Intel Extreme Tuning Utility 6.4.1.23 Code Execution / Privilege Escalation Vulnerabilities

Reported by zdt, 30 Sep 2018 (source: 0day.today)

Intel Extreme Tuning Utility 6.4.1.23 Code Execution / Privilege Escalation Vulnerabilities from outdated and vulnerable Microsoft components, including Microsoft SQL Server Compact 3.5 SP2 ENU and Microsoft Visual C++ 2005 Runtime 8.0.50727.762, executed by XTU-Setup.exe

Intel Extreme Tuning Utility 6.4.1.23 Code Execution / Privilege Escalation

Hi @ll,

the executable installer of the Intel Extreme Tuning Utility,
version 6.4.1.23 (Latest), released 5/18/2018, available from
<https://downloadmirror.intel.com/24075/eng/XTU-Setup.exe> via
<https://downloadcenter.intel.com/download/24075/Intel-Extreme-Tuning-Utility-Intel-XTU->
is (SURPRISE!) vulnerable.

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H


Vulnerability #0:
=================

The executable installer XTU-Setup.exe comes with at least two
OUTDATED and UNSUPPORTED runtime components from Microsoft, one
of which has known and long fixed vulnerabilities!

Component #1:
~~~~~~~~~~~~~

Microsoft SQL Server Compact 3.5 SP2 ENU

This is end-of-life since 4/10/2018; see
<https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft+SQL+Server+Compact+3.5>


Component #2:
~~~~~~~~~~~~~

Microsoft Visual C++ 2005 Runtime 8.0.50727.762

Visual C++ 2005 is end-of-life since 4/12/2016, more than TWO
years ago; see
<https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft+Visual+C%2B%2B+2005>

The latest Visual C++ 2005 Runtime is version 8.0.50727.4940,
published 4/12/2011 and updated 6/14/2011, i.e. SEVEN+ years ago.
See <https://support.microsoft.com/en-us/help/2467175>
and <https://support.microsoft.com/en-us/help/2538242/ms11-025-description-of-the-security-update-for-visual-c-2005-sp1-redi>

Also see
<https://support.microsoft.com/en-us/help/2977003/the-latest-supported-visual-c-downloads>
<https://support.microsoft.com/en-us/help/2661358/minimum-service-pack-levels-for-microsoft-vc-redistributable-packages>

The icing on the cake: XTU-Setup.exe tries to install the OUTDATED
and VULNERABLE Microsoft Visual C++ 2005 Runtime 8.0.50727.762 even
if a newer version is already installed!

That's a pretty good example of AWFULLY BAD software engineering!
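As an added check (not part of Stefan Kanthak's advisory), the following PowerShell inventories the Visual C++ 2005 runtime assemblies present on a Windows machine and flags any older than the 8.0.50727.4940 build quoted above. It assumes the usual WinSxS directory naming pattern `<arch>_microsoft.vc80.crt_<publickeytoken>_<version>_<lang>_<hash>` and reads the standard Uninstall registry keys; both are assumptions of this example, not facts taken from the advisory.

```powershell
# Added example, not from the advisory: find Visual C++ 2005 CRT assemblies
# installed on this machine and report which ones predate the last fixed
# build named in the advisory (8.0.50727.4940).
$LastFixedVc2005 = [version]'8.0.50727.4940'

function Get-Vc2005CrtVersions {
    param([string]$WinSxS = (Join-Path $env:SystemRoot 'WinSxS'))

    # Assumption: side-by-side directories are named
    #   <arch>_microsoft.vc80.crt_<token>_<version>_<lang>_<hash>
    # Policy directories (x86_policy.8.0.microsoft.vc80.crt_...) do not match
    # the filter because the assembly name there is not preceded by '_'.
    Get-ChildItem -Path $WinSxS -Directory -Filter '*_microsoft.vc80.crt_*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $parts = $_.Name -split '_'
            # parts[0]=architecture, [1]=assembly name, [2]=public key token, [3]=version
            if ($parts.Count -ge 4 -and $parts[3] -match '^\d+\.\d+\.\d+\.\d+$') {
                $ver = [version]$parts[3]
                [pscustomobject]@{
                    Architecture = $parts[0]
                    Version      = $ver
                    Outdated     = ($ver -lt $LastFixedVc2005)
                    Path         = $_.FullName
                }
            }
        }
}

function Get-Vc2005UninstallEntries {
    # Assumption: the redistributable registers itself under the standard
    # Uninstall keys (native and WOW6432Node views).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Visual C++ 2005*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

# Report: outdated CRT builds first, then what Add/Remove Programs knows about.
Get-Vc2005CrtVersions | Sort-Object Version | Format-Table -AutoSize
Get-Vc2005UninstallEntries | Format-Table -AutoSize
```

Run it from an ordinary (non-elevated) PowerShell; both WinSxS listing and the Uninstall keys are world-readable. A hit with Outdated = True after running XTU-Setup.exe corroborates the advisory's claim that the installer drops the old runtime; absence of a hit says nothing about whether the installer still bundles it.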


Vulnerability #1:
=================

The vcredist_x86.exe package included in XTU-Setup.exe and executed
by it was built with WiX toolset 3.6, the fixes for which are linked below.

See <http://seclists.org/bugtraq/2016/Jan/105>
and <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/>

I recommend exercising ENHANCED INTERROGATIONS with Microsoft about
their SLOPPY attitude to software security: the fixes were released
about 2.5 years ago, in cooperation with Microsoft, FireGiant and me,
but Microsoft failed or was too lazy to update their installer packages.


Demonstrations/proof of concepts:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

These are for STANDARD installations of Windows, i.e. where the
user account created during Windows setup is used.
This precondition is met on typical installations of Windows:
according to Microsoft's own security intelligence reports, about
1/2 to 3/4 of the about 600 million Windows installations which
send telemetry data have only ONE active user account.
See <https://www.microsoft.com/security/sir>


A) for the arbitrary code execution with elevation of privilege
---------------------------------------------------------------

1. follow the instructions from
   <https://skanthak.homepage.t-online.de/minesweeper.html>
   and build the non-forwarding DLLDUMMY.DLL in your %TEMP%
   directory;

2. create the following batch script:

   --- wixstdba.cmd ---
   :WIXSTDBA
   @if not exist "%temp%\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll" goto :WIXSTDBA
   copy "%TEMP%\dlldummy.dll" "%temp%\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll"
   --- EOF ---

3. run the batch script per double click;

4. run XTU-Setup.exe: notice the message boxes displayed from the
   WIXSTDBA.DLL copied into the subdirectory of %TEMP%.


B) for the denial of service
----------------------------

1. add the NTFS access control list entry (D;OIIO;WP;;;WD) meaning
   "deny execution of files in this directory for everyone,
   inheritable to all subdirectories" to the (user's) %TEMP%
   directory.

   NOTE: this does NOT need administrative privileges!

2. execute XTU-Setup.exe: notice the message box displaying the
   failure of the installation about 3/4 way through.


STAY FAR AWAY FROM INTEL'S VULNERABLE CRAPWARE!


stay tuned
Stefan Kanthak


Timeline
~~~~~~~~

2017-09-04    vulnerability report sent to Intel

              no answer, not even an acknowledgement of receipt

2018-03-22    vulnerability report resent to Intel

2018-05-18    updated installers published by Intel, but no security
              advisory

2018-06-05    vulnerability report for the updated but still vulnerable
              installers sent to Intel

2018-09-11    security advisory published by Intel:
              <https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00162.html>

2018-09-26    own security advisory published

