
Intel Patches Security Flaws in Processor Diagnostic Tool

Intel has updated its Processor Diagnostic Tool to address vulnerabilities that could lead to arbitrary code execution and escalation of privileges.


The Intel Processor Diagnostic Tool (IPDT) is a piece of software designed to verify the functionality of an Intel processor. It can check for brand identification and operating frequency, test specific features, and perform a stress test on the processor.

The recently addressed vulnerabilities (two of which are tracked as CVE-2018-3667 and CVE-2018-3668) were found by Stephan Kanthak and affect the IPDT releases up to v4.1.0.24, Intel reveals.

Kanthak says he found a total of four vulnerabilities in the executable installers of Intel’s tool, three of which would lead to arbitrary code execution with escalation of privilege, and a fourth that could lead to denial of service.

The security flaws can be exploited in standard Windows installations where the UAC-protected administrator account created during Windows setup is used, without elevation.

“This precondition holds for the majority of Windows installations: according to Microsoft’s own security intelligence reports <https://www.microsoft.com/security/sir>, about 1/2 to 3/4 of the about 600 million Windows installations which send telemetry data have only ONE active user account,” Kanthak points out.

The issue is that the IPDT installer creates three files with improper permissions, thus opening the door to said vulnerabilities.

One issue was that the installer created a randomly named folder in the %TEMP% directory, copied itself into it, and then executed the copy. Because the folder and the copy inherit the NTFS access control list from %TEMP%, once execution of files from that directory is denied, the installer would fail to execute.


Another issue was that the copy of the executable self-extractor would run with administrative privileges, but the extracted payloads (the installers setup.exe and setup64.exe, and the batch script setup.bat) are dropped unprotected into the user’s %TEMP% directory. The copy would also change directory to %TEMP% and execute the batch script %TEMP%\setup.bat.

“The extracted files inherit the NTFS ACLs from their parent %TEMP%, allowing ‘full access’ for the unprivileged (owning) user, who can replace/overwrite the files between their creation and execution. Since the files are executed with administrative privileges, this vulnerability results in arbitrary code execution with escalation of privilege,” the researcher notes.

Because setup.bat calls setup.exe and setup64.exe without a path, the command processor starts searching for the files via %PATH% as it does not find them in the current working directory.

In Windows Vista and newer, however, it is possible to remove the current working directory from the executable search path. An unprivileged user, who is in full control of %PATH%, can then replace the two files with rogue ones in an arbitrary directory they add to %PATH%, which results in arbitrary code execution with escalation of privilege.

The researcher also discovered that the two setup executables load multiple Windows system DLLs from their “application directory” in the %TEMP% folder, instead of using those in Windows’ “system directory.”

“An unprivileged attacker running in the same user account can copy rogue DLLs into %TEMP%; these are loaded and their DllMain() routine executed with administrative privileges, once more resulting in arbitrary code execution with escalation of privilege,” the researcher points out.

The issues were reported to Intel in May and the company updated the installer the same month, but information on the vulnerabilities was not released until last week. Intel Processor Diagnostic Tool v4.1.0.27 resolves all of the above issues.
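The three code-execution conditions described above (an elevated binary started from %TEMP%, an elevated command processor working in %TEMP%, and DLLs loaded from %TEMP% by an elevated process) can be hunted for in process telemetry. The following is an added example, not code from Intel, Kanthak or SecurityWeek; it assumes Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records reduced to dictionaries, the default per-user %TEMP% path, and constructed sample events.

```python
import re

# Assumption: default per-user %TEMP% location on Windows Vista and newer.
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
ELEVATED = {"High", "System"}  # integrity levels treated as privileged

def in_user_temp(path):
    """True when path is, or lies below, a user's %TEMP% directory."""
    return bool(USER_TEMP.match((path or "").rstrip("\\") + "\\"))

def find_temp_elevation(events):
    """Return (rule, process image, detail) for each risky event."""
    elevated = {}   # ProcessGuid -> Image of processes created elevated
    findings = []
    for ev in events:
        guid, image = ev.get("ProcessGuid"), ev.get("Image", "")
        if ev.get("EventID") == 1:                    # process creation
            if ev.get("IntegrityLevel") not in ELEVATED:
                continue
            elevated[guid] = image
            if in_user_temp(image):
                findings.append(("elevated-exec-from-temp", image, image))
            elif in_user_temp(ev.get("CurrentDirectory")):
                findings.append(("elevated-cwd-in-temp", image,
                                 ev["CurrentDirectory"]))
        elif ev.get("EventID") == 7:                  # image (DLL) load
            loaded = ev.get("ImageLoaded", "")
            if guid in elevated and in_user_temp(loaded):
                findings.append(("elevated-dll-from-temp", image, loaded))
    return findings

# Constructed sample events; names, GUIDs and paths are illustrative only.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "IntegrityLevel": "High",
     "Image": TEMP + r"\rnd1234\installer-copy.exe", "CurrentDirectory": TEMP},
    {"EventID": 1, "ProcessGuid": "{B}", "IntegrityLevel": "High",
     "Image": r"C:\Windows\System32\cmd.exe", "CurrentDirectory": TEMP + "\\"},
    {"EventID": 7, "ProcessGuid": "{A}", "ImageLoaded": TEMP + r"\example.dll",
     "Image": TEMP + r"\rnd1234\installer-copy.exe"},
    {"EventID": 7, "ProcessGuid": "{A}", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Image": TEMP + r"\rnd1234\installer-copy.exe"},
    {"EventID": 1, "ProcessGuid": "{C}", "IntegrityLevel": "Medium",
     "Image": TEMP + r"\updater.exe", "CurrentDirectory": TEMP},
]

if __name__ == "__main__":
    for rule, image, detail in find_temp_elevation(SAMPLE_EVENTS):
        print(f"{rule}: {image} -> {detail}")
```

The medium-integrity process and the DLL loaded from the system directory produce no finding; only the privileged use of user-writable %TEMP% content is reported.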


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
