A DLL hijacking vulnerability exists in an older version of the Intel Rapid Storage Technology (Intel RST) software that could allow malicious programs to appear as a trusted program and thus bypass antivirus engines.
DLLs, or dynamic-link libraries, are Microsoft Windows files that other programs load in order to execute various functions contained in the DLL library.
When DLL files are loaded, executables will either specify the full path to the DLL file or just specify the name.
If a full path is used, such as c:\example\example.dll, the DLL will only be loaded from the specified location. If only the DLL name is given, such as example.dll, Windows will first try to load it from the folder the executable resides in, and if it can't be found there, it will search other folders for the DLL and load it from the first one where it is found.
When a DLL is missing from the executable folder, attackers can use this search behavior to perform a DLL hijacking that causes the executable to load a malicious DLL instead.
The Intel Rapid Storage Technology vulnerability
In older versions of the Intel Rapid Storage Technology software, researchers from SafeBreach have discovered that the IAStorDataMgrSvc.exe executable will attempt to load four DLLs from the C:\Program Files\Intel\Intel(R) Rapid Storage Technology\ folder.
The DLLs that IAStorDataMgrSvc.exe attempts to load are:
The problem is that these DLLs do not exist, as can be seen by the "NAME NOT FOUND" results in the ProcMon image below.
Remember what we said previously about searching other folders for missing DLLs?
As the DLLs do not exist in the same folder as the executable, IAStorDataMgrSvc.exe will try to load them from other folders on the computer.
This allowed the researchers to create their own custom DLL that would be loaded by IAStorDataMgrSvc.exe when it starts. As the IAStorDataMgrSvc.exe file runs with SYSTEM privileges, this DLL is loaded with the same privileges and essentially has full access to the computer.
As this particular vulnerability requires administrative privileges to create the DLL, an attacker would not gain much in terms of privilege escalation.
SafeBreach researcher Peleg Hadar told BleepingComputer, though, that it could be used by an attacker to bypass antivirus scanning engines, as the DLL will be loaded by the trusted Intel application.
"An attacker can evade the antivirus by running within the context of Intel and perform malicious actions. Tested, and it works, very interesting and useful technique," Hadar told BleepingComputer in a conversation.
This vulnerability could have been avoided if the Intel software utilized the WinVerifyTrust function to verify the authenticity of the loaded DLL by checking its digital signature.
According to SafeBreach, they reported this vulnerability to Intel on July 22nd, 2019, and Intel released updated versions of the Intel Rapid Storage Technology software on December 10th that resolved it.
If you are using the Intel RST software, you should update it to version v17.5.1.x, v16.8.3.x, or v15.9.8.x or newer.
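As an added example (not code from the article, Intel or SafeBreach), the following PowerShell audit checks both points made above on a Windows host: whether IAStorDataMgrSvc.exe is at or above the fixed version for its branch, and whether every DLL in the Intel RST folder carries a valid Intel Authenticode signature. It assumes the default install path quoted in the article and that Intel's signing certificate names "Intel Corporation"; run it from an elevated prompt.

```powershell
# Added example, not code from the article, Intel or SafeBreach. Audits an Intel RST
# install for the two things the article raises: a service binary below the fixed
# version, and DLLs in the program folder without a valid Intel signature (where a
# planted hijack DLL would show up). Assumes the default install path quoted in the
# article and that Intel's signing certificate names 'Intel Corporation'; run elevated.

$RstDir = 'C:\Program Files\Intel\Intel(R) Rapid Storage Technology'
$SvcExe = Join-Path $RstDir 'IAStorDataMgrSvc.exe'

# Minimum fixed version per release branch, as given in the article.
$FixedByBranch = @{ 15 = [version]'15.9.8'; 16 = [version]'16.8.3'; 17 = [version]'17.5.1' }

function Test-RstPatched {
    param([string]$ExePath)
    if (-not (Test-Path -LiteralPath $ExePath)) { return $null }     # RST not installed
    $fi = (Get-Item -LiteralPath $ExePath).VersionInfo
    $v  = [version]"$($fi.FileMajorPart).$($fi.FileMinorPart).$($fi.FileBuildPart).$($fi.FilePrivatePart)"
    if ($v.Major -gt 17) { return $true }                            # newer than any listed branch
    if (-not $FixedByBranch.ContainsKey($v.Major)) { return $false } # branch older than 15.x
    return $v -ge $FixedByBranch[$v.Major]
}

function Get-SuspiciousRstDlls {
    param([string]$Dir)
    # Get-AuthenticodeSignature performs the Authenticode check that native code reaches
    # through WinVerifyTrust, the function the article says RST should have called.
    # Anything that is not a valid signature from an Intel certificate is listed for review;
    # a vendor runtime DLL may appear here too, so review the list rather than delete blindly.
    Get-ChildItem -LiteralPath $Dir -Filter '*.dll' -Recurse -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path   = $_.FullName
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        }
    } | Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Intel Corporation' }
}

$state = Test-RstPatched -ExePath $SvcExe
if ($null -eq $state) {
    Write-Output 'IAStorDataMgrSvc.exe not found at the default path; Intel RST may not be installed.'
} elseif ($state) {
    Write-Output 'IAStorDataMgrSvc.exe is at or above the fixed version for its branch.'
} else {
    Write-Warning 'IAStorDataMgrSvc.exe is below the fixed version for its branch; update Intel RST.'
}

if (Test-Path -LiteralPath $RstDir) {
    $bad = @(Get-SuspiciousRstDlls -Dir $RstDir)
    if ($bad.Count -gt 0) { $bad | Format-Table -AutoSize }
    else { Write-Output 'Every DLL in the RST folder carries a valid Intel signature.' }
}
```

A DLL that is signed but by a non-Intel certificate is still flagged, since a signature alone does not make a file the one the program intended to load.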