Technical Advisory: Intel Driver Support & Assistance – Local Privilege Escalation

Vendor: Intel
Vendor URL: http://www.intel.com/
Versions affected: Intel Driver Support Assistance prior to version 19.4.18
Systems Affected: Microsoft Windows
Author: Richard Warren <richard.warren[at]nccgroup[dot]com>
Advisory URL / CVE Identifier: CVE-2019-11114
Risk: Medium

Summary

This vulnerability allows a low privileged user to escalate their privileges to SYSTEM.

Location

Intel Driver Support Assistance – DSAService (DSACore.dll)

Impact

Upon successful exploitation, arbitrary file read and write as SYSTEM is achieved, leading to local privilege escalation.

Details

The Intel Driver Support Assistant software, which allows users to update drivers and software on Intel-based machines, suffers from a number of logic-based issues that result in arbitrary file read and write as SYSTEM. A low-privileged local attacker can exploit these to achieve local privilege escalation.

The Intel Driver Support Assistant (DSA) software service (DSAService) runs under the highly privileged SYSTEM account. DSAService runs an HTTP REST server on a TCP port in the range 28380-28384 (for HTTPS) or 28385-28389 (for HTTP) so that the web browser can communicate with the DSA service when carrying out updates.

DSA also contains a component called DSATray, which runs as a low-privileged child process of DSAService. DSATray allows the user to change certain settings within DSA, such as the logging and downloads directories, which specify where DSA will download driver installers and where DSAService will store its log files. So that the low-privileged DSATray process can communicate these settings to the higher-privileged service, DSAService exposes a WCF service over a named-pipe instance. This named pipe grants read and write access to Everyone, so no particular privilege is required to communicate with it, as shown below:

>pipelist.exe

PipeList v1.02 - Lists open named pipes
Copyright (C) 2005-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Pipe Name                                   Instances  Max Instances
---------                                   ---------  -------------
--SNIP--
7adb97bb-ffbe-468a-8859-6b3b63f7e418        8          -1

>accesschk.exe \pipe\7adb97bb-ffbe-468a-8859-6b3b63f7e418

Accesschk v6.12 - Reports effective permissions for securable objects
Copyright (C) 2006-2017 Mark Russinovich
Sysinternals - www.sysinternals.com

\\.\Pipe\7adb97bb-ffbe-468a-8859-6b3b63f7e418
  RW Everyone
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
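Listings like the one above are easy to skim past in a long accesschk run. The following Python snippet is added here as an illustration (it is not part of the advisory, NCC Group's tooling or Intel's software): it parses accesschk-style output and flags every object that a broad, low-privileged principal such as Everyone or BUILTIN\Users can write to, which is exactly the condition that makes the DSA named pipe reachable from any account. The sample text is constructed from the listings in this advisory; the banner prefixes and the list of low-privileged principals are assumptions for the illustration.

```python
"""Flag securable objects that low-privileged principals can write.

Added triage helper for this advisory, not part of NCC Group's or Intel's
tooling. It reads the text that Sysinternals accesschk.exe prints (an
object path on its own line, followed by "<R|W|RW> <principal>" lines)
and reports objects writable by broad principals such as Everyone.
"""
import re

# Principals every local or interactive account belongs to (assumed list for
# this illustration; extend it to match the environment being audited).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# accesschk prints each ACE as an access token (R, W or RW) then the principal.
ACE_RE = re.compile(r"^\s*(RW|R|W)\s+(\S.*?)\s*$")
# Banner lines to skip (assumed prefixes, matching the accesschk v6.12 banner).
BANNER_PREFIXES = ("Accesschk v", "Copyright (C)", "Sysinternals -")


def parse_accesschk(text):
    """Return {object_path: [(access, principal), ...]} from accesschk output."""
    objects = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(BANNER_PREFIXES):
            continue
        ace = ACE_RE.match(line)
        if ace and current is not None:
            objects[current].append((ace.group(1), ace.group(2)))
        else:
            current = line.strip()  # any other non-empty line names a new object
            objects[current] = []
    return objects


def writable_by_low_priv(objects):
    """Return sorted (object, principal) pairs where a low-privileged
    principal holds write access. RW for Everyone on a named pipe is the
    condition this advisory describes; the log files, by contrast, only
    grant R to BUILTIN\\Users and are not flagged."""
    findings = []
    for obj, aces in objects.items():
        for access, principal in aces:
            if "W" in access and principal.lower() in LOW_PRIV_PRINCIPALS:
                findings.append((obj, principal))
    return sorted(findings)


# Constructed sample, assembled from the listings in this advisory.
SAMPLE = r"""Accesschk v6.12 - Reports effective permissions for securable objects
Copyright (C) 2006-2017 Mark Russinovich
Sysinternals - www.sysinternals.com

\\.\Pipe\7adb97bb-ffbe-468a-8859-6b3b63f7e418
  RW Everyone
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
C:\ProgramData\Intel\DSA\Service.log
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  R  BUILTIN\Users
C:\ProgramData\Intel\DSA\Tray.log
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  RW DESKTOP-HOHGEL9\bob
  R  BUILTIN\Users
"""

if __name__ == "__main__":
    for obj, who in writable_by_low_priv(parse_accesschk(SAMPLE)):
        print(f"WRITABLE by {who}: {obj}")
```

Feed it the saved output of `accesschk.exe -w \pipe\*` (or of a directory scan) instead of SAMPLE to audit a whole machine; a specific user such as DESKTOP-HOHGEL9\bob having RW on their own Tray.log is expected and is deliberately not reported.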

The log folder can be reconfigured by a low privileged user, either via the DSATray GUI itself, or via the SetLogDirectory WCF method.

Under normal circumstances, the DSA log files are not writable by a low-privileged user (as shown below). However, because a low-privileged user can set a custom log directory, these permissions can be bypassed simply by changing the log directory setting.

>accesschk.exe C:\ProgramData\Intel\DSA

Accesschk v6.12 - Reports effective permissions for securable objects
Copyright (C) 2006-2017 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\ProgramData\Intel\DSA\Service.log
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  R  BUILTIN\Users
C:\ProgramData\Intel\DSA\Service.log.bak
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  R  BUILTIN\Users
C:\ProgramData\Intel\DSA\Tray.log
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  RW DESKTOP-HOHGEL9\bob
  R  BUILTIN\Users
C:\ProgramData\Intel\DSA\UpdateService.log
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  R  BUILTIN\Users

Finally, in vulnerable versions DSAService does not impersonate the logged-on user before writing to its log file(s), nor does it check whether the log directory contains symbolic links. If an attacker points the log directory at a directory they can write to, they can use a symlink, mount point or hard link to read or write arbitrary files. Combined with log poisoning, this leads to local privilege escalation.

Arbitrary file read can be achieved by creating a hard link from Detailed-System-Report.html to the file the attacker wishes to read, and then calling the “report/save” REST method on the DSAService local REST server. The content of the target file will be returned within the HTTP response.

Arbitrary file write can be achieved by creating a symlink chain (using James Forshaw’s CreateSymlink.exe tool) that points the System.log file at a file of the attacker’s choice, switching the log directory, and then sending arbitrary content to the DSAService local REST server. Any content sent in the POST request is logged verbosely to System.log. Combined with other vectors, this can result in code execution as SYSTEM.

NCC Group provided a proof of concept exploit demonstrating the above vulnerability to Intel on the 23rd of April 2019.

Intel released DSA version 19.4.18 on May 15th 2019. This updated version of the software adds a number of new checks:

  • DSACore!GenerateHtmlReport now checks whether the file is a Symbolic/Hardlink.
  • A new check is added to DSACore!IsValidDirectory which is called when the log directory is set.
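The class of check the fix describes, as an added illustration that is not Intel's DSACore code: a portable Python version of link-safe log-directory validation and log-file opening for a service that writes logs with high privilege. It assumes the service only accepts log directories beneath a base directory it owns (allowed_root), rejects any link in the path below that base, refuses log files with more than one hard link, and opens log files without following symbolic links. The temporary directory layout in run_demo() is constructed for the illustration. On Windows, os.lstat additionally reports junctions and mount points through st_reparse_tag, which the same component walk checks; on POSIX only the symlink and hard-link cases are exercised.

```python
"""Link-safe log directory validation and log-file opening.

Added illustration for this advisory (not Intel's DSACore code): the checks
a SYSTEM service needs before writing to a log location that a
low-privileged user may have chosen. Constructed scenario in run_demo().
"""
import errno
import os
import stat
import tempfile


class UnsafeLogPath(Exception):
    """Raised when a log directory or file must not be used."""


def _first_link_component(path, root):
    """Return the first component of `path` below `root` that is a symbolic
    link (or, on Windows, any reparse point: junction, mount point), else None."""
    rel = os.path.relpath(path, root)
    if rel == os.curdir:
        return None
    cur = root
    for part in rel.split(os.sep):
        cur = os.path.join(cur, part)
        st = os.lstat(cur)  # lstat inspects the link itself, not its target
        if stat.S_ISLNK(st.st_mode) or getattr(st, "st_reparse_tag", 0):
            return cur
    return None


def validate_log_directory(candidate, allowed_root):
    """Return a canonical log directory inside allowed_root, or raise.

    This is the "is this directory valid?" style check the fix describes:
    the directory must stay inside the service-owned base and no component
    beneath that base may be a link.
    """
    root = os.path.realpath(allowed_root)
    cand = os.path.normpath(os.path.join(root, candidate))  # absolute input wins
    if os.path.commonpath([root, cand]) != root:
        raise UnsafeLogPath(f"{candidate!r} escapes {allowed_root!r}")
    if not os.path.isdir(cand):
        raise UnsafeLogPath(f"{candidate!r} is not a directory")
    link = _first_link_component(cand, root)
    if link is not None:
        raise UnsafeLogPath(f"{link!r} is a link; refusing to log beneath it")
    return cand


def open_log_file(log_dir, name):
    """Open `name` inside a validated log_dir for appending and return an fd.

    Refuses symbolic links (O_NOFOLLOW where available, plus an lstat
    comparison of what was actually opened) and files with extra hard links.
    """
    if name in ("", os.curdir, os.pardir) or os.path.basename(name) != name:
        raise UnsafeLogPath("log file name must be a bare file name")
    path = os.path.join(log_dir, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o640)
    except OSError as exc:
        if exc.errno == errno.ELOOP:  # O_NOFOLLOW refused a symbolic link
            raise UnsafeLogPath(f"{path!r} is a symbolic link") from exc
        raise
    try:
        opened, on_disk = os.fstat(fd), os.lstat(path)
        if stat.S_ISLNK(on_disk.st_mode) or not stat.S_ISREG(opened.st_mode):
            raise UnsafeLogPath(f"{path!r} is not a regular file")
        if (opened.st_dev, opened.st_ino) != (on_disk.st_dev, on_disk.st_ino):
            raise UnsafeLogPath(f"{path!r} changed while being opened")
        if opened.st_nlink != 1:  # a hard link to a victim file shows up here
            raise UnsafeLogPath(f"{path!r} has {opened.st_nlink} hard links")
    except BaseException:
        os.close(fd)
        raise
    return fd


def _rejected(action):
    """True if `action` raised UnsafeLogPath."""
    try:
        action()
    except UnsafeLogPath:
        return True
    return False


def run_demo():
    """Constructed scenario: report which locations the checks accept."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "DSA")             # service-owned base directory
        logs = os.path.join(root, "logs")
        user_area = os.path.join(base, "user_area")  # directory outside the base
        for d in (logs, user_area):
            os.makedirs(d)
        victim = os.path.join(base, "victim.txt")    # file the service must never touch
        with open(victim, "w") as fh:
            fh.write("secret\n")

        results["plain_dir"] = validate_log_directory(logs, root) == os.path.realpath(logs)
        results["escape"] = _rejected(lambda: validate_log_directory(
            os.path.join(root, os.pardir, "user_area"), root))
        os.symlink(user_area, os.path.join(root, "redirect"), target_is_directory=True)
        results["symlink_dir"] = _rejected(lambda: validate_log_directory(
            os.path.join(root, "redirect"), root))

        fd = open_log_file(logs, "Service.log")
        os.write(fd, b"ok\n")
        os.close(fd)
        results["plain_file"] = os.path.getsize(os.path.join(logs, "Service.log")) == 3
        os.link(victim, os.path.join(logs, "System.log"))
        results["hardlink_file"] = _rejected(lambda: open_log_file(logs, "System.log"))
        os.symlink(victim, os.path.join(logs, "Tray.log"))
        results["symlink_file"] = _rejected(lambda: open_log_file(logs, "Tray.log"))
        with open(victim) as fh:
            results["victim_untouched"] = fh.read() == "secret\n"
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check:16} {'ok' if outcome else 'FAIL'}")
```

The two halves address the two halves of the bug: validate_log_directory is what a SetLogDirectory-style setter should call before accepting a path from a low-privileged client, and open_log_file is what the privileged writer should use so that a link planted between validation and the write is still caught. Impersonating the requesting user for the write, which the advisory also notes was missing, is a complementary control on Windows that this portable snippet does not show.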

Recommendation

Upgrade to Intel DSA version 19.4.18 or newer.

Vendor Communication

April 23, 2019: Vulnerability disclosed to Intel
April 23, 2019: Confirmation of receipt from Intel
April 30, 2019: Intel confirms the issue has been reproduced and that a fix is being worked on
May 14, 2019: Intel releases DSA version 19.4.18, addressing the issue reported
May 14, 2019: Checked with Intel that CVE-2019-11114 definitely correlates to the LPE vulnerability reported to them.
May 14, 2019: Intel confirmed CVE-2019-11114 is the correct CVE for the issue reported.
May 15, 2019: NCC Group advisory released

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.