Message-ID: <778DC9E75C6E40CC90DC1031E0BA90B5@W340>
Date: Wed, 26 Sep 2018 20:31:29 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Executable installers are vulnerable^WEVIL (case 57):
	arbitrary code execution WITH escalation of privilege
	via Intel Extreme Tuning Utility

Hi @ll,

the executable installer of the Intel Extreme Tuning Utility,
version 6.4.1.23 (Latest), released 5/18/2018, available from
<https://downloadmirror.intel.com/24075/eng/XTU-Setup.exe> via
<https://downloadcenter.intel.com/download/24075/Intel-Extreme-Tuning-Utility-Intel-XTU->
is (SURPRISE!) vulnerable.

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H


Vulnerability #0:
=================

The executable installer XTU-Setup.exe comes with at least two
OUTDATED and UNSUPPORTED runtime components from Microsoft, one
of which has known and long fixed vulnerabilities!

Component #1:
~~~~~~~~~~~~~

Microsoft SQL Server Compact 3.5 SP2 ENU

This has been end-of-life since 4/10/2018; see
<https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft+SQL+Server+Compact+3.5>


Component #2:
~~~~~~~~~~~~~

Microsoft Visual C++ 2005 Runtime 8.0.50727.762

Visual C++ 2005 has been end-of-life since 4/12/2016, more than TWO
years ago; see
<https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft+Visual+C%2B%2B+2005>

The latest Visual C++ 2005 Runtime is version 8.0.50727.4940,
published 4/12/2011 and updated 6/14/2011, i.e. SEVEN+ years ago.
See <https://support.microsoft.com/en-us/help/2467175>
and <https://support.microsoft.com/en-us/help/2538242/ms11-025-description-of-the-security-update-for-visual-c-2005-sp1-redi>

Also see
<https://support.microsoft.com/en-us/help/2977003/the-latest-supported-visual-c-downloads>
<https://support.microsoft.com/en-us/help/2661358/minimum-service-pack-levels-for-microsoft-vc-redistributable-packages>

The icing on the cake: XTU-Setup.exe tries to install the OUTDATED
and VULNERABLE Microsoft Visual C++ 2005 Runtime 8.0.50727.762 even
if a newer version is already installed!

That's a pretty good example of AWFULLY BAD software engineering!


Vulnerability #1:
=================

The vcredist_x86.exe package included in XTU-Setup.exe and executed
by it was built with WiX toolset 3.6, which extracts its bootstrapper
application WIXSTDBA.DLL into a user-writable subdirectory of %TEMP%
and loads it from there; this was fixed in WiX v3.10.2.

See <http://seclists.org/bugtraq/2016/Jan/105>
and <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/>

I recommend exercising ENHANCED INTERROGATIONS with Microsoft about
their SLOPPY attitude to software security: the fixes were released
about 2.5 years ago, in cooperation with Microsoft, FireGiant and me,
but Microsoft failed or was too lazy to update their installer packages.


Demonstrations/proof of concepts:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

These are for STANDARD installations of Windows, i.e. where the
user account created during Windows setup is used.
This precondition is met on typical installations of Windows:
according to Microsoft's own security intelligence reports, about
1/2 to 3/4 of the about 600 million Windows installations which
send telemetry data have only ONE active user account.
See <https://www.microsoft.com/security/sir>


A) for the arbitrary code execution with elevation of privilege
---------------------------------------------------------------

1. follow the instructions from
   <https://skanthak.homepage.t-online.de/minesweeper.html>
   and build the non-forwarding DLLDUMMY.DLL in your %TEMP%
   directory;

2. create the following batch script:

   --- wixstdba.cmd ---
   :WIXSTDBA
   @if not exist "%temp%\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll" goto :WIXSTDBA
   copy "%TEMP%\dlldummy.dll" "%temp%\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll"
   --- EOF ---

3. run the batch script via double click;

4. run XTU-Setup.exe: notice the message boxes displayed from the
   WIXSTDBA.DLL copied into the subdirectory of %TEMP%.


B) for the denial of service
----------------------------

1. add the NTFS access control list entry (D;OIIO;WP;;;WD) meaning
   "deny execution of files in this directory for everyone,
   inheritable to all subdirectories" to the (user's) %TEMP%
   directory.

   NOTE: this does NOT need administrative privileges!

2. execute XTU-Setup.exe: notice the message box displaying the
   failure of the installation about 3/4 of the way through.
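For anyone auditing a directory's ACL for entries like the one in step 1 above, here is a small decoder for SDDL ACE strings; it is an added example, not part of this advisory, and the abbreviation tables are the standard ones from Windows' sddl.h. It goes slightly beyond the single ACE shown: it also accepts a literal hex access mask in the rights field and passes raw S-1-... SIDs through untouched.

```python
import re

# SDDL abbreviations as defined in Windows' sddl.h (standard values, not page data).
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "IO": "INHERIT_ONLY",
             "NP": "NO_PROPAGATE_INHERIT", "ID": "INHERITED",
             "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
# Right codes -> access-mask bits. Beware the clash: "WD" as a right is
# WRITE_DAC, while "WD" in the trustee field is the Everyone SID.
RIGHTS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
          "WO": 0x80000, "WD": 0x40000, "RC": 0x20000, "SD": 0x10000,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100,
          "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
# What the mask bits mean when the ACE sits on a file or directory.
FILE_BITS = {0x1: "FILE_READ_DATA/LIST_DIRECTORY", 0x2: "FILE_WRITE_DATA/ADD_FILE",
             0x4: "FILE_APPEND_DATA/ADD_SUBDIRECTORY", 0x8: "FILE_READ_EA",
             0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE/TRAVERSE",
             0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES",
             0x100: "FILE_WRITE_ATTRIBUTES", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
             0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
WELL_KNOWN_SIDS = {"WD": "S-1-1-0 (Everyone)", "BA": "S-1-5-32-544 (Administrators)",
                   "BU": "S-1-5-32-545 (Users)", "SY": "S-1-5-18 (Local System)"}

def _pairs(field):
    """Split a run of two-letter SDDL codes such as 'OIIO' into ['OI', 'IO']."""
    if len(field) % 2:
        raise ValueError(f"odd-length code field: {field!r}")
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def parse_ace(ace):
    """Decode one SDDL ACE '(type;flags;rights;objguid;inhguid;trustee)' into a dict."""
    m = re.fullmatch(r"\((.*)\)", ace.strip())
    if not m or m.group(1).count(";") != 5:
        raise ValueError(f"not a 6-field SDDL ACE: {ace!r}")
    ace_type, flags, rights, _obj_guid, _inh_guid, trustee = m.group(1).split(";")
    if rights.lower().startswith("0x"):   # rights may also be a literal hex mask
        mask = int(rights, 16)
    else:
        mask = 0
        for code in _pairs(rights):
            mask |= RIGHTS[code]          # KeyError flags an unknown right code
    return {"type": ACE_TYPES[ace_type],
            "flags": [ACE_FLAGS[f] for f in _pairs(flags)],
            "mask": mask,
            "file_rights": [name for bit, name in FILE_BITS.items() if mask & bit],
            "trustee": WELL_KNOWN_SIDS.get(trustee, trustee)}  # raw S-1-... passes through
```

Running parse_ace("(D;OIIO;WP;;;WD)") shows that the ACE denies only the FILE_EXECUTE/TRAVERSE bit (0x20) to Everyone and, being inherit-only with object inherit, applies to the files below the directory rather than to the directory itself.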


STAY FAR AWAY FROM INTEL'S VULNERABLE CRAPWARE!


stay tuned
Stefan Kanthak


Timeline
~~~~~~~~

2017-09-04    vulnerability report sent to Intel

              no answer, not even an acknowledgement of receipt

2018-03-22    vulnerability report resent to Intel

2018-05-18    updated installers published by Intel, but no security
              advisory

2018-06-05    vulnerability report for the updated but still vulnerable
              installers sent to Intel

2018-09-11    security advisory published by Intel:
              <https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00162.html>

2018-09-26    own security advisory published

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/