows arbitrary code execution WITH escalation of
privilege via two INDEPENDENT attack vectors; additionally they
suffer from a denial of service.

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CVSS 3 Score: 8.2 (High)


Vulnerability #1:
=================

Arbitrary code execution with escalation of privilege

Reason:
~~~~~~~

Use of ShellExecute() to run a batch script, i.e. use of file
association .bat: ShellExecute() reads the registry key
HKEY_CLASSES_ROOT to determine
1. the file type associated with any given file extension
   (here: .bat), and
2. the command line associated with the file type (here:
   batfile).
HKEY_CLASSES_ROOT is a virtual registry key, built from the
overlay of HKEY_LOCAL_MACHINE\SOFTWARE\Classes with
HKEY_CURRENT_USER\Software\Classes, i.e. the latter taking
precedence over the former.
HKEY_CURRENT_USER is under full control of the unprivileged
user who can hijack both the association of batfile to .bat
and the command lines associated with the verbs registered
for batfile.

Fix:
~~~~

Don't use ShellExecute() when running elevated, use
CreateProcess("C:\\Windows\\System32\\cmd.exe", "cmd.exe /C Call path\\filename.bat", ...)
instead!

Demonstration/Proof of concept:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Log on with the user account created during Windows setup;

2. Download
   <https://skanthak.homepage.t-online.de/download/SENTINEL.EXE>
   and save it in an arbitrary directory;

3. Open a command prompt in the directory where you saved
   SENTINEL.EXE and run the following command line:
   REG.EXE ADD "HKEY_CURRENT_USER\Software\Classes\batfile\Shell\Open\Command" /VE /T REG_SZ /D "%CD%\SENTINEL.EXE" /F

4. Download
   <https://downloadmirror.intel.com/28539/a08/Intel(R)%20Processor%20Identification%20Utility.exe>
   and save it in an arbitrary directory;

5. Execute the just downloaded installation program
   "Intel(R) Processor Identification Utility.exe"
   and answer the prompts: upon completion, notice the
   message box titled "Vulnerability and Exploit Detector",
   displayed by SENTINEL.EXE running elevated!


Vulnerability #2:
=================

Arbitrary code execution with escalation of privilege

Reason:
~~~~~~~

UNSAFE %TEMP% directory used for 77+ files extracted from
both the executable installation program
"Intel(R) Processor Identification Utility.exe" and the
extracted MSI installer %TEMP%\AIE*.tmp, plus unqualified
filename ATTRIB used in the script %TEMP%\EXE*.tmp.bat

See <https://cwe.mitre.org/data/definitions/377.html>,
<https://cwe.mitre.org/data/definitions/378.html> and
<https://cwe.mitre.org/data/definitions/379.html>, plus
<https://cwe.mitre.org/data/definitions/426.html> and
<https://cwe.mitre.org/data/definitions/427.html>

1. In the user account created during Windows setup, any
   process running unprivileged has FULL access to %TEMP%.

2. The command processor searches executables in the CWD
   (which happens to be %TEMP% here) first.

Fix:
~~~~

1. Create all extracted and temporary files with proper
   permissions, i.e. writable/accessible only for
   administrators, or in a directory where only
   administrators can write/modify!.

2. Use fully qualified pathnames: ATTRIB is always
   "%SystemRoot%\System32\attrib.exe"

Mitigations:
~~~~~~~~~~~~

1. Set the environment variable
       NoDefaultCurrentDirectoryInExePath
   to an arbitrary value: this excludes . from the search
   path of the command processor (see
   <https://msdn.microsoft.com/en-us/library/ms684269.aspx>).

2. Add the NTFS access control entry (D;OIIO;WP;;;WD) meaning
   "deny execution of files for everyone, inheritable to files
   in all subdirectories" to all TEMP directories.

JFTR: every batch script or program which fails after applying
      of one of these changes is VULNERABLE and needs to be
      fixed ANYWAY!

Demonstration/Proof of concept:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Log on with the user account created during Windows setup;

2. Download
   <https://skanthak.homepage.t-online.de/download/SENTINEL.EXE>
   and save it as ATTRIB.COM or ATTRIB.EXE in your %TEMP%
   directory;

3. Download
   <https://downloadmirror.intel.com/28539/a08/Intel(R)%20Processor%20Identification%20Utility.exe>
   and save it in an arbitrary directory;

4. Execute the just downloaded installation program
   "Intel(R) Processor Identification Utility.exe"
   and answer the prompts: upon completion, notice the
   message boxes titled "Vulnerability and Exploit Detector",
   displayed by %TEMP%\ATTRIB.COM or %TEMP%\ATTRIB.EXE
   running elevated!

Alternate attack:
~~~~~~~~~~~~~~~~~

Any of the 77+ files extracted into %TEMP% can be modified by
the unprivileged user between creation and use, for example
with a simple batch script as shown below, which is started
any time before the executable installer:

--- intel.cmd ---
@echo off
:WAIT
if not exist "%TEMP%\AI_EXTUI_BIN_*" goto :WAIT
for /D %%? in ("%TEMP%\AI_EXTUI_BIN_*") do set FOOBAR=%%?
rem now replace for example "%FOOBAR%\viewer.exe" with
rem an arbitrary executable
--- EOF ---

As soon as one of these files is executed during installation,
the attacker gains administrative privileges.


Vulnerability #3:
=================

Denial of service

Reason: see vulnerability #1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fix: see vulnerability #1
~~~~~~~~~~~~~~~~~~~~~~~~~

Demonstration/Proof of concept:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Log on with the user account created during Windows setup;

2. Add the NTFS access control entry (D;OIIO;WP;;;WD) meaning
   "deny execution of files for everyone, inheritable to files
   in all subdirectories" to your %TEMP% directory;

3. Download
   <https://downloadmirror.intel.com/28539/a08/Intel(R)%20Processor%20Identification%20Utility.exe>
   and save it in an arbitrary directory;

4. Execute the just downloaded installation program
   "Intel(R) Processor Identification Utility.exe":
   notice the error messages displayed from Windows
   Installer due to non-executable DLLs written in
   the %TEMP% directory!


Timeline:
=========

2019-07-17    first vulnerability report sent to vendor

2019-07-18    Intel's PSIRT opens case #2208018370

2019-07-28    Intel's PSIRT confirms reported vulnerability

2019-08-01    second vulnerability report sent to vendor


stay tuned, and FAR away from executable installers!
Stefan Kanthak

PS: wrapping an MSI installer in an executable self-extractor
    is COMPLETE nonsense!

Powered by blists - more mailing lists