If you have a look into the great resource Windows Internals (Windows Internals Part 1, 7th Edition), you will see that Windows uses the mechanism of Mandatory Integrity Control (MIC), based on Integrity Levels, to protect processes and objects from each other against unauthorized access. In the following table from Windows Internals you can see a list of the Integrity Levels used under Windows 10.
Because of that, when an unprivileged user (medium integrity) logs on to Windows, a kernel object called an access token is created. This token holds your identity and the current privileges of the user. From the red team perspective this means that even if I was able to compromise an unprivileged user account (medium integrity), I am still not allowed to access processes and objects that require high integrity for access. A little more precisely, in the case of processes it is not possible to inject into or attach to the address space of a process running with high integrity from a process running with medium integrity. Otherwise, if that were possible, we would have a great problem from the security perspective.
Local Privilege Escalation: Insecure GUI
But even if you are not allowed as a medium integrity user to directly access the memory of a high integrity process, for example by process injection, there are still scenarios that give you a possibility to abuse the high integrity process to escalate your local privileges. For example, in my case, by finding the vulnerability CVE-2022-0354 (LEN-76673) in the context of the Lenovo Commercial Vantage tool and how the tool executes Intel Management Engine software update packages (and other packages). On New Year's Eve 2021 I logged in to my Lenovo (as usual as an unprivileged user (medium integrity)) and started the Lenovo Commercial Vantage tool in the same context (medium integrity). I got the suggestion for the Intel ME software update Intel Management Engine Firmware 126.96.36.19987 and started the installation. Afterwards, the Intel ME update was initialized immediately, but compared to other updates that I had executed via the Lenovo Commercial Vantage tool, it seemed strange to me that a Windows command shell window opened during the update. It was not possible to execute a command directly via the command line, but I was curious and examined via Process Explorer with which integrity level the opened update window was executed. As suspected and hoped (from a research perspective, to get my first CVE 😅), the corresponding process cmd.exe was executed at system integrity level. Despite the fact that no direct command can be executed in the command prompt window, there is still a way (insecure GUI) to use the privileged cmd.exe process (system integrity) to escalate from an unprivileged user (medium integrity) to system privileges. We simply use the context menu of the command prompt window of the privileged cmd.exe process to escalate from medium integrity level to system integrity. In the case of CVE-2022-0354, have a look at the video below.
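The integrity rule from the opening paragraphs and the Process Explorer check from the walkthrough above, as an added Python example that is not the author's code or Lenovo's tooling: it parses the S-1-16 mandatory-label SIDs, applies the default no-write-up / no-read-up policy, and flags windowed processes running above the logged-on user's level over constructed sample process records.

```python
from dataclasses import dataclass

# Mandatory-label RIDs behind the S-1-16-<RID> SIDs (Windows Internals, Part 1).
INTEGRITY_RIDS = {
    0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium", 0x2100: "Medium Plus",
    0x3000: "High", 0x4000: "System", 0x5000: "Protected Process",
}

def integrity_from_sid(sid: str) -> int:
    """Parse a mandatory-label SID such as 'S-1-16-8192' into its RID (0x2000 = Medium)."""
    prefix = "S-1-16-"
    if not sid.startswith(prefix):
        raise ValueError(f"not a mandatory-label SID: {sid}")
    return int(sid[len(prefix):])

def mandatory_check(subject_il: int, object_il: int, access: str, process_object: bool) -> bool:
    """Default MIC policy: every object is NO_WRITE_UP; process, thread and token objects
    are additionally NO_READ_UP. True means the mandatory check passes (the DACL still applies)."""
    if subject_il >= object_il:          # equal or higher label: MIC never blocks
        return True
    if access == "write":                # no-write-up applies to every object type
        return False
    return not process_object            # read-up is only blocked for process-like objects

@dataclass(frozen=True)
class Proc:
    """One row of a Process Explorer-style listing (constructed sample data)."""
    pid: int
    name: str
    label_sid: str
    visible_window: bool

def exposed_privileged_windows(procs: list, user_il: int = 0x2000) -> list:
    """Flag processes that show a window on the interactive desktop while running above
    the logged-on user's integrity: the condition behind the insecure-GUI escalation."""
    return [p for p in procs
            if p.visible_window and integrity_from_sid(p.label_sid) > user_il]

# Constructed sample: a Medium explorer.exe, a System service without a window,
# and a System-integrity cmd.exe with a visible console, as seen during the update.
SAMPLE_PROCS = [
    Proc(4120, "explorer.exe", "S-1-16-8192", True),
    Proc(5300, "svchost.exe", "S-1-16-16384", False),
    Proc(6012, "cmd.exe", "S-1-16-16384", True),
]

if __name__ == "__main__":
    for p in exposed_privileged_windows(SAMPLE_PROCS):
        print(f"{p.name} (pid {p.pid}) runs at {INTEGRITY_RIDS[integrity_from_sid(p.label_sid)]} with a visible window")
```

On a live system the same logic applies to a listing exported from Process Explorer with the Integrity column enabled; the sample records here are constructed.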
After consultation with Lenovo, the flaw is in the legacy packaging process for system updates. To resolve the problem, the Lenovo PSIRT fixed the packaging process for packages released after 2022-02-25. At this moment I am not really sure if Lenovo also fixed the affected legacy packages or only fixed it for packages released after 2022-02-25. The last test where I was able to escalate to system privileges was done on 2022-04-10 with the Intel Thunderbolt Driver-10 update package (video below). To be fair, the Intel Thunderbolt Driver-10 package was identified just a few days ago, at the beginning of April 2022. Until now, the following packages are known to be affected and allow escalating your unprivileged user (medium integrity) to system privileges (system integrity).
- Intel ME Software update Intel Management Engine Firmware 188.8.131.5287 (Found by Infosec Tirol)
- Intel Thunderbolt Driver – 10 – 184.108.40.2060 (Found by Infosec Tirol)
- Flash BIOS Update – Intel B150 (Found by Lenovo PSIRT)
The „Bundesamt für Sicherheit in der Informationstechnik“ has also published a technical security advisory with the second highest risk level (risk level 4).
Finally, I would like to thank Lenovo and the responsible employee Blake for the good cooperation. More information about the vulnerability can be found on the Lenovo website.