CVE-2021-0090: Intel Driver & Support Assistant (DSA) Elevation of Privilege...

TL;DR

Intel Driver & Support Assistant (DSA) is a driver and software update utility for Intel components. DSA version 20.8.30.6 (and likely prior) is vulnerable to a local privilege escalation reparse point bug. An unprivileged user has nominal control over configuration settings within the web-based interface.  This includes the ability to configure the folder location for downloads and data (e.g. installers and log files). An unprivileged user can change the folder location, coerce a privileged file copy operation to a “protected” directory through a reparse point, and deliver a payload such as a DLL loading technique to execute unintended code.

Of note, a similar bug in DSA (CVE-2019-11114) was previously discovered by Rich Warren of the NCC Group. This technical advisory provides an excellent overview of that bug as well as operational details of DSA.

Walkthrough

The following walkthrough represents a simple methodology for discovering and exploiting the EoP bug in an unprivileged user context:

1 – The user selects the DSA tray icon on the Windows Task Bar:

2 – The DSA interface opens in the default web browser:

3 – Selecting the Settings link (on the left) opens up the DSA Settings page. The unprivileged user has the ability to change the Folder Location (Default in this case is C:\ProgramData\Intel\DSA):

4 – Taking note of the default folder path, the DACL entries of that path reveal that the Authenticated Usersgroup has Full Control permissions over the directory:

5 – In the DSA directory, the folder structure contains the data, downloads, and logs.  The structure appears as follows:

6 – In the DSA Settings page, the unprivileged user can change the directory by selecting the Change Location button under Folder Location. This browsing dialogue box is prompted:

7 – After changing the folder directory, the folder structure and contents under the previous Folder Location are moved to the new folder by the DSA service (DSAService.exe). For demonstration, a test file (test.txt) is created within the folder directory structure at c:\test\Downloads\test.txt.  In the following screenshot, ProcMon shows the ‘move’ activity from the previous directory structure (c:\test) to the new directory structure (c:\temp) when the Folder Location is changed.  This includes the text.txt file to c:\temp\Downloads\test.txt:

8 – Of course, this sets up an interesting test case for identifying a potential reparse point logic bug. In this case, a folder junction mount point is set on the previous DSA Folder Location directory structure (c:\test\downloads) and targeted for the protected c:\windows\system32directory.  The tool used is create the folder junction is CreateMountPoint by James Forshaw of Google Project Zero.

Note: an unprivileged user could leverage other tools to create junctions such as the New-Path PowerShell cmdlet.

9 – For exploitation, a custom Dynamic Link Library (DLL) is planted in the current DSA Folder Location directory structure at c:\temp\downloads\ulapi.dll.  In this case, ualapi.dll is specifically chosen because this DLL will load at system start time (e.g. after a reboot) by the Windows Spooler service. The legitimate DLL is not present on Windows 10. 

10 – After setting up the folder junction and staging ualpi.dll, the Folder Location is changed within the DSA Settings. The action causes the DSA service to ‘move’ ualpi.dll to c:\windows\system32:

11 – After a reboot, ualapi.dll is loaded by the Print Spooler to execute a payload as NT AUTHORITY\SYSTEM. In this case, the DLL spawns cmd.exe and subsequently notepad.exe:

Exploiting this in a programmatic fashion is an exercise for the reader

Defensive Considerations

• Organizations & Home Users: Update to the latest version of Intel Driver & Support Assistant (DSA). As of the draft of this post, the latest version is 21.4.29.8.
• Vendor(s): In Microsoft’s Bug Bounty program details, Microsoft claims that “broad mitigations” will be applied to the reparse point bug class “in the future”. To date, Microsoft no longer offers Bug Bounty rewards for this class of bug. Until “broad mitigations” are applied to address this operating system wide (i.e. like Hard Links in Win10 1809?), Microsoft and 3rd party vendors will likely have to continue to address these symlink issues on an individual basis.

Conclusion

Intel was notified of this bug bug in Sept 2020 and a patch was issued in June 2021.

Thank you for taking the time to read this post.

~ bohops