[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[CORE-2016-0001] - Intel Driver Update Utility MiTM
- To: <fulldisclosure@xxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: [CORE-2016-0001] - Intel Driver Update Utility MiTM
- From: CORE Advisories Team <advisories@xxxxxxxxxxxxxxxx>
- Date: Tue, 19 Jan 2016 11:51:43 -0300
1. Advisory Information
Title: Intel Driver Update Utility MiTM
Advisory ID: CORE-2016-0001
Advisory URL:
http://www.coresecurity.com/advisories/intel-driver-update-utility-mitm
Date published: 2016-01-19
Date of last update: 2016-01-14
Vendors contacted: Intel
Release mode: Coordinated release
2. Vulnerability Information
Class: Cleartext Transmission of Sensitive Information [CWE-319]
Impact: Information leak
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2016-1493
3. Vulnerability Description
The Intel Driver Update Utility [1] is a tool that analyzes the system drivers
on your computer. The utility reports if any new drivers are available, and
provides the download files for the driver updates so you can install them
quickly and easily.
Intel [2] Driver Update Utility is prone to a Men in The Middle attack which
could result in integrity corruption of the transferred data, information leak
and consequently code execution.
4. Vulnerable Packages
Intel Driver Update Utility 2.2.0.5
Other products and versions might be affected too, but they were not tested.
5. Vendor Information, Solutions and Workarounds
Intel released a new version of Intel Driver Update Utility [3] that solves the
issue.
6. Credits
This vulnerability was discovered and researched by a member from Core Security
Research Team. The publication of this advisory was coordinated by Joaquín
Rodríguez Varela from Core Security Advisories Team.
7. Technical Description / Proof of Concept Code
7.1. Clear text Transmission of Update Information
[CVE-2016-1493] Once the application starts searching for driver updates many
HTTP requests like the one below can be seen:
GET
http://storefront.download.protexis.net/IDDAPI/Prod/productfamily/desktopboard/driver/getbyhardwaresignature/ven_8086&dev_010a/a08/190.xml
HTTP/1.1
Host: storefront.download.protexis.net
The URL path of the HTTP requests is easy to understand, the hardware ID is
part of the path. This ID can be found on the device manager. In the XML file
that is received from the server, there's a tag 'File_Url' that has the URL of
the file that is going to be downloaded and executed by the application.
<?xml version="1.0" encoding="utf-8"?>
<Drivers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://tempuri.org/GetDrivers.xsd">
<Driver>
<Driver_ID>24696</Driver_ID>
<Type>Graphics</Type>
<Status>Active</Status>
<Release_Date>2015-02-04</Release_Date>
<Version>15.28.23.64.4101</Version>
<File_Name>win64_152823.zip</File_Name>
<File_Url>http://downloadmirror.intel.com/24696/a08/win64_152823.zip</File_Url>
<HardwareSignature>VEN_8086&DEV_010A</HardwareSignature>
<IsComponent>true</IsComponent>
<Languages>
<Language>
<Language_Code>en</Language_Code>
<Driver_Name>Intel® HD Graphics Driver for Windows* 7/8/8.1
64-bit</Driver_Name>
<Driver_Details>Installs the Intel® HD Graphics Driver for Windows*
7/8/8.1 64-bit version 15.28.23.64.4101 (9.17.10.4101)</Driver_Details>
</Language>
</Languages>
<Installer_Result_Key>SOFTWARE\Intel\GFX</Installer_Result_Key>
<Installer_Version_Key>SOFTWARE\Intel\GFX</Installer_Version_Key>
<Installer_Reboot_Flag>deferred</Installer_Reboot_Flag>
<Installer_Cmd_Line>-s -overwrite</Installer_Cmd_Line>
</Driver>
</Drivers>
Once the application ends the search process, it shows the user the available
drivers updates. After downloading the drivers the user clicks on the 'Install'
button and the binaries are executed. The only verification founded was on the
VerifyDownloadURL method of the DriverManager class. This is doing a domain
verification, that can be easily bypassed if the attacker is performing an ARP
poisoning attack combined with DNS spoofing.
8. Report Timeline
2015-11-12: Core Security sent an initial notification to Intel.
2015-11-26: Core Security sent another notification to Intel asking for a reply.
2015-12-14: Core Security sent a notification to Intel's Product Manager of
their Update Utility.
2015-12-14: Intel requested Core Security for a draft copy of the advisory.
2015-12-15: Core Security asked Intel if they wanted to keep an encrypted
communication or not.
2015-12-16: Intel requested Core Security to send the draft copy of the
advisory in plain text.
2015-12-16: Core Security sent Intel a draft version of the advisory and
requested a tentative date for releasing an update/fix.
2015-12-16: Intel informed Core Security that they were evaluating the report
and that they would respond by the end of the week.
2015-12-18: Intel informed Core Security that they were testing a new version
of the utility that should mitigate the vulnerability and that it would be
available in mid-January.
2016-01-04: Core Security requested Intel the date and time they were going to
publish the new version of the product.
2016-01-05: Intel informed Core Security that they were working towards a
release on January 15.
2016-01-08: Core Security requested Intel if they were willing to consider to
change the publication date from Friday 15 to Monday 18 of January in order to
avoid the proximity to the weekend.
2016-01-08: Intel informed Core Security that they agreed on publishing on
Monday 18 of January.
2016-01-08: Intel informed Core Security that they forgot that January 18 was a
holiday in the United States, so they would be aiming to release it on Tuesday,
January 19.
2016-01-11: Core Security informed Intel that we agreed to release it on
Tuesday, January 19.
2016-01-19: Advisory CORE-2016-0001 published.
9. References
[1] https://downloadcenter.intel.com/.
[2] http://www.intel.com.
[3] http://www.intel.com/content/www/us/en/support/detect.html.
10. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating
the future needs and requirements for information security technologies. We
conduct our research in several important areas of computer security including
system vulnerabilities, cyber attack planning and simulation, source code
auditing, and cryptography. Our results include problem formalization,
identification of vulnerabilities, novel solutions and prototypes for new
technologies. CoreLabs regularly publishes security advisories, technical
papers, project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
11. About Core Security Technologies
Core Security Technologies enables organizations to get ahead of threats with
security test and measurement solutions that continuously identify and
demonstrate real-world exposures to their most critical assets. Our customers
can gain real visibility into their security standing, real validation of their
security controls, and real metrics to more effectively secure their
organizations.
Core Security's software solutions build on over a decade of trusted research
and leading-edge threat expertise from the company's Security Consulting
Services, CoreLabs and Engineering groups. Core Security Technologies can be
reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
12. Disclaimer
The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015
CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories
team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.