This blog post highlights a trivial privilege escalation vulnerability in Intel Driver & Support Assistant. Intel Driver & Support Assistant is an application for keeping drivers, firmware and software packages up-to-date on systems using Intel hardware.
When we first contacted Intel we were informed that another researcher had already reported the same vulnerability. We were furthermore informed that the vulnerability would be fixed in 60 days or sooner. Improsec's Responsible Disclosure policy dictates a 90-day period for the security measures to be designed, developed, tested and implemented with customers before we publish information about the vulnerability, and that time has now passed.
During the 60 days several new versions of the application were released, from 20.5.20 to 20.8.30.6.
However, the vulnerability is still present in the newest version.
CVE registered
CVE-2020-12302
Affected versions
20.5.20 at the time of discovery.
20.8.30.6 at the time of public disclosure.
Timeline
22/05/20 - Intel Product Security Incident Response Team is e-mailed with detailed description
22/05/20 - Intel Product Security Incident Response Team informs that they are investigating the issue.
08/06/20 - Intel Product Security Incident Response Team confirms the vulnerability and informs us that the vulnerability has been reported previously. The vulnerability is currently being mitigated.
10/06/20 - Intel Product Security Incident Response Team informs that a patch should be available within 60 days. CVE-2020-12302 has been allocated for the vulnerability.
26/08/20 - Vulnerability is disclosed without a patch.
Product page
Changelog
Walkthrough
Viewing the management rights for the service "Intel® SUR QC SAM" granted to "Everyone" on a default installation showed that all users have the right to start the service. By default, the service's start-up type is set to "Manual".
Starting the service with the Windows built-in command-line service control program "sc".
During the start-up process the service executable tries to load a DLL called "python3.dll", first from the root of the "C:\" drive and then from the "C:\DLLs\" directory. Both attempts fail because the file does not exist on a default installation. The executable closes automatically when it is done processing (about 1-5 seconds after start).
The problem is likely caused by the file "pyconfig.h" in the "C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\Include\" directory, which defines the search paths for the "python3.dll" file.
As even low-privileged users by default have the right to create directories in the root of "C:\", any user can create the missing "DLLs" directory and place a malicious DLL file called "python3.dll" in it.
Starting the service again will load the malicious DLL file and execute our payload with the service's privileges.
Sample code for the payload DLL file.
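Since the vulnerability was disclosed without a patch, administrators need a way to tell whether a host is exposed and whether the hijack location has already been populated. The following PowerShell audit script is an added example and is not part of Improsec's post or of Intel's product. It uses only facts from the walkthrough (the service display name, the two "python3.dll" search locations, the "pyconfig.h" path, and the SERVICE_START right granted to Everyone); the function names, the wildcard match on the display name, and the list of principals treated as low-privileged are assumptions of this example.

```powershell
# Added example (not from the original post): audit a host for the conditions
# described in the walkthrough and report any DLL planted in the search locations.
$ErrorActionPreference = 'Stop'

# Facts taken from the post.
$DllProbePaths = @('C:\python3.dll', 'C:\DLLs\python3.dll')
$PyConfigPath  = 'C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\Include\pyconfig.h'

# Assumption: principals whose rights we treat as "any local user" (SDDL abbreviations
# for the service DACL, account names for the file-system ACL).
$WeakSddlSids = @('WD', 'AU', 'BU', 'IU')   # Everyone, Authenticated Users, Users, Interactive
$WeakAccounts = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'NT AUTHORITY\INTERACTIVE')

function Get-IntelSurService {
    # Assumption: the display name contains "SUR QC SAM". Win32_Service exposes the
    # real service name, its start mode and the binary path.
    Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE '%SUR QC SAM%'" |
        Select-Object -First 1
}

function Test-ServiceStartableByLowPriv {
    param([Parameter(Mandatory)][string]$Name)
    # "sc sdshow" prints the service DACL as SDDL; in a service ACE the token RP is SERVICE_START.
    $sddl = (& sc.exe sdshow $Name | Out-String)
    foreach ($m in [regex]::Matches($sddl, '\(A;[^;]*;([^;]*);;;([^)]*)\)')) {
        $rights = $m.Groups[1].Value
        $who    = $m.Groups[2].Value
        if ($rights -match 'RP' -and $WeakSddlSids -contains $who) { return $true }
    }
    return $false
}

function Test-RootAllowsDirCreation {
    param([string]$Root = 'C:\')
    # CreateDirectories (AppendData) on the volume root is what lets a user create "C:\DLLs".
    $create = [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories
    foreach ($ace in (Get-Acl -Path $Root).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if (($WeakAccounts -contains $id) -and ((([int]$ace.FileSystemRights) -band $create) -ne 0)) {
            return $id
        }
    }
    return $null
}

function Invoke-DsaHijackAudit {
    $svc = Get-IntelSurService
    $report = [ordered]@{
        ServiceFound    = [bool]$svc
        ServiceName     = if ($svc) { $svc.Name } else { $null }
        StartMode       = if ($svc) { $svc.StartMode } else { $null }
        BinaryPath      = if ($svc) { $svc.PathName } else { $null }
        LowPrivCanStart = if ($svc) { Test-ServiceStartableByLowPriv -Name $svc.Name } else { $false }
        PyConfigPresent = Test-Path -LiteralPath $PyConfigPath
        RootWritableBy  = Test-RootAllowsDirCreation
        PlantedDlls     = @($DllProbePaths | Where-Object { Test-Path -LiteralPath $_ })
    }
    foreach ($p in $report.PlantedDlls) {
        # Neither location holds a python3.dll on a default install, so any file found here
        # deserves a look: record its hash and owner for the incident record.
        $report["Hash:$p"]  = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $report["Owner:$p"] = (Get-Acl -LiteralPath $p).Owner
    }
    [pscustomobject]$report
}

Invoke-DsaHijackAudit | Format-List
```

Run it from an elevated prompt so "sc sdshow" and Get-Acl on the root succeed. A host is exposed when the service is present, LowPrivCanStart is true and RootWritableBy names a low-privileged principal; a non-empty PlantedDlls list means the search location has already been populated and the file owner tells you which account did it. The script only reports; which interim measure to apply (for example, restricting who may start the service until a fixed version ships) is a local decision that the post does not prescribe.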