{"id":211976,"date":"2018-11-21T16:57:50","date_gmt":"2018-11-21T15:57:50","guid":{"rendered":"https:\/\/www.borncity.com\/blog\/?p=211976"},"modified":"2023-07-12T14:21:11","modified_gmt":"2023-07-12T12:21:11","slug":"sicherheitslcken-in-intels-rapid-storage-technology","status":"publish","type":"post","link":"https:\/\/borncity.com\/blog\/2018\/11\/21\/sicherheitslcken-in-intels-rapid-storage-technology\/","title":{"rendered":"Security vulnerabilities in Intel's Rapid Storage Technology"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\"\/>Intel's Rapid Storage Technology (Intel\u00ae RST) has several vulnerabilities in its installer and in the driver\/user-interface package. Here is a brief overview of what users of this package on Windows 7, Windows 8.1 and Windows 10 should know.<\/p>\n<h2>CVE-2018-3635 in the installer<\/h2>\n<p>Stefan Kanthak reported a vulnerability in the installer of the Intel\u00ae RST software on seclists.org <a href=\"https:\/\/seclists.org\/fulldisclosure\/2018\/Nov\/45\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>. It concerns the installer for 'Intel\u00ae Rapid Storage Technology (Intel\u00ae RST) User Interface and Driver' version 15.9.0.1015 for Windows 7, published on 14 November 2017. It is offered for download on <a href=\"https:\/\/web.archive.org\/web\/20190420042052\/https:\/\/downloadmirror.intel.com\/27400\/eng\/SetupRST.exe\" target=\"_blank\" rel=\"noopener noreferrer\">this web page<\/a> (see this Intel page). 
The description states:<\/p>\n<blockquote>\n<p>Vulnerability #1:<br \/>=================<\/p>\n<p>Although running with ELEVATED (administrative) privileges<br \/>(the \"application manifest\" embedded in SetupRST.exe specifies<br \/>\"requireAdministrator\"), on STANDARD installations of Windows,<br \/>i.e. where the user account created during Windows setup is used,<br \/>the executable installer creates an UNPROTECTED subdirectory<br \/>IIF&lt;abcd&gt;.tmp in the user's %TEMP% directory.<\/p>\n<p>For this well-known and well-documented vulnerability see<br \/>&lt;<a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/377.html\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/cwe.mitre.org\/data\/definitions\/377.html<\/a>&gt; and<br \/>&lt;<a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/379.html\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/cwe.mitre.org\/data\/definitions\/379.html<\/a>&gt; plus<br \/>&lt;<a href=\"https:\/\/capec.mitre.org\/data\/definitions\/29.html\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/capec.mitre.org\/data\/definitions\/29.html<\/a>&gt;<\/p>\n<p>The subdirectory IIF&lt;abcd&gt;.tmp inherits the NTFS ACLs from its<br \/>parent %TEMP%, allowing \"full access\" for the unprivileged<br \/>(owning) user, who can replace\/overwrite the DLLs<\/p>\n<p>&nbsp;&nbsp;&nbsp; %TEMP%\\IIF&lt;abcd&gt;.tmp\\Resource.dll<br \/>&nbsp;&nbsp;&nbsp; %TEMP%\\IIF&lt;abcd&gt;.tmp\\??-??\\IntelCommon.dll<\/p>\n<p>later loaded and executed by the installer between their creation<br \/>and use. 
Since these DLLs are executed with administrative privileges, this<br \/>vulnerability results in arbitrary code execution WITH escalation<br \/>of privilege.<\/p>\n<p>NOTE: the precondition \"user account created during Windows setup\"<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; is met on typical installations of Windows: according to<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Microsoft's own security intelligence reports, about 1\/2 to<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3\/4 of the about 600 million Windows installations which send<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; telemetry data have only ONE active user account.<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;https:\/\/www.microsoft.com\/security\/sir&gt;<\/p>\n<\/blockquote>\n<p>Further details can be found in the entry on seclists.org. The <a href=\"https:\/\/seclists.org\/fulldisclosure\/2018\/Nov\/45\" target=\"_blank\" rel=\"noopener noreferrer\">seclists.org post<\/a> also describes a second vulnerability (denial of service). On 13 November 2018, Intel published the Intel\u00ae Rapid Store Technology Installer Advisory <a href=\"https:\/\/web.archive.org\/web\/20220519114237\/https:\/\/www.intel.com\/content\/www\/us\/en\/security-center\/advisory\/intel-sa-00153.html\" target=\"_blank\" rel=\"noopener noreferrer\">INTEL-SA-00153<\/a> on this issue. 
<\/p>\n<blockquote>\n<p>A potential security vulnerability in Intel\u00ae Rapid Store Technology (RST) installer may allow an unprivileged user to potentially elevate privileges or cause an installer denial of service. Intel is releasing Intel\u00ae RST installer updates to mitigate this potential vulnerability.<\/p>\n<\/blockquote>\n<p>Intel states that all Intel\u00ae RST installers before version 16.7 are affected and offers an <a href=\"https:\/\/web.archive.org\/web\/20210620094842\/https:\/\/downloadcenter.intel.com\/product\/55005\/Intel-Rapid-Storage-Technology-Intel-RST\" target=\"_blank\" rel=\"noopener noreferrer\">updated version in the Download Center<\/a>.<\/p>\n<h2>Vulnerability in the Intel RST user interface<\/h2>\n<p>In addition, the Intel Rapid Storage (Intel\u00ae RST) User Interface has an escalation-of-privilege vulnerability. It was also discovered by Stefan Kanthak and described on seclists.org in <a href=\"https:\/\/seclists.org\/fulldisclosure\/2018\/Nov\/52\" target=\"_blank\" rel=\"noopener noreferrer\">this post<\/a>. The vulnerability relates to the package Intel\u00ae Rapid Storage Technology (Intel\u00ae RST) User Interface and Driver for Windows 10 and Windows Server 2016.<\/p>\n<ul>\n<li>Affected is version 16.0.2.1086 (the latest), which was released on 21 February 2018 and can be downloaded <a href=\"https:\/\/web.archive.org\/web\/20180709182848\/https:\/\/downloadcenter.intel.com\/download\/27681\/Intel-Rapid-Storage-Technology-Intel-RST-User-Interface-and-Driver\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/li>\n<li>The previous version 15.9.0.1015 of 14 Nov. 2017 (<a href=\"https:\/\/web.archive.org\/web\/20190420041949\/https:\/\/downloadcenter.intel.com\/download\/27400\/Intel-Rapid-Storage-Technology-Intel-RST-User-Interface-and-Driver\" target=\"_blank\" rel=\"noopener noreferrer\">Download<\/a>) is also affected. 
This is the current version that still supports Windows 7 and Windows 8.1.<\/li>\n<\/ul>\n<p>These software versions allow arbitrary code execution with escalation of privilege via the RST user interface program <em>IAStorUI.exe<\/em>. Kanthak describes the problem as follows:<\/p>\n<blockquote>\n<p>IAStorUI.exe depends on .NET Framework 4.x; its embedded \"application<br \/>manifest\" specifies \"requireAdministrator\", so Windows requests<br \/>elevation: \"protected\" administrators are prompted for consent,<br \/>unprivileged standard users are prompted for an administrator password.<\/p>\n<p>All versions of .NET Framework support to load a COM object as code<br \/>profiler, enabled via two or three environment variables, thus allowing<br \/>arbitrary code execution WITH elevation of privilege through IAStorUI.exe!<\/p>\n<\/blockquote>\n<p>Intel rates this vulnerability as high, with a score of 7.5. Details can be found in <a href=\"https:\/\/seclists.org\/fulldisclosure\/2018\/Nov\/52\" target=\"_blank\" rel=\"noopener noreferrer\">this seclists.org post<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Intel's Rapid Storage Technology (Intel\u00ae RST) has several vulnerabilities in its installer and in the driver\/user-interface package. 
Here is a brief overview of what users of this package on Windows 7, Windows 8.1 and Windows 10 should know.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[426,3694],"tags":[1080,4328,4378,4294],"class_list":["post-211976","post","type-post","status-publish","format-standard","hentry","category-sicherheit","category-windows-10","tag-intel","tag-sicherheit","tag-windows-10","tag-windows-7"],"_links":{"self":[{"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/posts\/211976","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/comments?post=211976"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/posts\/211976\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/media?parent=211976"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/categories?post=211976"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/tags?post=211976"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}