Intel SSD Toolbox 3.4.3 DLL Hijacking

2017-05-31T00:00:00
ID PACKETSTORM:142751
Type packetstorm
Reporter Stefan Kanthak
Modified 2017-05-31T00:00:00

Description

                                        
                                            `Hi @ll,  
  
executable installers built with Intels Installation Framework,  
for example "Intel SSD Toolbox - v3.4.3.exe", available from  
<https://downloadcenter.intel.com/download/26574>, expose two  
vulnerabilities, both resulting in arbitrary code execution  
with escalation of privilege.  
  
Vulnerability #1:  
~~~~~~~~~~~~~~~~~  
  
On a fully patched Windows 7 SP1 they load and execute (at least)  
Cabinet.dll, Version.dll, RichEd20.dll, UXTheme.dll or DMWAPI.dll  
(on other versions of Windows different DLLs may be affected)  
from the directory they are stored (their so-called "application  
directory") instead Windows' "system directory"  
%SystemRoot%\System32\", resulting in arbitrary code execution.  
  
DLL hijacking is a 20 year old, well-known and well-documented  
vulnerability, and a typical (but ubiquituous) beginner's error:  
see <https://cwe.mitre.org/data/definitions/426.html>,  
<https://cwe.mitre.org/data/definitions/427.html>,  
<https://capec.mitre.org/data/definitions/471.html>,  
<https://technet.microsoft.com/en-us/library/2269637.aspx>,  
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and  
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> plus  
<https://skanthak.homepage.t-online.de/!execute.html> for more  
documentation!  
  
For software downloaded with a web browser the "application  
directory" is typically the user's "Downloads" directory: see  
<http://seclists.org/fulldisclosure/2015/Nov/101> and  
<http://seclists.org/fulldisclosure/2015/Dec/86> plus  
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,  
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,  
<http://seclists.org/fulldisclosure/2012/Aug/134> and  
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>  
  
Due to the specification "requireAdministrator" in the application  
manifest embedded within the executable, installers like  
"Intel SSD Toolbox - v3.4.3.exe" run with administrative privileges  
("protected" administrators are prompted for consent, unprivileged  
standard users are prompted for an administrator password),  
resulting in an escalation of privilege!  
  
If (one of) the DLLs named above get(s) planted in the users  
"Downloads" directory, for example per "drive-by download", this  
vulnerability becomes a remote code execution WITH escalation of  
privilege.  
  
  
Proof of concept/demonstration:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1. visit <https://skanthak.homepage.t-online.de/sentinel.html>,  
download  
<https://skanthak.homepage.t-online.de/skanthak/download/SENTINEL.DLL>  
and save it as Cabinet.dll in your "Downloads" directory, then  
copy it as Version.dll, RichEd20.dll, UXTheme.dll and DWMAPI.dll;  
  
2. visit <https://downloadcenter.intel.com/download/26574>, download  
<https://downloadmirror.intel.com/26574/eng/Intel%20SSD%20Toolbox%20-%20v3.4.3.exe>  
and save it in your "Downloads" directory;  
  
3. execute "Intel SSD Toolbox - v3.4.3.exe" from your "Downloads"  
directory;  
  
4. notice the message boxes displayed from the DLLs placed in  
step 1: PWNED!  
  
  
Mitigation & detection:  
~~~~~~~~~~~~~~~~~~~~~~~  
  
* NEVER run executable installers from your "Downloads" directory;  
  
* dump/avoid executable installers, use *.MSI instead!  
  
* see <https://skanthak.homepage.t-online.de/!execute.html> plus  
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>  
  
* also see <https://skanthak.homepage.t-online.de/verifier.html>  
  
  
Vulnerability #2:  
~~~~~~~~~~~~~~~~~  
  
On EVERY version of Windows these installers create UNSAFE  
(sub)directories "%TEMP%\IIF<abcd>.tmp\", "%TEMP%\IIF<abcd>.tmp\Lang\"  
and "%TEMP%\IIF<abcd>.tmp\Lang\<ll>-<CC>\", extract some dozen  
DLLs "%TEMP%\IIF<abcd>.tmp\Lang\<ll>-<CC>\setup.exe.dll" and load  
ALL of them with administrative privileges.  
  
An unprivileged attacker^Wuser can replace these DLLs between their  
creation and their use, again resulting in elevation of privilege.  
  
See <https://cwe.mitre.org/data/definitions/377.html> and  
<https://cwe.mitre.org/data/definitions/379.html> for this  
well-known and well-documented vulnerability.  
  
  
Proof of concept/demonstration:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1. visit <https://skanthak.homepage.t-online.de/sentinel.html>,  
then download  
<https://skanthak.homepage.t-online.de/skanthak/download/SENTINEL.DLL>  
and save it in an arbitrary directory;  
  
2. save the following batch script in the same directory:  
  
--- IIF.CMD ---  
:WAIT  
@If Not Exist "%TEMP%\IIF????.tmp" Goto :WAIT  
For /D %%! In ("%TEMP%\IIF????.tmp") Do Set IIFTMP=%%!  
For /R "%IIFTMP%" %%! In (setup.exe.dll) Do Copy SENTINEL.DLL "%%!"  
Set IIFTMP=  
--- EOF ---  
  
3. start the batch script;  
  
4. execute "Intel SSD Toolbox - v3.4.3.exe".  
  
  
stay tuned  
Stefan Kanthak  
  
  
Timeline:  
~~~~~~~~~  
  
2017-03-06 vulnerability report sent to vendor  
  
2017-03-06 automatic reply "we received your report"  
  
2017-03-06 reply from vendor:  
"We will escalate this to the appropriate team and get  
back to you in the next couple of days."  
  
2017-03-14 followup from vendor:  
"Our technical team has confirmed the finding and an  
update is being created."  
  
2017-03-15 question sent to vendor:  
"Will all executable installers built with the  
vulnerable IIF be fixed, or just the one I picked?"  
  
2017-03-15 reply from vendor:  
"We are getting an update from the product team this  
week and will relay your concerns."  
  
2017-04-21 notication from vendor:  
"due to an unrelated problem we are delaying release  
until the week of May 22. I can provide you with a  
build that has the DLL hijacking fixed if you'd like."  
  
2017-04-21 answer to vendor: "yes, I'd like to test it!"  
  
2017-05-04 reply from vendor:  
"we produced an official build (not beta) toward the  
May 22 release, and we are very interested for you to  
put it through your 'minefield'"  
  
2017-05-05 notication from vendor:  
"fixed installer for the SSD toolbox available from  
<https://downloadcenter.intel.com/product/80096/Intel-SSD-Toolbox>  
and  
<https://downloadcenter.intel.com/product/80095/SSD-Software>"  
  
2017-05-11 resent question from 2017-03-15 to vendor:  
"Will all executable installers built with the  
vulnerable IIF be fixed, or just the one I picked?"  
  
2017-05-30 vendor publishes advisory INTEL-SA-00074  
<https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00074&languageid=en-fr>  
`