Intel has updated its Processor Diagnostic Tool to address flaws that could lead to arbitrary code execution and escalation of privilege. The Intel Processor Diagnostic Tool (IPDT) is a piece of software designed to verify the functionality of an Intel processor. It can check for brand identification and operating frequency, test specific features, and perform a stress test on the processor.

Intel says that Stefan Kanthak discovered the newly disclosed flaws, two of which are tracked as CVE-2018-3667 and CVE-2018-3668, and which affect IPDT releases up to v4.1.0.24. Kanthak further states that he found a total of four flaws in the tool's executable installers, three of which could lead to arbitrary code execution with escalation of privilege, and a fourth that could lead to denial of service.

The security vulnerabilities can be exploited in standard Windows installations where the UAC-protected administrator account created during Windows setup is used, without elevation.

“This precondition holds for the majority of Windows installations: according to Microsoft’s own security intelligence reports <https://www.microsoft.com/security/sir>, about 1/2 to 3/4 of the about 600 million Windows installations which send telemetry data have only ONE active user account,” Kanthak points out.

The problem is that the IPDT installer creates three files with improper permissions, thus opening the door to said flaws. One issue was that the installer created a randomly named folder in the %TEMP% directory, copied itself into it, and then executed the copy. Since the folder and the copy inherit the NTFS access control list from %TEMP%, the installer would fail to run when execution of files from that directory is denied.

Another issue was that the copy of the executable self-extractor would run with administrative privileges, while the extracted payloads, the installer's setup.exe and setup64.exe, and the batch script setup.bat, are written unprotected into the user's %TEMP% directory. The copy would also change directory to %TEMP% and execute the batch script %TEMP%\setup.bat.

“The extracted files inherit the NTFS ACLs from their parent %TEMP%, allowing ‘full access’ for the unprivileged (owning) user, who can replace/overwrite the files between their creation and execution. Since the files are executed with administrative privileges, this vulnerability results in arbitrary code execution with escalation of privilege,” the researcher notes.

Since setup.bat calls setup.exe and setup64.exe without a path, the command processor starts searching for the files via %PATH% when it does not find them in the current working directory. However, in Windows Vista and newer, it is possible to remove the current working directory from the executable search path, and an unprivileged user, who is in full control of %PATH%, can substitute the two files with rogue ones in an arbitrary directory they add to %PATH%, which results in arbitrary code execution with escalation of privilege. The researcher also discovered that the two setup executables load multiple Windows system DLLs from their application directory in the %TEMP% folder, instead of using those in Windows' system directory.

“An unprivileged attacker running in the same user account can copy rogue DLLs into %TEMP%; these are loaded and their DllMain() routine executed with administrative privileges, once more resulting in arbitrary code execution with escalation of privilege,” the researcher points out.
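A static check for the setup.bat search-path issue described above, as an added example that is not code from Intel or the researcher: it lists the programs a batch script launches without a path, which the command processor then resolves through the current directory and %PATH%. The sample script is constructed, since the page does not show the real setup.bat, and the function names are hypothetical.

```python
import re

# Partial list of cmd.exe internal commands; these are never looked up on disk.
BUILTINS = {"echo", "rem", "set", "if", "for", "goto", "cd", "chdir", "pushd",
            "popd", "exit", "setlocal", "endlocal", "del", "copy", "move",
            "md", "mkdir", "rd", "rmdir", "shift", "pause", "title", "type"}
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def command_of(line):
    """Return the program a batch line launches, or None (label, builtin, blank).
    Limitation: commands nested inside if/for bodies are not inspected."""
    line = line.strip().lstrip("@").strip()
    if not line or line.startswith(":"):
        return None
    # (text, was_quoted) pairs, so an empty "" title is not lost
    toks = [(m.group(1) if m.group(1) is not None else m.group(2),
             m.group(1) is not None) for m in TOKEN.finditer(line)]
    while toks and toks[0][0].lower() in ("call", "start"):
        was_start = toks.pop(0)[0].lower() == "start"
        if was_start and toks and toks[0][1]:
            toks.pop(0)                  # start's quoted first argument is a window title
        while toks and toks[0][0].startswith("/"):
            toks.pop(0)                  # switches such as /wait
    if not toks:
        return None
    name = toks[0][0]
    if name.startswith(":") or name.lower() in BUILTINS:
        return None                      # "call :label" or an internal command
    return name

def is_qualified(name):
    # %~dp0 expands to the script's own drive and directory, with a trailing backslash.
    return "\\" in name or name.lower().startswith("%~dp0")

def unqualified_calls(script):
    """List (line_number, program) for launches resolved via the CWD and %PATH%."""
    return [(n, name) for n, line in enumerate(script.splitlines(), 1)
            if (name := command_of(line)) and not is_qualified(name)]

# Constructed sample; not the actual setup.bat shipped with IPDT.
SAMPLE = r'''@echo off
rem constructed sample for the check below
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" goto x64
setup.exe /s
goto :eof
:x64
start "" /wait setup64.exe /s
call "%~dp0setup.exe" /s
"%SystemRoot%\System32\msiexec.exe" /i pkg.msi
'''
```

A fully qualified call only helps when the directory it points to is not writable by unprivileged users, which was the other half of the IPDT problem.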

The issues were reported to Intel in May and the company updated the installer the same month, but information on the flaws was not published until last week. Intel Processor Diagnostic Tool v4.1.0.27 resolves all of the above issues.
