[<prev] [next>] [day] [month] [year] [list]
Message-ID: <59044DA8B28E4DF0A15221655BD015ED@H270>
Date: Fri, 31 Jan 2020 00:19:53 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] Executable installers are vulnerable^WEVIL (case 58): Intel® Processor Identification Utility - Windows* Version - arbitrary code execution with escalation of privilege
Hi @ll,
Intel® Processor Identification Utility - Windows* Version,
version 6.0.0211 from 2019-02-11, available from
<https://downloadmirror.intel.com/28539/a08/Intel(R)%20Processor%20Identification%20Utility.exe>
via <https://downloadcenter.intel.com/download/28539>, and
earlier versions 6.0.* are vulnerable: in default installations
of all supported versions of Windows (really: Windows Vista and
later), they allows arbitrary code execution WITH escalation of
privilege via two INDEPENDENT attack vectors; additionally they
suffer from a denial of service.
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CVSS 3 Score: 8.2 (High)
Vulnerability #1:
=================
Arbitrary code execution with escalation of privilege
Reason:
~~~~~~~
Use of ShellExecute() to run a batch script, i.e. use of file
association .bat: ShellExecute() reads the registry key
HKEY_CLASSES_ROOT to determine
1. the file type associated with any given file extension
(here: .bat), and
2. the command line associated with the file type (here:
batfile).
HKEY_CLASSES_ROOT is a virtual registry key, built from the
overlay of HKEY_LOCAL_MACHINE\SOFTWARE\Classes with
HKEY_CURRENT_USER\Software\Classes, i.e. the latter taking
precedence over the former.
HKEY_CURRENT_USER is under full control of the unprivileged
user who can hijack both the association of batfile to .bat
and the command lines associated with the verbs registered
for batfile.
Fix:
~~~~
Don't use ShellExecute() when running elevated, use
CreateProcess("C:\\Windows\\System32\\cmd.exe", "cmd.exe /C Call path\\filename.bat", ...)
instead!
Demonstration/Proof of concept:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Log on with the user account created during Windows setup;
2. Download
<https://skanthak.homepage.t-online.de/download/SENTINEL.EXE>
and save it in an arbitrary directory;
3. Open a command prompt in the directory where you saved
SENTINEL.EXE and run the following command line:
REG.EXE ADD "HKEY_CURRENT_USER\Software\Classes\batfile\Shell\Open\Command" /VE /T REG_SZ /D "%CD%\SENTINEL.EXE" /F
4. Download
<https://downloadmirror.intel.com/28539/a08/Intel(R)%20Processor%20Identification%20Utility.exe>
and save it in an arbitrary directory;
5. Execute the just downloaded installation program
"Intel(R) Processor Identification Utility.exe"
and answer the prompts: upon completion, notice the
message box titled "Vulnerability and Exploit Detector",
displayed by SENTINEL.EXE running elevated!
Vulnerability #2:
=================
Arbitrary code execution with escalation of privilege
Reason:
~~~~~~~
UNSAFE %TEMP% directory used for 77+ files extracted from
both the executable installation program
"Intel(R) Processor Identification Utility.exe" and the
extracted MSI installer %TEMP%\AIE*.tmp, plus unqualified
filename ATTRIB used in the script %TEMP%\EXE*.tmp.bat
See <https://cwe.mitre.org/data/definitions/377.html>,
<https://cwe.mitre.org/data/definitions/378.html> and
<https://cwe.mitre.org/data/definitions/379.html>, plus
<https://cwe.mitre.org/data/definitions/426.html> and
<https://cwe.mitre.org/data/definitions/427.html>
1. In the user account created during Windows setup, any
process running unprivileged has FULL access to %TEMP%.
2. The command processor searches executables in the CWD
(which happens to be %TEMP% here) first.
Fix:
~~~~
1. Create all extracted and temporary files with proper
permissions, i.e. writable/accessible only for
administrators, or in a directory where only
administrators can write/modify!.
2. Use fully qualified pathnames: ATTRIB is always
"%SystemRoot%\System32\attrib.exe"
Mitigations:
~~~~~~~~~~~~
1. Set the environment variable
NoDefaultCurrentDirectoryInExePath
to an arbitrary value: this excludes . from the search
path of the command processor (see
<https://msdn.microsoft.com/en-us/library/ms684269.aspx>).
2. Add the NTFS access control entry (D;OIIO;WP;;;WD) meaning
"deny execution of files for everyone, inheritable to files
in all subdirectories" to all TEMP directories.
JFTR: every batch script or program which fails after applying
of one of these changes is VULNERABLE and needs to be
fixed ANYWAY!
Demonstration/Proof of concept:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Log on with the user account created during Windows setup;
2. Download
<https://skanthak.homepage.t-online.de/download/SENTINEL.EXE>
and save it as ATTRIB.COM or ATTRIB.EXE in your %TEMP%
directory;
3. Download
<https://downloadmirror.intel.com/28539/a08/Intel(R)%20Processor%20Identification%20Utility.exe>
and save it in an arbitrary directory;
4. Execute the just downloaded installation program
"Intel(R) Processor Identification Utility.exe"
and answer the prompts: upon completion, notice the
message boxes titled "Vulnerability and Exploit Detector",
displayed by %TEMP%\ATTRIB.COM or %TEMP%\ATTRIB.EXE
running elevated!
Alternate attack:
~~~~~~~~~~~~~~~~~
Any of the 77+ files extracted into %TEMP% can be modified by
the unprivileged user between creation and use, for example
with a simple batch script as shown below, which is started
any time before the executable installer:
--- intel.cmd ---
@echo off
:WAIT
if not exist "%TEMP%\AI_EXTUI_BIN_*" goto :WAIT
for /D %%? in ("%TEMP%\AI_EXTUI_BIN_*") do set FOOBAR=%%?
rem now replace for example "%FOOBAR%\viewer.exe" with
rem an arbitrary executable
--- EOF ---
As soon as one of these files is executed during installation,
the attacker gains administrative privileges.
Vulnerability #3:
=================
Denial of service
Reason: see vulnerability #1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fix: see vulnerability #1
~~~~~~~~~~~~~~~~~~~~~~~~~
Demonstration/Proof of concept:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Log on with the user account created during Windows setup;
2. Add the NTFS access control entry (D;OIIO;WP;;;WD) meaning
"deny execution of files for everyone, inheritable to files
in all subdirectories" to your %TEMP% directory;
3. Download
<https://downloadmirror.intel.com/28539/a08/Intel(R)%20Processor%20Identification%20Utility.exe>
and save it in an arbitrary directory;
4. Execute the just downloaded installation program
"Intel(R) Processor Identification Utility.exe":
notice the error messages displayed from Windows
Installer due to non-executable DLLs written in
the %TEMP% directory!
Timeline:
=========
2019-07-17 first vulnerability report sent to vendor
2019-07-18 Intel's PSIRT opens case #2208018370
2019-07-28 Intel's PSIRT confirms reported vulnerability
2019-08-01 second vulnerability report sent to vendor
stay tuned, and FAR away from executable installers!
Stefan Kanthak
PS: wrapping an MSI installer in an executable self-extractor
is COMPLETE nonsense!
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists