Nytro Posted May 20, 2019 Report Share Posted May 20, 2019 Technical Advisory: Intel Driver Support & Assistance – Local Privilege Escalation Vendor: Intel Vendor URL: http://www.intel.com/ Versions affected: Intel Driver Support & Assistance prior to version 19.4.18 Systems Affected: Microsoft Windows Author: Richard Warren <richard.warren[at]nccgroup[dot]com> Advisory URL / CVE Identifier: CVE-2019-11114. Risk: Medium Summary This vulnerability allows a low privileged user to escalate their privileges to SYSTEM. Location Intel Driver Support & Assistance - DSAService (DSACore.dll) Impact Upon successful exploitation, arbitrary file read and write as SYSTEM is achieved, leading to local privilege escalation. Details The Intel Driver & Support Assistant Software, which allows users to update their drivers and software on Intel-based machines - suffers from a number of logic based issues which result in both arbitrary file read and write as SYSTEM. This can be exploited by a low privileged local attacker to achieve local privilege escalation. The Intel Driver & Support Assistant (DSA) software service (DSAService) runs under the highly privileged SYSTEM account. The DSAService runs an HTTP REST server on a TCP port between 28380-28384 (for HTTPS) and 28385-28389 (for HTTP) in order for the web browser to communicate with the DSA service when carrying out updates. DSA also contains a component called DSATray, running as a low-privileged child process of DSAService. DSATray allows the user to change certain settings within DSA, such as the logging and downloads directory – which specify where DSA will download driver installers, or where DSAService will store its log files. In order for the low privileged DSATray process to communicate these settings to the higher privileged service, DSAService exposes a WCF service, available over a named-pipe instance. This named pipe does not require any privileges to read or write to, as shown below: >pipelist.exe PipeList v1.02 - Lists open named pipes Copyright (C) 2005-2016 Mark Russinovich Sysinternals - www.sysinternals.com Pipe Name Instances Max Instances --------- --------- ------------- --SNIP-- 7adb97bb-ffbe-468a-8859-6b3b63f7e418 8 -1 >accesschk.exe \pipe\7adb97bb-ffbe-468a-8859-6b3b63f7e418 Accesschk v6.12 - Reports effective permissions for securable objects Copyright (C) 2006-2017 Mark Russinovich Sysinternals - www.sysinternals.com \\.\Pipe\7adb97bb-ffbe-468a-8859-6b3b63f7e418 RW Everyone RW NT AUTHORITY\SYSTEM RW BUILTIN\Administrators The log folder can be reconfigured by a low privileged user, either via the DSATray GUI itself, or via the SetLogDirectory WCF method. Under normal circumstances, the DSA log files are not writeable by a low privileged user (as shown below), however as a low privileged user can set a custom log directory, these permissions can be bypassed by modifying the log directory setting. >accesschk.exe C:\ProgramData\Intel\DSA\ Accesschk v6.12 - Reports effective permissions for securable objects Copyright (C) 2006-2017 Mark Russinovich Sysinternals - www.sysinternals.com C:\ProgramData\Intel\DSA\Service.log RW NT AUTHORITY\SYSTEM RW BUILTIN\Administrators R BUILTIN\Users C:\ProgramData\Intel\DSA\Service.log.bak RW NT AUTHORITY\SYSTEM RW BUILTIN\Administrators R BUILTIN\Users C:\ProgramData\Intel\DSA\Tray.log RW NT AUTHORITY\SYSTEM RW BUILTIN\Administrators RW DESKTOP-HOHGEL9\bob R BUILTIN\Users C:\ProgramData\Intel\DSA\UpdateService.log RW NT AUTHORITY\SYSTEM RW BUILTIN\Administrators R BUILTIN\Users Finally, in vulnerable versions the DSAService does not impersonate the logged-on user before writing to the log file(s), nor does it check whether the log directory contains Symbolic links. If an attacker configures the log folder to a writeable directory, then they can use a symlink/mount point/hardlink to read or write arbitrary files. Combined with log poisoning this can lead to local privilege escalation. Arbitrary file read can be achieved by creating a hard link from Detailed-System-Report.html to the file the attacker wishes to read, and then calling the “report/save” REST method on the DSAService local REST server. The content of the target file will be returned within the HTTP response. Arbitrary file write can be achieved by creating a Symlink Chain (using James Forshaw’s CreateSymlink.exe tool), pointing the System.log file to a file of the attacker’s choice, switching the log directory and subsequently sending any arbitrary content to the DSAService local REST server. Any content sent within the POST request will be logged verbosely to the System.log file. Combined with other vectors this can result in code execution as SYSTEM. NCC Group provided a proof of concept exploit demonstrating the above vulnerability to Intel on the 23rd of April 2019. Intel released DSA version 19.4.18 on May 15th 2019. This updated version of the software adds a number of new checks: DSACore!GenerateHtmlReport now checks whether the file is a Symbolic/Hardlink. A new check is added to DSACore!IsValidDirectory which is called when the log directory is set. Recommendation Upgrade Intel DSA version 19.4.18, or newer. Vendor Communication April 23, 2019: Vulnerability disclosed to Intel April 23, 2019: Confirmation of receipt from Intel April 30, 2019: Intel confirm issue reproduced and that they are working on a fix May 14, 2019: Intel releases DSA version 19.4.18, addressing the issue reported May 14, 2019: Checked with Intel that CVE-2019-11114 definitely correlates to the LPE vulnerability reported to them. May 14, 2019: Intel confirmed CVE-2019-11114 is the correct CVE for the issue reported. May 15, 2019: NCC Group advisory released About NCC Group NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity. Published date: 15 May 2019 Written by: Richard Warren Sursa: https://www.nccgroup.trust/uk/our-research/technical-advisory-intel-driver-support-and-assistance-local-privilege-escalation/ Quote Link to comment Share on other sites More sharing options...
