Intel Extreme Tuning Utility Code Execution / Privilege Escalation

Intel Extreme Tuning Utility version suffers from code execution, privilege escalation, and denial of service vulnerabilities.

Hi @ll,

the executable installer of the Intel Extreme Tuning Utility,
version (Latest), released 5/18/2018, available from
<> via
is (SURPRISE!) vulnerable.


Vulnerability #0:

The executable installer XTU-Setup.exe comes with at least two
OUTDATED and UNSUPPORTED runtime components from Microsoft, one
of which has known and long fixed vulnerabilities!

Component #1:

Microsoft SQL Server Compact 3.5 SP2 ENU

This is end-of-life since 4/10/2018; see

Component #2:

Microsoft Visual C++ 2005 Runtime 8.0.50727.762

Visual C++ 2005 is end-of-life since 4/12/2016, more than TWO
years ago; see

The latest Visual C++ 2005 Runtime is version 8.0.50727.4940,
published 4/12/2011, updated 6/14/2011, i.e. SEVEN+ years ago.
See <>
and <>

Also see

The icing on the cake: XTU-Setup.exe tries to install the OUTDATED
and VULNERABLE Microsoft Visual C++ 2005 Runtime 8.0.50727.762 even
if a newer version is already installed!

That's a pretty good example for AWFUL BAD software engineering!

Vulnerability #1:

The vcredist_x86.exe package included in XTU-Setup.exe and executed
by it was built with Wix toolset 3.6

See <>
and <>

I recommend to exercise ENHANCED INTERROGATIONS with Microsoft about
their SLOPPY attitude to software security: the fixes were released
about 2.5 years ago, in cooperation with Microsoft, FireGiant and me,
but Microsoft failed or was too lazy to update their installer packages.

Demonstrations/proof of concepts:

These are for STANDARD installations of Windows, i.e. where the
user account created during Windows setup is used.
This precondition is met on typical installations of Windows:
according to Microsoft's own security intelligence reports, about
1/2 to 3/4 of the about 600 million Windows installations which
send telemetry data have only ONE active user account.
See <>

A) for the arbitrary code execution with elevation of privilege

1. follow the instructions from
and build the non-forwarding DLLDUMMY.DLL in your %TEMP%

2. create the following batch script:

--- wixstdba.cmd ---
@if not exist "%temp%\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll" goto :WIXSTDBA
copy "%TEMP%\dlldummy.dll" "%temp%\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll"
--- EOF ---

3. run the batch script per double click;

4. run XTU-Setup.exe: notice the message boxes displayed from the
WIXSTDBA.DLL copied into the subdirectory of %TEMP%.

B) for the denial of service

1. add the NTFS access control list entry (D;OIIO;WP;;;WD) meaning
"deny execution of files in this directory for everyone,
inheritable to all subdirectories" to the (user's) %TEMP%

NOTE: this does NOT need administrative privileges!

2. execute XTU-Setup.exe: notice the message box displaying the
failure of the installation about 3/4 way through.


stay tuned
Stefan Kanthak


2017-09-04 vulnerability report sent to Intel

no answer, not even an acknowledgement of receipt

2018-03-22 vulnerability report resent to Intel

2018-05-18 updated installers published by Intel, but no security

2018-06-05 vulnerability report for the updated but still vulnerable
installers sent to Intel

2018-09-11 security advisory published by Intel:

2018-09-26 own security advisory published
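
Detection logic for the condition shown in demonstration A, added here as an example and not part of the original advisory: it correlates Sysmon FileCreate (event 11) and ImageLoad (event 7) records and flags a DLL under a `{GUID}\.ba1` directory that is loaded by a process other than the one that last wrote it. The event dictionaries, profile path, process GUIDs and image paths are constructed, and the logic assumes a legitimate bootstrapper extracts and loads its DLL in the same process.

```python
import re

# Burn bootstrapper-application DLL: ...\{GUID}\.ba<N>\<name>.dll
BA_DLL = re.compile(
    r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\\.ba\d+\\[^\\]+\.dll$", re.I)

def find_planted_ba_dlls(events):
    """Flag .ba<N> DLLs loaded by a process that did not write them last.

    events: time-ordered dicts shaped like Sysmon event 11 (FileCreate:
    ProcessGuid, Image, TargetFilename) and event 7 (ImageLoad: ProcessGuid,
    Image, ImageLoaded). Assumption: a legitimate bootstrapper extracts and
    loads its DLL in one and the same process.
    """
    last_writer = {}  # lower-cased DLL path -> (ProcessGuid, Image)
    alerts = []
    for ev in events:
        if ev["EventID"] == 11 and BA_DLL.search(ev["TargetFilename"]):
            last_writer[ev["TargetFilename"].lower()] = (ev["ProcessGuid"], ev["Image"])
        elif ev["EventID"] == 7 and BA_DLL.search(ev["ImageLoaded"]):
            guid, image = last_writer.get(ev["ImageLoaded"].lower(), (None, None))
            if guid == ev["ProcessGuid"]:
                continue  # extracted and loaded by the same process: expected
            reason = f"last written by {image}" if guid else "no write observed"
            alerts.append({"loader": ev["Image"], "dll": ev["ImageLoaded"], "reason": reason})
    return alerts

# Constructed sample events (profile path, process GUIDs and image paths are made up).
TEMP = r"C:\Users\user\AppData\Local\Temp"
DLL = TEMP + r"\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll"
SETUP = {"ProcessGuid": "{proc-setup}", "Image": TEMP + r"\vcredist_x86.exe"}
OTHER = {"ProcessGuid": "{proc-other}", "Image": r"C:\Windows\System32\cmd.exe"}
CLEAN = [
    {"EventID": 11, **SETUP, "TargetFilename": DLL},
    {"EventID": 7, **SETUP, "ImageLoaded": DLL},
]
TAMPERED = [
    CLEAN[0],
    {"EventID": 11, **OTHER, "TargetFilename": DLL.upper()},  # overwrite by another process
    CLEAN[1],
]

if __name__ == "__main__":
    for name, log in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, find_planted_ba_dlls(log))
```

Sysmon records ImageLoad events only when its configuration enables them, so this correlation needs event 7 logging turned on for the monitored hosts.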

