Intel® Audio Driver Unquoted Service Path Vulnerability

(CVE-2020-12307)

Introduction

The TRIOX Security research team, led by Shay Rozen and Uriel Kosayev, discovered a new privilege escalation and persistence vulnerability in some Intel(R) High Definition Audio drivers before version 9.21.00.4561.

Intel is a very well known and large company whose products serve a great number of personal computers and servers around the globe. This vulnerability can be exploited by an attacker during the post-exploitation phase to achieve privilege escalation and persistence, by implanting an arbitrary unsigned executable that is then executed by a signed service running with NT AUTHORITY\SYSTEM privileges on the victim machine.

Privilege escalation

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

In many cases, the first point of penetration will not give attackers the level of access or access to the file system they need. They will then attempt to escalate their privileges to gain more permissions or to obtain access to additional, more sensitive systems.

Privilege escalation means an attacker gains access to privileges they are not entitled to by exploiting a privilege escalation vulnerability in a target system or application, which lets them override the limitations of the current user account.

The Vulnerability

On the Windows operating system, a service is susceptible to an “Unquoted Service Path” vulnerability if its executable path is not wrapped in quotation marks, as can be seen below in the case of Intel’s audio driver service:

[Screenshot (TRIOX Security): IntelAudioService configuration showing the executable path without quotation marks]

When diving into the .NET based executable of the “IntelAudioService”, we can see that it calls the “CreateProcessAsUserW” Windows API function through the CallProcessAsUserWrapper method to create the process, as shown below:

[Screenshot (TRIOX Security): decompiled CallProcessAsUserWrapper method calling CreateProcessAsUserW]

In this case, the “CreateProcessAsUserW” Windows API function receives several parameters, among them “_processToRunPath”, which holds the file name or the file’s full path; here it is passed without quotation marks, which is what leads to this vulnerability.

To exploit this vulnerability for persistence and privilege escalation, an attacker needs to drop a payload into a path whose name contains spaces, such as “C:\Windows\System32\cAVS\Intel(R) {Payload} Service”, where it will be executed after the computer or the service is restarted. This can be done either from an administrative account or by abusing a service path with insufficient permissions, so that any low-privileged user holding the “W” (write) permission, for instance, can drop a malicious payload into that path without needing an administrative account.
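The loader behaviour behind this class of weakness, as an added audit example (not Intel’s code and not part of the original advisory): for a service ImagePath it lists the file names CreateProcess would probe before the intended executable, the directories whose ACLs therefore matter, and the quoted form that corrects the configuration. The ImagePath values are constructed; the file name IntelAudioService.exe is assumed to fill in the shape of the path quoted above.

```python
import ntpath
import re

# Constructed sample ImagePath values (not read from a real registry); the first follows the
# shape of the path quoted in the advisory, with the IntelAudioService.exe file name assumed.
SAMPLE_SERVICES = {
    "IntelAudioService": r"C:\Windows\System32\cAVS\Intel(R) Audio Service\IntelAudioService.exe",
    "IntelAudioServiceFixed": r'"C:\Windows\System32\cAVS\Intel(R) Audio Service\IntelAudioService.exe"',
    "Svchost": r"C:\Windows\system32\svchost.exe -k netsvcs",  # the only space is in the arguments
}

_EXE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE | re.DOTALL)

def split_image_path(image_path):
    """Return (executable, arguments). A quoted path is unambiguous; an unquoted one is cut
    at the first '.exe' (audit approximation: the loader stops at the first existing file)."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return (p[1:end], p[end + 1:].strip()) if end != -1 else (p[1:], "")
    m = _EXE_RE.match(p)
    return (m.group(1), (m.group(2) or "").strip()) if m else (p, "")

def hijack_candidates(image_path):
    """File names CreateProcess probes before the intended executable when the path is unquoted
    and contains spaces: the prefix before each space, with .exe appended if it has no extension
    (documented CreateProcess behaviour). An empty list means the ImagePath is not affected."""
    if image_path.strip().startswith('"'):
        return []
    exe, _ = split_image_path(image_path)
    candidates = []
    for i, ch in enumerate(exe):
        if ch == " ":
            prefix = exe[:i]
            if not ntpath.splitext(ntpath.basename(prefix))[1]:
                prefix += ".exe"
            candidates.append(prefix)
    return candidates

def directories_to_audit(image_path):
    """Directories whose ACLs decide whether a probed name could be planted; none may be user-writable."""
    return sorted({ntpath.dirname(c) for c in hijack_candidates(image_path)})

def quote_image_path(image_path):
    """Mitigation: wrap the executable in quotes and keep any arguments unchanged."""
    if image_path.strip().startswith('"'):
        return image_path.strip()
    exe, args = split_image_path(image_path)
    return f'"{exe}"' + (f" {args}" if args else "")
```

For the constructed IntelAudioService path the audit reports two probed names inside C:\Windows\System32\cAVS, so that directory’s ACL is what decides exploitability, while the quoted variant and the svchost entry report nothing.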


Disclosure Timeline

March 8, 2020 – Vulnerability reported to Intel PSIRT.

May 27, 2020 – Intel validated and resolved the vulnerability.

June 6, 2020 – Vulnerability reported to HackerOne per Intel PSIRT request.

June 25, 2020 – Intel PSIRT assigned CVE-2020-12307 and offered a bounty of $1,500.

November 10, 2020 – Vulnerability will be publicly disclosed under INTEL-SA-00409.
