Intel Patches Security Flaws in Processor Diagnostic Tool
12.7.18 securityweek Vulnerebility
Intel has updated its Processor Diagnostic Tool to address vulnerabilities that could lead to arbitrary code execution and escalation of privileges.
The Intel Processor Diagnostic Tool (IPDT) is a piece of software designed to verify the functionality of an Intel processor. It can check for brand identification and operating frequency, test specific features, and perform a stress test on the processor.
The recently addressed vulnerabilities (two of which are tracked as CVE-18-3667 and CVE-18-3668) were found by Stephan Kanthak and affect the IPDT releases up to v4.1.0.24, Intel reveals.
Kanthak says he found a total of four vulnerabilities in the executable installers of Intel’s tool, three of which would lead to arbitrary code execution with escalation of privilege, and a fourth that could lead to denial of service.
The security flaws can be exploited in standard Windows installations where a user UAC-protected administrator account that is created during Windows setup is used, without elevation.
“This precondition holds for the majority of Windows installations: according to Microsoft's own security intelligence reports <https://www.microsoft.com/security/sir>, about 1/2 to 3/4 of the about 600 million Windows installations which send telemetry data have only ONE active user account,” Kanthak points out.
The issue is that the IPDT installer creates three files with improper permissions, thus opening the door to said vulnerabilities.
One issue was that the installer created a randomly named folder in the %TEMP% directory, copied itself into it, and then executed the copy. Because the folder and the copy inherit the NTFS access control list from %TEMP%, once execution of files from that directory is denied, the installer would fail to execute.
Another issue was that the copy of the executable self-extractor would run with administrative privileges, but the extracted payloads (the installers setup.exe and setup64.exe, and the batch script setup.bat) are dropped unprotected into the user's %TEMP% directory. The copy would also change directory to %TEMP% and execute the batch script %TEMP%\setup.bat.
“The extracted files inherit the NTFS ACLs from their parent %TEMP%, allowing ‘full access’ for the unprivileged (owning) user, who can replace/overwrite the files between their creation and execution. Since the files are executed with administrative privileges, this vulnerability results in arbitrary code execution with escalation of privilege,” the researcher notes.
Because setup.bat calls setup.exe and setup64.exe without a path, the command processor starts searching for the files via %PATH% as it does not find them in the current working directory.
In Windows Vista and newer, however, it is possible to remove the current working directory from the executable search path and an unprivileged user, who is in full control of %PATH%, can replace the two files with rogue ones in an arbitrary directory they add to %PATH%, which results in arbitrary code execution with escalation of privilege.
The researcher also discovered that the two setup executables also load multiple Windows system DLLs from their "application directory" in the %TEMP% folder, instead of using those in Windows' "system directory."
“An unprivileged attacker running in the same user account can copy rogue DLLs into %TEMP%; these are loaded and their DllMain() routine executed with administrative privileges, once more resulting in arbitrary code execution with escalation of privilege,” the researcher points out.
The issues were reported to Intel in May and the company updated the installer the same month, but information on the vulnerabilities was not released until last week. Intel Processor Diagnostic Tool v4.1.0.27 resolves all of the above issues.