
Security gone in 600 seconds: Make-me-admin hole found in Lenovo Windows laptop crapware

Guest

So... Lenovo... *sigh*

Quote

Security gone in 600 seconds: Make-me-admin hole found in Lenovo Windows laptop crapware. Delete it now

Solution Centre WONTFIX amid EOL date shenanigans

Not only has a vulnerability been found in Lenovo Solution Centre (LSC), but the laptop maker fiddled with end-of-life dates to make it seem less important – and is now telling the world it EOL'd the vulnerable monitoring software before its final version was released.

The LSC privilege-escalation vuln (CVE-2019-6177) was found by Pen Test Partners (PTP), which said it has existed in the code since it first began shipping in 2011. It was bundled with the vast majority of the Chinese manufacturer's laptops and other devices, and requires Windows to run. If you removed the app, or blew it away with a Linux install, say, you're safe right now.

"The bug itself is a DACL (discretionary access control list) overwrite, which means that a high-privileged Lenovo process indiscriminately overwrites the privileges of a file that a low-privileged user is able to control," PTP explained. "In this scenario, a low-privileged user can write a 'hardlink' file to the controllable location – a pseudofile which really points to any other file on the system that the low-privileged user doesn't have control of."

LSC runs a high-privileged scheduled task ten minutes (600 seconds) after a user logs onto the machine. The binary executed by the scheduled task overwrites the DACL of the Lenovo product's logs folder, PTP said, giving everyone in the Authenticated Users user group full read/write access to them. As all accounts are members of Authenticated Users, this means anyone can mess around with the logs.


By dropping a hardlink file into the logs folder pointing elsewhere on the target system, the LSC scheduled task can be used to escalate privileges for any file or executable. From there it's a short stretch to running arbitrary code with administrator-level privileges, and pwning the whole system in ten minutes. To be clear, to exploit this, you must already have access to the machine, either as a rogue logged-in user or with malware on the thing.

The solution? Uninstall Lenovo Solution Centre, and if you're really keen you can install Lenovo Vantage and/or Lenovo Diagnostics to retain the same branded functionality, albeit without the priv-esc part.

All straightforward. However, it went a bit awry when PTP reported the vuln to Lenovo. "We noticed they had changed the end-of-life date to make it look like it went end of life even before the last version was released," they told us.

Screenshots of the end-of-life dates – initially 30 November 2018, and then suddenly April 2018 after the bug was disclosed – can be seen on the PTP blog. The last official release of the software is dated October 2018, so Lenovo appears to have moved the EOL date back to April of that year for some reason.

"Sweeping a bug under the carpet?" mused PTP's Ken Munro to El Reg.

We have asked Lenovo why they changed the EOL date on the Lenovo Solution Centre page to make it look like they were releasing updates for a product they had already EOL'd.

"It’s often the case for applications that reach end of support that we continue to update the applications as we transition to new offerings is to ensure customers that have not transitioned, or choose not to, still have a minimal level of support, a practice that is not uncommon in the industry," was the response.

Source: The Register

So... The article is quite self-explanatory. :-S

 

Edit: Another source for the same "flaw" --> https://securityaffairs.co/wordpress/90295/hacking/lenovo-solution-centre-flaw.html
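The article's description of the bug class (privileged task rewrites the DACL of everything in a folder a low-privileged user can write to; the user plants a hard link there) is easy to misread as "the task edits some log files". The following added example reproduces the sequence in a throw-away directory with the current user playing both the attacker and the privileged task, so it shows why the target file's permissions change even though the task never names it. This is not PTP's proof of concept nor any Lenovo code, and it touches no Lenovo component; the folder and file names are stand-ins. It assumes Windows PowerShell 5.1 on an NTFS volume (hard links need one), and it needs no administrator rights.

```powershell
# Added demonstration of the DACL-overwrite-via-hard-link bug class (not PTP's or Lenovo's code,
# and no Lenovo component is involved). Runs as the current user under %TEMP%.
# Assumptions: Windows PowerShell 5.1, NTFS volume, no elevation required.

$ErrorActionPreference = 'Stop'
$AuthUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'   # Authenticated Users

# True if the DACL of $Path grants Authenticated Users a write-class right. This is the
# precondition the article describes: a privileged task handing a folder to every account.
function Test-AuthUsersCanWrite {
    param([Parameter(Mandatory)][string]$Path)
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }   # orphaned SID that no longer resolves; cannot be Authenticated Users
        # -band binds looser than -ne in PowerShell, so the mask test needs its own parentheses.
        if ($sid -eq $AuthUsers -and (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

# Files in $Path whose NTFS link count is above one, i.e. a second name for a file record that
# also lives elsewhere. Windows PowerShell 5.1 reports these with LinkType 'HardLink'.
function Get-HardLinkedFiles {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File | Where-Object { $_.LinkType -eq 'HardLink' }
}

# Reproduces the article's sequence: restricted target file, attacker-planted hard link in the
# "logs" folder, privileged grant to Authenticated Users on that folder and its files.
function Invoke-DaclOverwriteDemo {
    $root   = Join-Path $env:TEMP ('dacl-demo-' + [guid]::NewGuid().ToString('N'))
    $logs   = Join-Path $root 'logs'            # stand-in for the product's logs folder
    $secret = Join-Path $root 'protected.txt'   # stand-in for a file the low-privileged user must not control
    New-Item -ItemType Directory -Path $logs | Out-Null
    Set-Content -Path $secret -Value 'only the owner should write here'

    # Give protected.txt an explicit DACL with a single ACE for the current user, so that the
    # Authenticated Users grant below cannot reach it by inheritance.
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $acl = Get-Acl -Path $secret
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
    Set-Acl -Path $secret -AclObject $acl
    $before = Test-AuthUsersCanWrite -Path $secret

    # Attacker step: plant a hard link in the folder the privileged task will "fix up".
    # The link is another name for protected.txt's file record, not a copy of the data.
    New-Item -ItemType HardLink -Path (Join-Path $logs 'innocent.log') -Target $secret | Out-Null

    # Privileged step (simulated with the current user): grant Authenticated Users FullControl
    # on the logs folder and on every file in it, as the article says the LSC task does.
    $grant = New-Object System.Security.AccessControl.FileSystemAccessRule($AuthUsers, 'FullControl', 'Allow')
    foreach ($item in @(Get-Item -Path $logs) + @(Get-ChildItem -Path $logs -File)) {
        $a = Get-Acl -Path $item.FullName
        $a.AddAccessRule($grant)
        Set-Acl -Path $item.FullName -AclObject $a
    }

    # protected.txt was never named by the privileged step, yet its DACL changed: a DACL belongs
    # to the file record, and the hard link in logs\ resolves to that same record.
    $result = [pscustomobject]@{
        LogsFolderWritableByAuthUsers = Test-AuthUsersCanWrite -Path $logs
        HardLinksFoundInLogs          = @(Get-HardLinkedFiles -Path $logs).Count
        ProtectedWritableBefore       = $before
        ProtectedWritableAfter        = Test-AuthUsersCanWrite -Path $secret
    }
    Remove-Item -Path $root -Recurse -Force
    return $result
}

Invoke-DaclOverwriteDemo
```

The demo's point is the last two fields: Authenticated Users had no right on protected.txt before the simulated task ran and has FullControl afterwards, without the task ever touching that path. On a real machine the two helper functions are the check a defender wants: locate the task with `Get-ScheduledTask` (filter on the action's `Execute` path; the article does not give the LSC binary or logs path, so that has to come from the task definition itself), then run `Test-AuthUsersCanWrite` and `Get-HardLinkedFiles` against the folder it rewrites. Any hard link in a folder that a privileged process re-permissions is a finding; the fix the article gives, uninstalling LSC, removes the task rather than the folder.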


What did anyone expect? They can't even properly implement a simple thing like the bootloader unlock on their tablet, and there's zero response on their forum....


1 minute ago, Arika S said:

It's my belief to always reinstall a fresh Windows on any new laptop you get. None of this additional crap.

Well... It depends if it's a new Windows or if you do a factory reset.

If it's the latter you'll get the same crap... What I usually do on any new laptop is uninstall this crap, as much of it as I find. Just in case.


7 minutes ago, Cora_Lie said:

Well... It depends if it's a new Windows or if you do a factory reset.

If it's the latter you'll get the same crap... What I usually do on any new laptop is uninstall this crap, as much of it as I find. Just in case.

Nope. Actual fresh install.


This bug is pointless. It's just privilege escalation, and it requires that you already have physical access (or via remote malware).

If you have physical access, it only takes 60 seconds to create a new admin account from the login screen, and that's all versions of Windows, regardless of manufacturer. Why dick around with running programs with escalated permissions when you can just make a new admin and do whatever you want?


Joke's on you! Windows 10 already made me clean install two times!


Another reason not to keep bloatware.


13 hours ago, TrigrH said:

I always make sure to take a copy of C:\drivers\ before I format the sucker!

I just make an image from the whole drive with dd... Then download all the installers and extract only the driver.
