Intel, Please Stop Assisting Me

This post focuses on two vulnerabilities the CyberArk Labs team discovered in the Intel Support Assistant that affected the millions of Windows machines that run this software. The first vulnerability is an arbitrary file deletion, which is quite common among update-related programs, and the second is a simple full privilege escalation vulnerability that allows you to run code as NT AUTHORITY\SYSTEM.

These vulnerabilities have since been disclosed and Intel has issued a fix.

While both vulnerabilities can lead to a full privilege escalation, for the purposes of this blog we'll focus on the arbitrary delete vulnerability because it is a bit more complicated. We will also touch on the second, which is a trivial arbitrary write with arbitrary content vulnerability.

This is the fourth part of the research series – you can read part 1, part 2, part 3 and part 4 on the CyberArk Threat Research Blog.

TL;DR

Intel Support Assistant exposes the local Windows machine to privilege escalation, either by running non-privileged software or by going to https://www.intel.com/content/www/us/en/support/intel-driver-support-assistant.html.

Invoking the Service

The Intel Support Assistant, as its name states, is software designed to assist the local user in finding missing drivers and providing updates upon release. To do so, it must run in a privileged context so that it can install new software on the system. Hence, we should expect a service or some other kind of privileged software that will do this. Analyzing this further, the architecture is rather complicated. There are four processes, two services and two helper programs, that are responsible for the whole shebang.

Figure 1. Note the integrity level of the first two processes.

The first and most important service is the DSAService, which mainly acts as a manager. It is responsible for downloading the new software, installing drivers, and monitoring existing products.

Another privileged component is the DSAUpdateService, which runs and installs new patches, as we will discuss later.

The bottom two are responsible for user interaction. You, as a regular user, can run the DSATray.exe client, which will initiate the beginning of an update session on the local machine. Besides that, DSATray will launch the DSATray.exe process, which will open a browser window and display the following:

Figure 2. The DSATray.exe process opens this webpage in your browser.

Now, we have a scanning animation that will eventually indicate what software we need to install. But before this, DSAService starts looking for the currently installed drivers on our machine. It will check the version and see if we've missed some software or a patch. DSAService writes its status updates to a log directory (%programdata%\Intel\DSA), which it does extensively. This log directory isn't admin protected and is something that can be exploited (we'll show that in a bit).

Back to our browser, which, as a reminder, we can access as a regular user. Scanning the system for updates is the status quo with any support/update program, and all software that has this module of a privileged service communicating with a regular user program is prone to EoP bugs.

During our scan, I start my process monitor, filtering for the following:

Figure 3. Here's the filter that I used when checking Intel Support Assistant. Notice that I included many relevant operations for file manipulation attacks and the suffixes of the target path that are recorded.

Oddly, I see that DSAService.exe looks for some executables that resemble installers in a local folder inside my Downloads directory, which is, of course, not admin protected. The service checks if three files exist in the Intel Driver and Support Assistant directory.

Figure 4. DSAService looking for installations in Downloads.

It's a good strategy to look for missing files when you try to exploit file manipulation bugs (note the PATH NOT FOUND result).

Now, there is no reason for these executables to be there in the first place. Unless they're leftovers of a previous installation that was stopped in the middle for any reason, we can take advantage of this information by understanding that DSAService.exe or DSAUpdateService do file operations on files in an unprotected folder. Hopefully, we can cause these services either to create a file that's supposed to be there and redirect it to our liking, or to execute a binary as privileged software.

If we go back to the browser, we can see that I missed two updates – one for a WiFi driver and a second for a Bluetooth driver. It's easy to see that the CreateFile operations that ended up with PATH NOT FOUND on the missing binaries correspond to those we have on the webpage, besides the igfx-win10_100.7985.exe binary (and, admittedly, I have no clue why it's there considering it doesn't need to be updated according to my tests).

Figure 5. My poor PC needs these two.

If we try to make good with the software and press the Download all button, the DSAService tries again to find previous copies of the would-be updated software in the C:\Users\John\Downloads\Intel Driver and Support Assistant directory. But what happens if we put these missing files in this directory?

BUG 1, Arbitrary Delete

To understand why the service looks for these files and how it reacts if they exist or not, we should find answers in the binary. Luckily, every component of the Support Assistant client is written in .NET, which makes my job considerably easier. My rule of thumb when "reversing" .NET applications is always to look in the DLLs the application loads and focus on controllers with promising names like DSAServiceCore.Controllers.Network or DSAServiceCore.Controllers.Stream.

In there, we can find many useful methods like IsUpdateAlreadyDownloaded as well as a method called Download.

Let's take a look at how the Download method of DSAService works:

// Decompiled DSAService Download method (spun identifiers restored); this is the vulnerable code as shipped.
HttpWebRequest httpWebRequest = (HttpWebRequest)WebRequest.Create(this._downloadInfo.DownloadUrl);
Global.Download.AddUserAgentToHttpWebRequest(httpWebRequest);

if (!SecurityController.ValidateHttpWebRequest(httpWebRequest))
{
    this.DownloadState = DownloadState.Failed;
    if (this.DownloadStopped != null)
    {
        Global.Logging.TraceError(string.Format("The Request URL ({0}) for driver {1} is invalid. Can't download.", this._downloadInfo.DownloadUrl, this._downloadInfo.RecordId), base.GetType(), "Download");
        this.DownloadStopped(this, new DownloadStoppedRestEventArgs(this._downloadInfo.RecordId, DownloadState.Failed));
    }
    this.DownloadThreadExitedEvent.Set();
}
else
{
    // Target path is built from a download directory under the user's profile, which is not admin protected.
    string text = Path.Combine(this._downloadDirectory, this._downloadInfo.FileName);
    FileSystemSafetyController fileSystemSafetyController = new FileSystemSafetyController(new FileSystemController());
    if (fileSystemSafetyController.IsFileSafe(text) != PathSafetyEnum.SafeFile)
    {
        try
        {
            // Any "unsafe" verdict (including JunctionPoint) leads straight to a delete, running as SYSTEM without impersonation.
            if (File.Exists(text))
            {
                File.Delete(text);
            }
        }
        catch
        {
        }
        if (fileSystemSafetyController.IsFileSafe(text) != PathSafetyEnum.SafeFile)
        {
            throw new Exception(text + " is not safe");
        }
    }
}

At the beginning of the try block, we can see the service communicates with the download server, which is a mirror site that hosts the downloads. If it succeeds in downloading the payload, which it shouldn't have any problem doing, it goes to the else block and then performs an interesting call to a method named IsFileSafe with one argument: the path of the would-be written binary on disk.

public PathSafetyEnum IsFileSafe(string path)
{
    if (string.IsNullOrEmpty(path))
    {
        throw new ArgumentException();
    }
    if (this._fileSystem.JunctionPointExists(path))
    {
        return PathSafetyEnum.JunctionPoint;
    }
    if (this._fileSystem.DirectoryExists(path))
    {
        return PathSafetyEnum.FileIsDirectory;
    }
    PathSafetyEnum pathSafetyEnum = this.IsDirectorySafe(Path.GetDirectoryName(path));
    if (pathSafetyEnum != PathSafetyEnum.SafeDirectory)
    {
        return pathSafetyEnum;
    }
    if (this._fileSystem.FileExists(path))
    {
        if (this._fileSystem.FileIsSymbolicLink(path))
        {
            return PathSafetyEnum.FileSymbolicLink;
        }
        if (this._fileSystem.FileHasReparsePoint(path))
        {
            return PathSafetyEnum.FileReparsePoint;
        }
        if (this._fileSystem.FileHasHardLinks(path))
        {
            return PathSafetyEnum.FileHardLink;
        }
    }
    return PathSafetyEnum.SafeFile;
}

The text argument to this function is the path that will be used when the service writes the payload to disk. It now goes through a series of checks that are meant to make sure it's a "safe" place to write to.

In our case, if we create an NTFS mount point or a junction (it doesn't really matter which), this method will return the value PathSafetyEnum.JunctionPoint.

The return value PathSafetyEnum.JunctionPoint is, of course, different from PathSafetyEnum.SafeFile. This will cause the program to enter the if statement (Code Snippet 2), which checks if the file exists; if it does, then it deletes it, no questions asked.

So basically, we can reliably get into a code path that allows us to delete an arbitrary file.

What DSAService does to accomplish this is delete previous instances of the would-be-updated drivers. It does this to make "room" for the newer version before downloading into its downloads folder. This by itself is an okay thing to do, but the whole downloading process is done without impersonating the local user, which is very helpful in terms of EoP, but also problematic.

We can see here that if we do a simple combo of a mount point to \RPC Control + an object manager symlink, we get the arbitrary delete vulnerability. If you wish to read more about the attack, you can read my previous blog here.

Figure 6. Delete file in place.

Here, we can see DSAService opens the file for reading and checks its content to know if this "driver" is up to date. In our case, it's not a driver, just a simple file inside the protected directory C:\Windows. The service continues by deleting this file before trying to download a newer one.

Figure 7.

Imagine malware using this primitive to delete files as NT AUTHORITY\SYSTEM. It could create a copy of protected files, encrypt them, then delete the original ones with high privileges – all potentially undetected by anti-malware solutions since it doesn't involve code injection. Also, this would be done by a trusted, signed Intel service, which gives even fewer reasons to suspect anything malicious. While spawning a system shell with only an arbitrary delete vulnerability isn't reliable for privilege escalation, it can still work in combination with other primitives.

Race Condition

But wait, can't we use the WriteFile operation for an arbitrary file creation attack? The Download method will surely delete any existing file, but if the file doesn't exist, as in the case of targeting a new file, it should create a new one, right?

It turns out we can win here – the service will do a delete operation followed by a call to the IsFileSafe method on the desired download path, which will return PathSafetyEnum.JunctionPoint again.

Now, if the file doesn't exist and it's not a junction of any kind, then the service will start writing the payload from memory to disk, which leads to a TOCTOU problem.

If we can create a mount point + symlink after the check, then we will reach the code path that creates the new to-be-installed file.

How can we do it? By using OpLocks, of course. But don't get too excited. After winning the race condition, the ACL of the payload isn't permissive. This means we can create arbitrary files in arbitrary locations, but we can't change the content of the files. This is great for denial of service attacks, creating files that bugcheck the system upon reboot (there are tons out there), but it doesn't help us get a system shell.

Figure 8.

Bug 2, A Shared Resource = System Shell

During this installation frenzy, I noticed some odd behavior: DSAService.exe was writing and updating a bunch of files inside C:\ProgramData\Intel\DSA. The first thing I did was to check the permission level of this DSA directory. It turns out this directory and its parent directory are not admin-ACLed. Therefore, any service that does an I/O operation on files inside can be exploited by either a symlink attack or DLL hijacking. If you are interested in hearing how I discovered these kinds of bugs and how to exploit them automatically, you can take a look at a talk I gave at HITB 2020 (Lockdown edition this year).

In our case, we focused on one of a bunch of shared files that are handled by the Intel Support Assistant software pack. This is an XML file called DXDiag.xml. What's so special about this file, among the other files that reside in C:\ProgramData\Intel\DSA? This file is handled both by the process DSAService.exe and by DSATray.exe. Because of this, the XML file DXDiag.xml has to have permissive permissions on it. By itself, this isn't a bad thing, but the service does a write file operation on it, again not in an impersonated thread, and this time it doesn't call the IsFileSafe method before doing the write operation.

Figure 9.

Arbitrary Write With Arbitrary Content

As you can see, we can redirect this write file operation done by the service into an arbitrary create and write. After that, it is just a matter of creating a mount point to \RPC Control and a symlink from DXDiag.xml to C:\Windows\ext.dll. Continue by pressing "Rescan" on the web interface, and you are golden. In order to decide which arbitrary DLL name you want to pick, just choose one of the many options you have among the missing DLLs the system tries to load. For more reading on this topic, take a look at this blog from itm4n or this one by James Forshaw.

Kernel Level Mitigation

For security vendors out there, if you have a kernel mini-filter driver, you can prevent the CreateFile operation from following the symlink by specifying (to some extent) IO_STOP_ON_SYMLINK in the Options argument of the IoCreateFile routine. Oddly, this flag can only be used from kernel mode and I haven't seen it being used by any drivers so far.

Driver developers can also check whether the symlink object in the object manager points to a user-writable path in order to tell if this symlink was created for nefarious purposes. I am waiting to see the first AV/EDR solutions that use this to block this file-system attack.

Wrapping Up

There are two root causes of these bugs that are easy to fix. The first one is about knowing the default permission levels on directories in Windows. Privileged software must validate its destination path and make sure that the file being edited is admin protected. The second is that we need to understand that client-service relationships are potentially troublesome and need to be handled with care.
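As an added example, not Intel's code or its fix, here is the destination-path check this root cause calls for, written in C# against the same .NET file APIs the service uses: before the delete-then-download step of the Download method above, the service walks the target directory chain and refuses if any component is a reparse point or grants write-like rights to anyone other than SYSTEM and Administrators, then creates the file with FileMode.CreateNew so nothing planted between check and write is followed (the same check would have flagged the DXDiag.xml write under C:\ProgramData\Intel\DSA). The class and method names are assumptions; it relies on System.IO and System.Security.AccessControl on Windows.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Hypothetical guard (added example, not Intel's code) for a service running as SYSTEM.
public static class DownloadTargetGuard
{
    // Rights that let a principal plant, replace, or relink a file in a directory.
    private const FileSystemRights WriteLike =
        FileSystemRights.WriteData | FileSystemRights.AppendData |             // create files / subdirs
        FileSystemRights.Delete | FileSystemRights.DeleteSubdirectoriesAndFiles |
        FileSystemRights.WriteAttributes | FileSystemRights.WriteExtendedAttributes |
        FileSystemRights.ChangePermissions | FileSystemRights.TakeOwnership;
    // Only these may hold write-like rights (extend with TrustedInstaller etc. if needed).
    private static readonly SecurityIdentifier[] Trusted =
    {
        new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null),
        new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null),
    };

    // True only if every directory up to the volume root is reparse-point free and admin-writable only.
    public static bool IsAdminProtected(string directory)
    {
        for (var dir = new DirectoryInfo(Path.GetFullPath(directory)); dir != null; dir = dir.Parent)
        {
            // A junction or mount point anywhere on the chain lets a user redirect the whole path.
            if (!dir.Exists || (dir.Attributes & FileAttributes.ReparsePoint) != 0) return false;
            var rules = dir.GetAccessControl().GetAccessRules(true, true, typeof(SecurityIdentifier));
            foreach (FileSystemAccessRule rule in rules)
            {
                if (rule.AccessControlType != AccessControlType.Allow) continue;
                if ((rule.FileSystemRights & WriteLike) == 0) continue;
                if (Array.IndexOf(Trusted, (SecurityIdentifier)rule.IdentityReference) < 0) return false;
            }
        }
        return true;
    }

    // Replacement for the IsFileSafe/File.Delete step: refuse unprotected directories outright.
    public static FileStream OpenDownloadTarget(string directory, string fileName)
    {
        if (fileName != Path.GetFileName(fileName))
            throw new ArgumentException("file name must not contain path separators");
        if (!IsAdminProtected(directory))
            throw new UnauthorizedAccessException(directory + " is user-writable; refusing to write as SYSTEM");
        string target = Path.Combine(directory, fileName);
        if (File.Exists(target))
        {
            // Stale copy of an earlier download; users cannot plant links or hard links in a directory they cannot write to.
            if ((File.GetAttributes(target) & FileAttributes.ReparsePoint) != 0)
                throw new IOException(target + " is a reparse point");
            File.Delete(target);
        }
        // CreateNew + FileShare.None: fail rather than follow anything created between check and write.
        return new FileStream(target, FileMode.CreateNew, FileAccess.Write, FileShare.None);
    }
}
```

Pointing the service at a directory that fails IsAdminProtected (a folder under the user's profile, or C:\ProgramData\Intel\DSA with its default ACL) makes it refuse before any delete, which is the behaviour the wrap-up asks for.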

You may also want to take a look at CVE-2020-5316, a vulnerability in Dell SupportAssist, which is also privileged software responsible for automatic updates of millions of computers. In this case, the vulnerability is due to a service that looked for a DLL in a place it wasn't supposed to. It is for this reason that these services are quite good candidates for file manipulation attacks and a great way for attackers to escalate their privileges.

Disclosure Timeline

July 21, 2019 – Vulnerabilities reported to Intel

July 23, 2019 – Intel opened a case, 2208036168

October 7, 2019 – Intel reproduced the vulnerabilities and confirmed that a patch will be released in Q2 2020

November 2019 – July 2020 – Continued communication with Intel inquiring about status

July 9, 2020 – Intel provides the official patch release date, November 10, 2020

November 10, 2020 – Patch released & CVE issued – CVE-2020-22460

*** This is a Security Bloggers Network syndicated blog from CyberArk authored by Eran Shimony. Read the original post at: https://www.cyberark.com/threat-research-blog/intel-please-stop-assisting-me/

