This kind of vulnerability is really old. However, vendors still fail to properly address this issue. This is just another example of exploiting this kind of vulnerability on Windows 10 with the most up-to-date ALFA AWUS036AC driver utility (version
1030.6). Note that the download link points to
alfa.com but the driver utility itself says it’s developed by REALTEK.
Upon installing the driver utility, two vulnerable services get installed. This can be checked using the following command:
C:\Users\ps>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ Realtek DHCP Service | RTLDHCPService | C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RTLDHCP.exe RealtekWlanU | RealtekWlanU | C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RtlService.exe
This means, that the service paths of both services, called
Realtek DHCP Service and
RealtekWlanU, contain spaces and are not quoted using
". Therefore, they are vulnerable to this kind of attack.
A quick C++ PoC that logs the username of the user that executes a certain
.exe file looks like this:
char username[UNLEN+1]; DWORD username_len = UNLEN+1; GetUserName(username, &username_len); std::ofstream outfile; outfile.open("C:\\Users\\Public\\userlog.txt", std::ios_base::app); outfile << username << std::endl;
When executed as a regular user, the binary outputs
ps, being a regular user account.
Both service paths share the common string
C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility. Note that the substring
USB Wireless LAN Utility contains spaces, which is a part of the vulnerability. Exploiting this works by placing a malicious file called
C:\Program Files (x86)\REALTEK, making the full path
C:\Program Files (x86)\REALTEK\USB.exe. Please not that this can only be performed by administrators in this case. So this will get you a privilege ecscalation from
SYSTEM ¯\(ツ)/¯. The binary supplied by an attacker will be executed as
SYSTEM upon restarting the system. This can be seen for both vulnerable services in the log file:
The string which specifies the service path needs to be quoted to prevent this, as seen in this example
While quickly testing this for multiple driver utilities by REALTEK, all tested packages seemed to be “vulnerable”.
- Common Exploits for the cmd command.