Hi @ll, Intel® Processor Identification Utility - Windows* Version, version 6.0.0211 from 2019-02-11, available from <https://downloadmirror.intel.com/28539/a08/Intel(R)%20Processor%20Identification%20Utility.exe> via <https://downloadcenter.intel.com/download/28539>, and earlier versions 6.0.* are vulnerable: in default installations of all supported versions of Windows (really: Windows Vista and later), they allows arbitrary code execution WITH escalation of privilege via two INDEPENDENT attack vectors; additionally they suffer from a denial of service. CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS 3 Score: 8.2 (High) Vulnerability #1: ================= Arbitrary code execution with escalation of privilege Reason: ~~~~~~~ Use of ShellExecute() to run a batch script, i.e. use of file association .bat: ShellExecute() reads the registry key HKEY_CLASSES_ROOT to determine 1. the file type associated with any given file extension (here: .bat), and 2. the command line associated with the file type (here: batfile). HKEY_CLASSES_ROOT is a virtual registry key, built from the overlay of HKEY_LOCAL_MACHINE\SOFTWARE\Classes with HKEY_CURRENT_USER\Software\Classes, i.e. the latter taking precedence over the former. HKEY_CURRENT_USER is under full control of the unprivileged user who can hijack both the association of batfile to .bat and the command lines associated with the verbs registered for batfile. Fix: ~~~~ Don't use ShellExecute() when running elevated, use CreateProcess("C:\\Windows\\System32\\cmd.exe", "cmd.exe /C Call path\\filename.bat", ...) instead! Demonstration/Proof of concept: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. Log on with the user account created during Windows setup; 2. Download <https://skanthak.homepage.t-online.de/download/SENTINEL.EXE> and save it in an arbitrary directory; 3. Open a command prompt in the directory where you saved SENTINEL.EXE and run the following command line: REG.EXE ADD "HKEY_CURRENT_USER\Software\Classes\batfile\Shell\Open\Command" /VE /T REG_SZ /D "%CD%\SENTINEL.EXE" /F 4. Download <https://downloadmirror.intel.com/28539/a08/Intel(R)%20Processor%20Identification%20Utility.exe> and save it in an arbitrary directory; 5. Execute the just downloaded installation program "Intel(R) Processor Identification Utility.exe" and answer the prompts: upon completion, notice the message box titled "Vulnerability and Exploit Detector", displayed by SENTINEL.EXE running elevated! Vulnerability #2: ================= Arbitrary code execution with escalation of privilege Reason: ~~~~~~~ UNSAFE %TEMP% directory used for 77+ files extracted from both the executable installation program "Intel(R) Processor Identification Utility.exe" and the extracted MSI installer %TEMP%\AIE*.tmp, plus unqualified filename ATTRIB used in the script %TEMP%\EXE*.tmp.bat See <https://cwe.mitre.org/data/definitions/377.html>, <https://cwe.mitre.org/data/definitions/378.html> and <https://cwe.mitre.org/data/definitions/379.html>, plus <https://cwe.mitre.org/data/definitions/426.html> and <https://cwe.mitre.org/data/definitions/427.html> 1. In the user account created during Windows setup, any process running unprivileged has FULL access to %TEMP%. 2. The command processor searches executables in the CWD (which happens to be %TEMP% here) first. Fix: ~~~~ 1. Create all extracted and temporary files with proper permissions, i.e. writable/accessible only for administrators, or in a directory where only administrators can write/modify!. 2. Use fully qualified pathnames: ATTRIB is always "%SystemRoot%\System32\attrib.exe" Mitigations: ~~~~~~~~~~~~ 1. Set the environment variable NoDefaultCurrentDirectoryInExePath to an arbitrary value: this excludes . from the search path of the command processor (see <https://msdn.microsoft.com/en-us/library/ms684269.aspx>). 2. Add the NTFS access control entry (D;OIIO;WP;;;WD) meaning "deny execution of files for everyone, inheritable to files in all subdirectories" to all TEMP directories. JFTR: every batch script or program which fails after applying of one of these changes is VULNERABLE and needs to be fixed ANYWAY! Demonstration/Proof of concept: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. Log on with the user account created during Windows setup; 2. Download <https://skanthak.homepage.t-online.de/download/SENTINEL.EXE> and save it as ATTRIB.COM or ATTRIB.EXE in your %TEMP% directory; 3. Download <https://downloadmirror.intel.com/28539/a08/Intel(R)%20Processor%20Identification%20Utility.exe> and save it in an arbitrary directory; 4. Execute the just downloaded installation program "Intel(R) Processor Identification Utility.exe" and answer the prompts: upon completion, notice the message boxes titled "Vulnerability and Exploit Detector", displayed by %TEMP%\ATTRIB.COM or %TEMP%\ATTRIB.EXE running elevated! Alternate attack: ~~~~~~~~~~~~~~~~~ Any of the 77+ files extracted into %TEMP% can be modified by the unprivileged user between creation and use, for example with a simple batch script as shown below, which is started any time before the executable installer: --- intel.cmd --- @echo off :WAIT if not exist "%TEMP%\AI_EXTUI_BIN_*" goto :WAIT for /D %%? in ("%TEMP%\AI_EXTUI_BIN_*") do set FOOBAR=%%? rem now replace for example "%FOOBAR%\viewer.exe" with rem an arbitrary executable --- EOF --- As soon as one of these files is executed during installation, the attacker gains administrative privileges. Vulnerability #3: ================= Denial of service Reason: see vulnerability #1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Fix: see vulnerability #1 ~~~~~~~~~~~~~~~~~~~~~~~~~ Demonstration/Proof of concept: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. Log on with the user account created during Windows setup; 2. Add the NTFS access control entry (D;OIIO;WP;;;WD) meaning "deny execution of files for everyone, inheritable to files in all subdirectories" to your %TEMP% directory; 3. Download <https://downloadmirror.intel.com/28539/a08/Intel(R)%20Processor%20Identification%20Utility.exe> and save it in an arbitrary directory; 4. Execute the just downloaded installation program "Intel(R) Processor Identification Utility.exe": notice the error messages displayed from Windows Installer due to non-executable DLLs written in the %TEMP% directory! Timeline: ========= 2019-07-17 first vulnerability report sent to vendor 2019-07-18 Intel's PSIRT opens case #2208018370 2019-07-28 Intel's PSIRT confirms reported vulnerability 2019-08-01 second vulnerability report sent to vendor stay tuned, and FAR away from executable installers! Stefan Kanthak PS: wrapping an MSI installer in an executable self-extractor is COMPLETE nonsense!
