Software in the middle - Abusing legitimate Software to run arbitrary code

Product: Ashampoo Driver Update
Version: 1.3.0.0
Tested on: Windows 10 Pro 2004 x64
Vendor informed: No, because reporting vulnerabilities will be ignored
PoC: This blog post
CVE: requested


Brief Description: Ashampoo Driver Update version 1.3.0.0 can be abused by a local attacker to execute arbitrary files in an elevated context.


Ashampoo Driver Updater is a tool that lets users scan the system for outdated drivers and install new ones if needed or wanted. It also contains an interesting vulnerability that can be used by an attacker to run malicious files elevated (with administrative rights). I call this method "software-in-the-middle". Let's take a look:



As already mentioned, Driver Updater scans the OS for outdated drivers and can install new ones. To install drivers, Driver Updater has to run elevated, so the application always requests administrative rights on start:



After starting the program, the user can scan the OS for outdated drivers. If an outdated driver is found, Driver Updater offers to update it:



The update process is started by clicking the "Update now" button; everything else is handled by Driver Updater. What happens in the background is (I left some steps out to keep it simple):

  1. Driver Updater downloads the new driver
  2. Driver Updater installs the new driver using "DPInst64.exe"

Obviously "DPInst64.exe" is the point of interest. But what is "DPInst64.exe"? It is the Driver Package Installer, which was shipped as part of the Windows Driver Kit (https://docs.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk). Driver Updater uses "DPInst64.exe" to install drivers. Because "DPInst64.exe" belongs to the Windows Driver Kit, it is not included in Windows 10, so Driver Updater has to copy the file onto the system in order to install drivers with it. Unfortunately Driver Updater does not check whether that file is really "DPInst64.exe" from the Windows Driver Kit or just a file with the same name. Let's look at the proof of concept:

Proof of Concept

A local attacker registers a FileSystemWatcher event for "*.exe" in "C:\tmp1". If a file with the extension ".exe" is created, the FileSystemWatcher is triggered and starts a loop that copies "C:\temp\evil.exe" to "C:\tmp1\DPInst64.exe". This can be done with a few lines of PowerShell (*I left something in the script to avoid copy and paste):



This has the advantage that PowerShell is not running all the time and nothing suspicious shows up in Task Manager:


With this event hidden in the background, the user starts Driver Updater and scans for old drivers. When the user now updates a driver, the following happens:

  • Driver Updater creates "C:\tmp1\DPInst64.exe". This path is hardcoded.
  • The event registered by the attacker is triggered and "C:\tmp1\DPInst64.exe" is overwritten with the malicious file. The loop is used to make sure the file is actually copied. Maybe a little bit rough, but it works ;)
  • Driver Updater downloads the driver.
  • Driver Updater executes "C:\tmp1\DPInst64.exe" with elevated rights; no UAC prompt is shown.


User starts driver update process by clicking "update driver"



Update process starts



Congratulations, evil.exe was executed elevated




Conclusion: A simple attack which can be avoided by checking the file integrity of "DPInst64.exe", e.g. by MD5 hash comparison, certificate check etc. Publicly known UAC bypass methods are often monitored by AV software. Pushing a malicious file into locations which elevated applications read from isn't new, but it is still very effective!
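As an added example of the integrity check the conclusion asks for (not code from the original post or from Ashampoo), the following PowerShell function refuses to launch a helper binary unless its Authenticode signature is valid, its signer matches an expected publisher and, optionally, its SHA-256 hash matches a pinned value. The expected subject string and hash are placeholders to be taken from a trusted copy of DPInst64.exe; the `C:\tmp1\DPInst64.exe` path is the one named in the post.

```powershell
function Test-TrustedHelper {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubject,  # publisher DN taken from a trusted copy (placeholder here)
        [string] $KnownGoodSha256                          # optional pinned hash shipped with the product (placeholder)
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Verbose "Helper not found: $Path"
        return $false
    }

    # 1. The Authenticode signature must be intact and chain to a trusted root.
    #    A renamed evil.exe is either unsigned or signed by someone else.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Verbose "Signature status for $Path is $($sig.Status)"
        return $false
    }

    # 2. "Some valid signature" is not enough: the signer must be the expected publisher.
    if ($sig.SignerCertificate.Subject -ne $ExpectedSubject) {
        Write-Verbose "Unexpected signer: $($sig.SignerCertificate.Subject)"
        return $false
    }

    # 3. Optional hash pin against the exact binary the vendor tested with.
    if ($KnownGoodSha256) {
        $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($hash -ne $KnownGoodSha256.ToUpperInvariant()) {
            Write-Verbose "Hash mismatch: got $hash"
            return $false
        }
    }
    return $true
}

# Usage: run the check immediately before the elevated launch.
$helper = 'C:\tmp1\DPInst64.exe'
if (Test-TrustedHelper -Path $helper -ExpectedSubject 'CN=EXPECTED-PUBLISHER-PLACEHOLDER' -Verbose) {
    Start-Process -FilePath $helper -Wait
} else {
    Write-Error "Refusing to run $helper because the integrity check failed"
}
```

The check only closes the hole if the file cannot be swapped between the check and the launch, so the elevated process should also copy the helper into a directory that standard users cannot write to rather than a world-writable path like `C:\tmp1`.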
