exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Intel Extreme Tuning Utility 6.4.1.23 Code Execution / Privilege Escalation

Intel Extreme Tuning Utility 6.4.1.23 Code Execution / Privilege Escalation
Posted Sep 28, 2018
Authored by Stefan Kanthak

Intel Extreme Tuning Utility version 6.4.1.23 suffers from code execution, privilege escalation, and denial of service vulnerabilities.

tags | exploit, denial of service, vulnerability, code execution
SHA-256 | 8ee640f811b6221313c74122f57a246a37deeed23bca3a80d265d6c2180dfcda

Intel Extreme Tuning Utility 6.4.1.23 Code Execution / Privilege Escalation

Change Mirror Download
Hi @ll,

the executable installer of the Intel Extreme Tuning Utility,
version 6.4.1.23 (Latest), released 5/18/2018, available from
<https://downloadmirror.intel.com/24075/eng/XTU-Setup.exe> via
<https://downloadcenter.intel.com/download/24075/Intel-Extreme-Tuning-Utility-Intel-XTU->
is (SURPRISE!) vulnerable.

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H


Vulnerability #0:
=================

The executable installer XTU-Setup.exe comes with at least two
OUTDATED and UNSUPPORTED runtime components from Microsoft, one
of which has known and long fixed vulnerabilities!

Component #1:
~~~~~~~~~~~~~

Microsoft SQL Server Compact 3.5 SP2 ENU

This is end-of-life since 4/10/2018; see
<https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft+SQL+Server+Compact+3.5>


Component #2:
~~~~~~~~~~~~~

Microsoft Visual C++ 2005 Runtime 8.0.50727.762

Visual C++ 2005 is end-of-life since 4/12/2016, more than TWO
years ago; see
<https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft+Visual+C%2B%2B+2005>

The latest Visual C++ 2005 Runtime is version 8.0.50727.4940,
published 4/12/2011, updated, 6/14/2011, i.e. SEVEN+ years ago.
See <https://support.microsoft.com/en-us/help/2467175>
and <https://support.microsoft.com/en-us/help/2538242/ms11-025-description-of-the-security-update-for-visual-c-2005-sp1-redi>

Also see
<https://support.microsoft.com/en-us/help/2977003/the-latest-supported-visual-c-downloads>
<https://support.microsoft.com/en-us/help/2661358/minimum-service-pack-levels-for-microsoft-vc-redistributable-packages>

The icing on the cake: XTU-Setup.exe tries to install the OUTDATED
and VULNERABLE Microsoft Visual C++ 2005 Runtime 8.0.50727.762 even
if a newer version is already installed!

That's a pretty good example for AWFUL BAD software engineering!


Vulnerability #1:
=================

The vcredist_x86.exe package included in XTU-Setup.exe and executed
by it was built with Wix toolset 3.6

See <http://seclists.org/bugtraq/2016/Jan/105>
and <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/>

I recommend to exercise ENHANCED INTERROGATIONS with Microsoft about
their SLOPPY attitude to software security: the fixes were released
about 2.5 years ago, in cooperation with Microsoft, FireGiant and me,
but Microsoft failed or was to lazy to update their installer packages.


Demonstrations/proof of concepts:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

These are for STANDARD installations of Windows, i.e. where the
user account created during Windows setup is used.
This precondition is met on typical installations of Windows:
according to Microsoft's own security intelligence reports, about
1/2 to 3/4 of the about 600 million Windows installations which
send telemetry data have only ONE active user account.
See <https://www.microsoft.com/security/sir>


A) for the arbitrary code execution with elevation of privilege
---------------------------------------------------------------

1. follow the instructions from
<https://skanthak.homepage.t-online.de/minesweeper.html>
and build the non-forwarding DLLDUMMY.DLL in your %TEMP%
directory;

2. create the following batch script:

--- wixstdba.cmd ---
:WIXSTDBA
@if not exist "%temp%\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll" goto :WIXSTDBA
copy "%TEMP%\dlldummy.dll" "%temp%\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll"
--- EOF ---

3. run the batch script per double click;

4. run XTU-Setup.exe: notice the message boxes displayed from the
WIXSTDBA.DLL copied into the subdirectory of %TEMP%.


B) for the denial of service
----------------------------

1. add the NTFS access control list entry (D;OIIO;WP;;;WD) meaning
"deny execution of files in this directory for everyone,
inheritable to all subdirectories" to the (user's) %TEMP%
directory.

NOTE: this does NOT need administrative privileges!

2. execute XTU-Setup.exe: notice the message box displaying the
failure of the installation about 3/4 way through.


STAY FAR AWAY FROM INTEL'S VULNERABLE CRAPWARE!


stay tuned
Stefan Kanthak


Timeline
~~~~~~~~

2017-09-04 vulnerability report sent to Intel

no answer, not even an acknowledgement of receipt

2018-03-22 vulnerability report resent to Intel

2018-05-18 updated installers published by Intel, but no security
advisory

2018-06-05 vulnerability report for the updated but still vulnerable
installers sent to Intel

2018-09-11 security advisory published by Intel:
<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00162.html>

2018-09-26 own security advisory published


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close