This blog post highlights a trivial privilege escalation vulnerability in Intel Driver & Support Assistant. Intel Driver & Support Assistant is an application for keeping drivers, firmware and software packages up-to-date on systems using Intel hardware.

When we first contacted Intel we were informed, that another researcher already had reported the same vulnerability. We were furthermore informed, that the vulnerability would be fixed in 60 days or sooner. Improsec’s Responsible Disclosure policy dictates a 90 day period for the security measures to be designed, developed, tested and implemented with customers before we publish information about the vulnerability, and that time has passed now.

During the 60 days several new versions of the application were released, from 20.5.20 to 20.8.30.6.

However the vulnerability is still present in the newest version.

CVE registered

CVE-2020-12302

Affected versions

20.5.20 at the time of discovery.

20.8.30.6 at the time of public disclosure.

Timeline

• 22/05/20 - Intel Product Security Incident Response Team is e-mailed with detailed description

• 22/05/20 - Intel Product Security Incident Response Team informs that they are investigating the issue.

• 08/06/20 - Intel Product Security Incident Response Team confirms the vulnerability and informs us that the vulnerability has been reported previously. The vulnerability is currently being mitigated.

• 10/06/20 - Intel Product Security Incident Response Team informs that a patch should be available within 60 days. CVE-2020-12302 has been allocated for the vulnerability.

• 26/08/20 – Vulnerability is disclosed without a patch.

Productpage

• http://www.intel.com/content/www/us/en/support/detect.html

• https://www.intel.com/content/www/us/en/support/intel-driver-support-assistant.html

Changelog

• https://www.intel.com/content/www/us/en/support/topics/idsa-faq.html

Walkthrough

Viewing the management rights for the service “Intel® SUR QC SAM” for “Everyone” on a default installation, showed that all users had the rights to start the service executable. By default, the service executable is set to “Manual” start-up type.

Starting the service with Windows built-in command line service program ”sc”.

During the start-up process the service executable tries to load a DLL called “python3.dll”, first from the root of the “C:\”-drive and then from the “C:\DLLs\” directory. Both fails as the file is non-existing. The executables automatically closes when it’s done processing (about 1-5 seconds after start).

The problem is likely caused by the file “pyconfig.h” in “C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\Include\” directory that defines search paths for the “python3.dll” file.

As even low privileged users by default has the rights to create directories in the root of “C:\”, any user can create the missing “DLLs” directory and place a malicious DLL-file called “python3.dll” in the directory.

Starting the services executable again will load the malicious DLL-file and execute our payload.

Sample code for payload DLL-file.