INSUBCONTINENT EXCLUSIVE:
SafeBreach labs has discovered a vulnerability in Intel Rapid Storage Technology (Intel RST) that could allow malicious programs to bypass
antivirus software.Researchers from the firm discovered that in older versions of the software, the IAStorDataMGRSvc.exe executable will try
to load four DLLs (Dynamic-link libraries) from the Intel Rapid Storage Technology folder on a user's C drive.However, these DLLs do not
exist in the same folder as the program's executable which means that IAStorDataMGRSvc.exe will instead try and load these DLLs from other
folders on a user's computer.SafeBreach took advantage of this to create their own custom DLL that is loaded once IAStorDataMGRSvc.exe
Since this executable runs with system privileges, the researchers' DLL is loaded with the same privileges and thus has full access to the
computer.The vulnerability SafeBreach discovered cannot be exploited by an attacker for privilege escalation since it requires
administrative privileges to create a custom DLL in the first place.However, the vulnerability could be used by an attacker to bypass
antivirus scanning engines as the custom DLL will be loaded by the trusted Intel application.SafeBreach researcher Peleg Hadar explained to
BleepingComputer how an attacker could leverage this vulnerability, saying:"An attacker can evade the antivirus by running within the
context of Intel and perform malicious actions
Tested, and it works, very interesting and useful technique."SafeBreach first reported the vulnerability to Intel back in July and the
chipmaker has since released updated versions of its Intel Rapid Storage Technology software that patch the issue
It is recommended that users running older versions of Intel RST update their software to the latest version to prevent falling victim to
any attacks that exploit this vulnerability.Via BleepingComputer
