Hi @ll,  
  
Intel® Processor Identification Utility - Windows* Version,  
version 6.0.0211 from 2019-02-11, available from  
<https://downloadmirror.intel.com/28539/a08/Intel(R)%20Processor%20Identification%20Utility.exe>  
via <https://downloadcenter.intel.com/download/28539>, and  
earlier versions 6.0.* are vulnerable: in default installations  
of all supported versions of Windows (really: Windows Vista and  
later), they allow arbitrary code execution WITH escalation of  
privilege via two INDEPENDENT attack vectors; additionally they  
suffer from a denial of service.  
  
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H  
CVSS 3 Score: 8.2 (High)  
  
  
Vulnerability #1:  
=================  
  
Arbitrary code execution with escalation of privilege  
  
Reason:  
~~~~~~~  
  
Use of ShellExecute() to run a batch script, i.e. use of the file  
association for .bat: ShellExecute() reads the registry key  
HKEY_CLASSES_ROOT to determine  
1. the file type associated with any given file extension  
   (here: .bat), and  
2. the command line associated with the file type (here:  
   batfile).  
HKEY_CLASSES_ROOT is a virtual registry key, built from the  
overlay of HKEY_LOCAL_MACHINE\SOFTWARE\Classes with  
HKEY_CURRENT_USER\Software\Classes, with the latter taking  
precedence over the former.  
HKEY_CURRENT_USER is under full control of the unprivileged  
user, who can therefore hijack both the association of batfile  
with .bat and the command lines associated with the verbs  
registered for batfile.  
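To audit this resolution on a given machine, here is an added PowerShell example (not part of the advisory and not Intel's code) that walks the two hives exactly as described above: extension to ProgID, then ProgID to the command line of the "open" verb, consulting the per-user hive first each time. It reports whether any part of the result comes from HKEY_CURRENT_USER, which is what an elevated ShellExecute() will honour. The extension list and the output property names are my choices; a per-user override is not necessarily malicious (a user-installed editor registers itself the same way), so the report is a finding to review, not a verdict.

```powershell
function Resolve-ShellOpenCommand {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Extension)   # e.g. '.bat'

    $machineRoot = 'HKLM:\SOFTWARE\Classes'
    $userRoot    = 'HKCU:\Software\Classes'

    # (default) value of a registry key, or $null when the key does not exist.
    function Get-DefaultValue([string]$KeyPath) {
        if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
        return (Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue).'(default)'
    }

    # Step 1: extension -> ProgID. The per-user hive shadows the machine hive,
    # which is how HKEY_CLASSES_ROOT is composed.
    $userProgId    = Get-DefaultValue "$userRoot\$Extension"
    $machineProgId = Get-DefaultValue "$machineRoot\$Extension"
    $progId        = if ($userProgId) { $userProgId } else { $machineProgId }

    # Step 2: ProgID -> command line of the "open" verb, per-user hive first again.
    $userCommand    = $null
    $machineCommand = $null
    if ($progId) {
        $userCommand    = Get-DefaultValue "$userRoot\$progId\shell\open\command"
        $machineCommand = Get-DefaultValue "$machineRoot\$progId\shell\open\command"
    }
    $command = if ($userCommand) { $userCommand } else { $machineCommand }

    [pscustomobject]@{
        Extension       = $Extension
        ProgId          = $progId
        ProgIdFromUser  = [bool]$userProgId      # .bat -> ProgID mapping overridden per user
        Command         = $command
        CommandFromUser = [bool]$userCommand     # verb command line overridden per user
        UserOverride    = [bool]($userProgId -or $userCommand)
    }
}

# Extensions an elevated ShellExecute() is most likely to resolve this way
# (list chosen for this example).
'.bat', '.cmd', '.exe', '.com', '.msi' |
    ForEach-Object { Resolve-ShellOpenCommand -Extension $_ } |
    Format-Table -AutoSize
```

Run it unelevated in the account you want to check: the elevated process started by the installer uses the same user's HKEY_CURRENT_USER, so what this reports is what the elevated ShellExecute() would execute. Any row with UserOverride = True deserves a look at the Command column.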
  
Fix:  
~~~~  
  
Don't use ShellExecute() when running elevated, use  
CreateProcess("C:\\Windows\\System32\\cmd.exe", "cmd.exe /C Call path\\filename.bat", ...)  
instead!  
  
Demonstration/Proof of concept:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1. Log on with the user account created during Windows setup;  
  
2. Download  
<https://skanthak.homepage.t-online.de/download/SENTINEL.EXE>  
and save it in an arbitrary directory;  
  
3. Open a command prompt in the directory where you saved  
SENTINEL.EXE and run the following command line:  
REG.EXE ADD "HKEY_CURRENT_USER\Software\Classes\batfile\Shell\Open\Command" /VE /T REG_SZ /D "%CD%\SENTINEL.EXE" /F  
  
4. Download  
<https://downloadmirror.intel.com/28539/a08/Intel(R)%20Processor%20Identification%20Utility.exe>  
and save it in an arbitrary directory;  
  
5. Execute the just downloaded installation program  
"Intel(R) Processor Identification Utility.exe"  
and answer the prompts: upon completion, notice the  
message box titled "Vulnerability and Exploit Detector",  
displayed by SENTINEL.EXE running elevated!  
  
  
Vulnerability #2:  
=================  
  
Arbitrary code execution with escalation of privilege  
  
Reason:  
~~~~~~~  
  
UNSAFE %TEMP% directory used for 77+ files extracted from  
both the executable installation program  
"Intel(R) Processor Identification Utility.exe" and the  
extracted MSI installer %TEMP%\AIE*.tmp, plus unqualified  
filename ATTRIB used in the script %TEMP%\EXE*.tmp.bat  
  
See <https://cwe.mitre.org/data/definitions/377.html>,  
<https://cwe.mitre.org/data/definitions/378.html> and  
<https://cwe.mitre.org/data/definitions/379.html>, plus  
<https://cwe.mitre.org/data/definitions/426.html> and  
<https://cwe.mitre.org/data/definitions/427.html>  
  
1. In the user account created during Windows setup, any  
process running unprivileged has FULL access to %TEMP%.  
  
2. The command processor searches executables in the CWD  
(which happens to be %TEMP% here) first.  
  
Fix:  
~~~~  
  
1. Create all extracted and temporary files with proper  
permissions, i.e. writable/accessible only for  
administrators, or in a directory where only  
administrators can write/modify!  
  
2. Use fully qualified pathnames: ATTRIB is always  
"%SystemRoot%\System32\attrib.exe"  
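How an installer could implement both fixes, as an added PowerShell stand-in (not Intel's code, and not part of the advisory): the working directory is created together with its security descriptor, so it never exists with the user-writable permissions it would otherwise inherit from its parent, and the external program is invoked by fully qualified pathname instead of the bare name ATTRIB. The location under %ProgramData% and the sample file name are assumptions; the CreateDirectory(path, DirectorySecurity) overload is the .NET Framework one available in Windows PowerShell 5.1 (PowerShell 7 exposes the same operation as [System.IO.FileSystemAclExtensions]::CreateDirectory($security, $path)). Run it elevated, as an installer would.

```powershell
function New-AdminOnlyDirectory {
    param([Parameter(Mandatory)][string]$Path)

    $security = [System.Security.AccessControl.DirectorySecurity]::new()
    # Protected DACL: stop inheriting the parent's ACEs and do not copy them,
    # so the unprivileged owner of the parent gets nothing here.
    $security.SetAccessRuleProtection($true, $false)

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    # Well-known SIDs: BUILTIN\Administrators and LocalSystem only.
    foreach ($sidString in 'S-1-5-32-544', 'S-1-5-18') {
        $sid  = [System.Security.Principal.SecurityIdentifier]::new($sidString)
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $sid,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            $inherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $security.AddAccessRule($rule)
    }

    # Create the directory WITH this descriptor: there is no window in which it
    # exists with the parent's permissions (Windows PowerShell 5.1 / .NET Framework).
    [System.IO.Directory]::CreateDirectory($Path, $security) | Out-Null
    return $Path
}

# Fix 1: extracted files go into a directory only administrators can write to
# (location under %ProgramData% is an assumption of this example).
$work = New-AdminOnlyDirectory -Path (Join-Path $env:ProgramData ('Setup-' + [guid]::NewGuid().ToString('N')))

# Fix 2: fully qualified pathname for every external program, here ATTRIB.
$attrib = Join-Path $env:SystemRoot 'System32\attrib.exe'
$sample = Join-Path $work 'extracted.dat'          # constructed sample file
Set-Content -LiteralPath $sample -Value 'constructed sample content'
& $attrib +R $sample     # never a bare "attrib": cmd.exe would resolve that via the CWD
& $attrib $sample        # shows the attributes of the file just made read-only

# Show the resulting DACL; only the two allow ACEs added above should be present.
(Get-Acl -LiteralPath $work).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The same principle applies to the batch script in vulnerability #1: the command processor, too, is referenced as "$env:SystemRoot\System32\cmd.exe" rather than left to file-association or PATH lookup.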
  
Mitigations:  
~~~~~~~~~~~~  
  
1. Set the environment variable  
NoDefaultCurrentDirectoryInExePath  
to an arbitrary value: this excludes the current directory (.)  
from the search path of the command processor (see  
<https://msdn.microsoft.com/en-us/library/ms684269.aspx>).  
  
2. Add the NTFS access control entry (D;OIIO;WP;;;WD) meaning  
"deny execution of files for everyone, inheritable to files  
in all subdirectories" to all TEMP directories.  
  
JFTR: every batch script or program which fails after applying  
one of these changes is VULNERABLE and needs to be  
fixed ANYWAY!  
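Both mitigations applied from an unelevated PowerShell session of the user to protect, as an added example that is not part of the advisory. The deny ACE is built from FileSystemAccessRule arguments that correspond field by field to the SDDL (D;OIIO;WP;;;WD): Deny, ObjectInherit, InheritOnly, ExecuteFile (0x20, which SDDL prints as WP on file objects), Everyone (S-1-1-0). The Test- function is my own plain string match on the resulting SDDL; the value '1' for the environment variable is arbitrary, as the advisory says.

```powershell
# Mitigation 1: drop "." from cmd.exe's executable search path, for this
# process right away and persistently for new processes of this user.
function Set-NoDefaultCurrentDirectoryInExePath {
    $env:NoDefaultCurrentDirectoryInExePath = '1'
    [Environment]::SetEnvironmentVariable('NoDefaultCurrentDirectoryInExePath', '1', 'User')
}

# Mitigation 2: deny execution of files below a directory for Everyone,
# i.e. the FileSystemAccessRule form of the SDDL ACE (D;OIIO;WP;;;WD).
function Add-DenyExecuteAce {
    param([Parameter(Mandatory)][string]$Directory)

    $everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')   # WD
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $everyone,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,     # WP (0x20)
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,   # OI: applies to files
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,     # IO: not to the dir itself
        [System.Security.AccessControl.AccessControlType]::Deny)           # D
    $acl = Get-Acl -LiteralPath $Directory
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Directory -AclObject $acl
}

# Verification: the ACE must show up verbatim in the directory's SDDL.
function Test-DenyExecuteAce {
    param([Parameter(Mandatory)][string]$Directory)
    return ((Get-Acl -LiteralPath $Directory).Sddl -like '*(D;OIIO;WP;;;WD)*')
}

Set-NoDefaultCurrentDirectoryInExePath
Add-DenyExecuteAce -Directory $env:TEMP
"Deny-execute ACE present on ${env:TEMP}: $(Test-DenyExecuteAce -Directory $env:TEMP)"
```

The user owns %TEMP%, so no elevation is needed to change its DACL. Because the ACE is inherit-only, the directory itself stays traversable; only files created below it (including in subdirectories, which inherit the ACE) lose the execute right. With both mitigations in place, the second proof of concept fails at the point where the installer's script runs the unqualified ATTRIB, which is exactly the behaviour the JFTR above predicts.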
  
Demonstration/Proof of concept:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1. Log on with the user account created during Windows setup;  
  
2. Download  
<https://skanthak.homepage.t-online.de/download/SENTINEL.EXE>  
and save it as ATTRIB.COM or ATTRIB.EXE in your %TEMP%  
directory;  
  
3. Download  
<https://downloadmirror.intel.com/28539/a08/Intel(R)%20Processor%20Identification%20Utility.exe>  
and save it in an arbitrary directory;  
  
4. Execute the just downloaded installation program  
"Intel(R) Processor Identification Utility.exe"  
and answer the prompts: upon completion, notice the  
message boxes titled "Vulnerability and Exploit Detector",  
displayed by %TEMP%\ATTRIB.COM or %TEMP%\ATTRIB.EXE  
running elevated!  
  
Alternate attack:  
~~~~~~~~~~~~~~~~~  
  
Any of the 77+ files extracted into %TEMP% can be modified by  
the unprivileged user between creation and use, for example  
with a simple batch script as shown below, which is started  
any time before the executable installer:  
  
--- intel.cmd ---  
@echo off  
:WAIT  
if not exist "%TEMP%\AI_EXTUI_BIN_*" goto :WAIT  
for /D %%? in ("%TEMP%\AI_EXTUI_BIN_*") do set FOOBAR=%%?  
rem now replace for example "%FOOBAR%\viewer.exe" with  
rem an arbitrary executable  
--- EOF ---  
  
As soon as one of these files is executed during installation,  
the attacker gains administrative privileges.  
  
  
Vulnerability #3:  
=================  
  
Denial of service  
  
Reason: see vulnerability #1  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Fix: see vulnerability #1  
~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Demonstration/Proof of concept:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1. Log on with the user account created during Windows setup;  
  
2. Add the NTFS access control entry (D;OIIO;WP;;;WD) meaning  
"deny execution of files for everyone, inheritable to files  
in all subdirectories" to your %TEMP% directory;  
  
3. Download  
<https://downloadmirror.intel.com/28539/a08/Intel(R)%20Processor%20Identification%20Utility.exe>  
and save it in an arbitrary directory;  
  
4. Execute the just downloaded installation program  
"Intel(R) Processor Identification Utility.exe":  
notice the error messages displayed from Windows  
Installer due to non-executable DLLs written in  
the %TEMP% directory!  
  
  
Timeline:  
=========  
  
2019-07-17 first vulnerability report sent to vendor  
  
2019-07-18 Intel's PSIRT opens case #2208018370  
  
2019-07-28 Intel's PSIRT confirms reported vulnerability  
  
2019-08-01 second vulnerability report sent to vendor  
  
  
stay tuned, and FAR away from executable installers!  
Stefan Kanthak  
  
PS: wrapping an MSI installer in an executable self-extractor  
is COMPLETE nonsense!