Intel Rapid Storage Technology User Interface And Driver 15.9.0.1015 DLL Hijacking

`Hi @ll,  
  
the executable installer of the  
Intel(r) Rapid Storage Technology (Intel(r) RST) User Interface and Driver,  
version 15.9.0.1015 (LATEST for Windows 7), released 11/14/2017, available  
from <https://downloadmirror.intel.com/27400/eng/SetupRST.exe> via  
<https://downloadcenter.intel.com/download/27400/Intel-Rapid-Storage-Technology-Intel-RST-User-Interface-and-Driver>  
is (SURPRISE!) vulnerable!  
  
CVSS score: 7.5/HIGH CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H  
  
See Intel's security advisory SA-00153  
<https://www.intel.com/content/www/us/en/security-center/advisory/INTEL-SA-00153.html>  
  
  
Vulnerability #1:  
=================  
  
Although running with ELEVATED (administrative) privileges  
(the "application manifest" embedded in SetupRST.exe specifies  
"requireAdministrator"), on STANDARD installations of Windows,  
i.e. where the user account created during Windows setup is used,  
the executable installer creates an UNPROTECTED subdirectory  
IIF<abcd>.tmp in the user's %TEMP% directory.  
  
For this well-known and well-documented vulnerability see  
<https://cwe.mitre.org/data/definitions/377.html> and  
<https://cwe.mitre.org/data/definitions/379.html> plus  
<https://capec.mitre.org/data/definitions/29.html>  
  
The subdirectory IIF<abcd>.tmp inherits the NTFS ACLs from its  
parent %TEMP%, allowing "full access" for the unprivileged  
(owning) user, who can replace/overwrite the DLLs  
  
%TEMP%\IIF<abcd>.tmp\Resource.dll  
%TEMP%\IIF<abcd>.tmp\??-??\IntelCommon.dll  
  
later loaded and executed by the installer between their creation  
and use.  
Since these DLLs are executed with administrative privileges, this  
vulnerability results in arbitrary code execution WITH escalation  
of privilege.  
  
NOTE: the precondition "user account created during Windows setup"  
is met on typical installations of Windows: according to  
Microsoft's own security intelligence reports, about 1/2 to  
3/4 of the about 600 million Windows installations which send  
telemetry data have only ONE active user account.  
<https://www.microsoft.com/security/sir>  
  
  
Demonstration/proof of concept:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1. visit <https://skanthak.homepage.t-online.de/sentinel.html>,  
then download  
<https://skanthak.homepage.t-online.de/skanthak/download/SENTINEL.DLL>  
and save it in an arbitrary directory;  
  
2. save the following batch script in the same directory:  
  
--- IIF.CMD ---  
:WAIT  
@If Not Exist "%TEMP%\IIF????.tmp" Goto :WAIT  
For /D %%! In ("%TEMP%\IIF????.tmp") Do Set IIFTMP=%%!  
Copy /Y SENTINEL.DLL "%IIFTMP%\Resource.dll"  
For /R "%IIFTMP%" %%! In (IntelCommon.dll) Do Copy /Y SENTINEL.DLL "%%!"  
Set IIFTMP=  
--- EOF ---  
  
3. start the batch script per double-click;  
  
4. execute SetupRST.exe: notice the message boxes displayed from  
the replaced DLLs.  
  
  
Fixes:  
~~~~~~  
  
1. ALWAYS specify a PROPER "security descriptor" when you create  
(temporary) files or directories in potentially unsafe (i.e.  
user-writable) paths like the %TEMP% directory!  
See <https://msdn.microsoft.com/en-us/library/aa363855.aspx>  
and use the second parameter of CreateDirectory() to properly  
restrict the permissions when running elevated!  
  
2. NEVER load resource(-only) DLLs for execution!  
See <https://msdn.microsoft.com/en-us/library/ms684179.aspx>  
and use the third parameter of LoadLibraryEx() to specify  
LOAD_LIBRARY_AS_DATAFILE or LOAD_LIBRARY_AS_IMAGE_RESOURCE  
  
  
Mitigations:  
~~~~~~~~~~~~  
  
1. DONT use executable installers; stay far away from such  
eternally vulnerable crap!  
  
2. NEVER run executable installers in unsafe environments,  
especially NEVER from UNSAFE directories like "%TEMP%\" or  
"%USERPROFILE%\Downloads\"  
  
3. DISABLE execution of files (via NTFS ACL, as shown below) in  
the systems and every users %TEMP% and every %USERPROFILE%  
(see <https://skanthak.homepage.t-online.de/SAFER.html>)!  
  
4. Practice STRICT privilege separation: use a your privileged  
"Administrator" account (especially the account created during  
Windows setup) ONLY for administrative tasks, and COMPLETELY  
separate unprivileged user accounts, with elevation requests  
DISABLED, for your everyday/regular work.  
  
  
  
Vulnerability #2:  
=================  
  
A variant of #1, resulting in denial of service.  
  
  
Demonstration/proof of concept:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1. add the NTFS access control list entry (D;OIIO;WP;;;WD) meaning  
"deny execution of files in this directory for everyone,  
inheritable to all subdirectories" to the (user's) %TEMP%  
directory.  
  
NOTE: this does NOT need administrative privileges!  
  
2. execute SetupRST.exe: notice the message box  
"error loading language resource" displayed.  
  
  
Fix:  
~~~~  
  
Create (temporary) files and directories with PROPER permissions!  
See above.  
  
  
stay tuned  
Stefan Kanthak  
  
  
Timeline:  
~~~~~~~~~  
  
2018-06-06 vulnerability report sent to vendor  
  
2018-06-10 Intel acknowledges receipt  
  
2018-06-14 Intel confirms reported vulnerability  
  
2018-10-26 CVE-2018-3635 assigned  
  
2018-11-13 Intel publishes security advisory SA-00153  
  
2018-11-16 vulnerability report published  
  
  
  
`