The structure appears as follows:Ħ – In the DSA Settings page, the unprivileged user can change the directory by selecting the Change Location button under Folder Location. The unprivileged user has the ability to change the Folder Location (Default in this case is C:\ProgramData\Intel\DSA):Ĥ – Taking note of the default folder path, the DACL entries of that path reveal that the Authenticated Users group has Full Control permissions over the directory:ĥ – In the DSA directory, the folder structure contains the data, downloads, and logs. The following walkthrough represents a simple methodology for discovering and exploiting the EoP bug in an unprivileged user context:ġ – The user selects the DSA tray icon on the Windows Task Bar:Ģ – The DSA interface opens in the default web browser:ģ – Selecting the Settings link (on the left) opens up the DSA Settings page. This technical advisory provides an excellent overview of that bug as well as operational details of DSA. Of note, a similar bug in DSA (CVE-2019-11114) was previously discovered by Rich Warren of the NCC Group. An unprivileged user can change the folder location, coerce a privileged file copy operation to a “protected” directory through a reparse point, and deliver a payload such as a DLL loading technique to execute unintended code. This includes the ability to configure the folder location for downloads and data (e.g. An unprivileged user has nominal control over configuration settings within the web-based interface. DSA version 20.8.30.6 (and likely prior) is vulnerable to a local privilege escalation reparse point bug. Intel Driver
0 Comments
Leave a Reply. |