Intel® Audio Driver Unquoted Service Path Vulnerability

Author

Uriel Kosayev
Cybersecurity researcher and red teamer who lives both on the offensive and defensive fronts. The author of the “Antivirus Bypass Techniques” book, expert in malware research, reverse engineering, penetration testing, digital forensics, and incident response

By Uriel Kosayev (@MalFuzzer)

Introduction

Intel is a very well-known and large company that serves many personal computers and servers around the globe. An attacker can exploit this vulnerability during the post-exploitation phase to achieve privilege escalation and persistency,

by using the technique of implanting an arbitrary unsigned executable which is executed by a signed service that runs with the NT AUTHORITY\SYSTEM privileges on the victim machine.

Gain Insider Knowledge

Subscribe to updates from the TrainSec trainers

Privilege escalation

Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

In many cases, the first point of penetration will not give attackers the level of access or access to the file system they need. They will then attempt to escalate their privileges to gain more permissions or to obtain access to additional, more sensitive systems.

Privilege escalation means an attacker gains access to privileges they are not entitled to by exploiting a privilege escalation vulnerability in a target system or application, which lets them override the limitations of the current user account.

The Vulnerability

In the Windows operating system, service is susceptible to “Unquoted Service Path” vulnerability if the executable path is not wrapped with quotation marks as can be seen below in the case of Intel’s audio driver service:

image1 4

When diving into the. The NET-based executable of the “IntelAudioService”, we can notice that it facilitates the “CreateProcessAsUserW” Windows API function through the CallProcessAsUserWrapper method to create the process as can be seen below:

image2 3

In this case, the “CreateProcessAsUserW” Windows API function receives several parameters such as the “_processToRunPath” parameter that has a value of the file name or the file’s full path, and in this case, with no quotation marks which leads to this vulnerability.

To exploit such vulnerability, gain persistency, and escalate the privileges, an attacker needs to drop a payload in a path that has a spaced name like “C:\Windows\System32\cAVS\Intel(R) {Payload} Service” that will be executed after a computer or service is restarted, either through an administrative account or by abusing a service path that has insufficient permission so that any weak user with the “W” (write) permission, for instance, can drop a malicious payload to this path without the need of an administrative account.

It’s worth mentioning that these techniques are commonly employed in various types of malware. Through malware analysis, we can scrutinize and break down malware that uses these methods. Naturally, attackers and red teamers incorporate these techniques as part of their malware development processes.

Disclosure Timeline

March 8, 2020 – Vulnerability reported to Intel PSIRT.

May 27, 2020 – Intel validated and resolved the vulnerability.

June 6, 2020 – Vulnerability reported to HackerOne per Intel PSIRT request.

June 25, 2020 – Intel PSIRT Assigned CVE: CVE-2020-12307 and offers a bounty of 1,500$.

November 10, 2020 – Vulnerability will be publicly disclosed under INTEL-SA-00409.

blue depth

About the author

Uriel Kosayev
Cybersecurity researcher and red teamer who lives both on the offensive and defensive fronts. The author of the “Antivirus Bypass Techniques” book, expert in malware research, reverse engineering, penetration testing, digital forensics, and incident response

Black Friday & Cyber Monday Sale Started!

For a limited time, enjoy 25% off ALL available courses for the next month. Whether you’re looking to sharpen your skills or explore new areas of cybersecurity, now’s the perfect time to invest in your growth.

Use code BFRIDAY24 at checkout to claim your discount.