Hi @ll,
the executable installer of the Intel Extreme Tuning Utility,
version 6.4.1.23 (Latest), released 5/18/2018, available from
<https://downloadmirror.intel.com/24075/eng/XTU-Setup.exe> via
<https://downloadcenter.intel.com/download/24075/Intel-Extreme-Tuning-Utility-Intel-XTU->
is (SURPRISE!) vulnerable.
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Vulnerability #0:
=================
The executable installer XTU-Setup.exe comes with at least two
OUTDATED and UNSUPPORTED runtime components from Microsoft, one
of which has known and long fixed vulnerabilities!
Component #1:
~~~~~~~~~~~~~
Microsoft SQL Server Compact 3.5 SP2 ENU
This is end-of-life since 4/10/2018; see
<https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft+SQL+Server+Compact+3.5>
Component #2:
~~~~~~~~~~~~~
Microsoft Visual C++ 2005 Runtime 8.0.50727.762
Visual C++ 2005 is end-of-life since 4/12/2016, more than TWO
years ago; see
<https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft+Visual+C%2B%2B+2005>
The latest Visual C++ 2005 Runtime is version 8.0.50727.4940,
published 4/12/2011 and updated 6/14/2011, i.e. SEVEN+ years ago.
See <https://support.microsoft.com/en-us/help/2467175>
and <https://support.microsoft.com/en-us/help/2538242/ms11-025-description-of-the-security-update-for-visual-c-2005-sp1-redi>
Also see
<https://support.microsoft.com/en-us/help/2977003/the-latest-supported-visual-c-downloads>
<https://support.microsoft.com/en-us/help/2661358/minimum-service-pack-levels-for-microsoft-vc-redistributable-packages>
The icing on the cake: XTU-Setup.exe tries to install the OUTDATED
and VULNERABLE Microsoft Visual C++ 2005 Runtime 8.0.50727.762 even
if a newer version is already installed!
That's a pretty good example of AWFULLY BAD software engineering!
Vulnerability #1:
=================
The vcredist_x86.exe package included in XTU-Setup.exe and executed
by it was built with the WiX toolset 3.6, whose Burn bootstrapper
loads its bootstrapper application DLL from a user-writable
subdirectory of %TEMP% (see the demonstration below).
See <http://seclists.org/bugtraq/2016/Jan/105>
and <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/>
I recommend exercising ENHANCED INTERROGATIONS with Microsoft about
their SLOPPY attitude to software security: the fixes were released
about 2.5 years ago, in cooperation with Microsoft, FireGiant and me,
but Microsoft failed or was too lazy to update their installer packages.
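As an added defender-side example (not from this advisory, nor from WiX or Intel), the following Python script recognizes WiX Burn bundles such as the embedded vcredist_x86.exe by their `.wixburn` PE section and reads the bundle id, from which the `%TEMP%\{BundleId}\.ba1` working folder named in the demonstration below is derived. The header layout (magic, version, GUID) is assumed from the Burn engine's section.cpp, and the PE image it parses is constructed inline as test input.

```python
import struct
import uuid

# Constants as defined in the WiX Burn engine source (burn/engine/section.cpp); assumed here.
WIXBURN_SECTION = b".wixburn"
WIXBURN_MAGIC = 0x00F14300
# Bundle id taken from the %TEMP% path in the advisory's demonstration.
SAMPLE_BUNDLE_ID = uuid.UUID("33d1fd90-4274-48a1-9bc1-97e33d9c2d6f")

def pe_sections(data):
    """Yield (name, raw_offset, raw_size) for every entry of the PE section table."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    for i in range(nsections):
        entry = table + 40 * i
        raw_size, raw_off = struct.unpack_from("<II", data, entry + 16)
        yield data[entry:entry + 8].rstrip(b"\0"), raw_off, raw_size

def burn_bundle_info(data):
    """Return the Burn header fields of a bundle, or None for a plain executable."""
    for name, off, size in pe_sections(data):
        if name != WIXBURN_SECTION or size < 24:
            continue
        magic, version = struct.unpack_from("<II", data, off)
        if magic != WIXBURN_MAGIC:
            return None
        # guidBundleId is stored as a Windows GUID struct, i.e. mixed-endian.
        bundle_id = "{%s}" % str(uuid.UUID(bytes_le=data[off + 8:off + 24])).upper()
        return {"section_version": version, "bundle_id": bundle_id,
                "ba_dir": "%TEMP%\\" + bundle_id + "\\.ba1"}
    return None

def build_sample_bundle(bundle_guid, with_burn=True):
    """Constructed input: a minimal PE with a .text section and, optionally, a .wixburn section."""
    def section(name, raw_off, raw_size):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_off, 0, 0, 0, 0, 0x40000040)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2 if with_burn else 1, 0, 0, 0, 0xE0, 0x102)
    burn_hdr = struct.pack("<II", WIXBURN_MAGIC, 2) + bundle_guid.bytes_le + b"\0" * 32
    headers = dos + coff + b"\0" * 0xE0 + section(b".text", 0x200, 16)
    if with_burn:
        headers += section(WIXBURN_SECTION, 0x210, len(burn_hdr))
    image = headers.ljust(0x200, b"\0") + b"\xC3" * 16                       # .text: 16 x RET
    return image + burn_hdr if with_burn else image
```

Run over an installer catalogue, this flags the bundles whose working folder lives in a user-writable %TEMP% and therefore need to be rebuilt with a fixed WiX release.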
Demonstrations/proof of concepts:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
These are for STANDARD installations of Windows, i.e. where the
user account created during Windows setup is used.
This precondition is met on typical installations of Windows:
according to Microsoft's own security intelligence reports, about
1/2 to 3/4 of the about 600 million Windows installations which
send telemetry data have only ONE active user account.
See <https://www.microsoft.com/security/sir>
A) for the arbitrary code execution with elevation of privilege
---------------------------------------------------------------
1. follow the instructions from
<https://skanthak.homepage.t-online.de/minesweeper.html>
and build the non-forwarding DLLDUMMY.DLL in your %TEMP%
directory;
2. create the following batch script:
--- wixstdba.cmd ---
:WIXSTDBA
@if not exist "%temp%\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll" goto :WIXSTDBA
copy "%TEMP%\dlldummy.dll" "%temp%\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll"
--- EOF ---
3. run the batch script per double click;
4. run XTU-Setup.exe: notice the message boxes displayed from the
WIXSTDBA.DLL copied into the subdirectory of %TEMP%.
B) for the denial of service
----------------------------
1. add the NTFS access control list entry (D;OIIO;WP;;;WD) meaning
"deny execution of files in this directory for everyone,
inheritable to all subdirectories" to the (user's) %TEMP%
directory.
NOTE: this does NOT need administrative privileges!
2. execute XTU-Setup.exe: notice the message box displaying the
failure of the installation about 3/4 of the way through.
STAY FAR AWAY FROM INTEL'S VULNERABLE CRAPWARE!
stay tuned
Stefan Kanthak
Timeline
~~~~~~~~
2017-09-04 vulnerability report sent to Intel
no answer, not even an acknowledgement of receipt
2018-03-22 vulnerability report resent to Intel
2018-05-18 updated installers published by Intel, but no security
advisory
2018-06-05 vulnerability report for the updated but still vulnerable
installers sent to Intel
2018-09-11 security advisory published by Intel:
<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00162.html>
2018-09-26 own security advisory published