Analysis of two privilege escalation vulnerabilities found in Lenovo System Update - vulnerability warning - the black bar safety net

ID MYHACK58:62201569516
Type myhack58
Reporter Anonymous
Modified 2015-11-29T00:00:00


Lenovo has released the latest System Update advisory, covering the two privilege escalation vulnerabilities that I submitted a few weeks ago (CVE-2015-8109, CVE-2015-8110); both IOActive and Lenovo have issued advisories for them. Before getting into the details, here is a high-level overview.

The complete flow by which Lenovo System Update pops up its GUI application with administrator privileges is as follows:

[screenshot]

1. The user runs tvsu.exe, or runs TvsuCommandLauncher.exe with specific parameters, to start System Update. Lenovo had already fixed the vulnerabilities IOActive found earlier; in the new version TvsuServiceCommon.dll defines a set of tasks, with a parameter range of 1 to 6.
2. TvsuCommandLauncher.exe contacts the SUService service, which runs with SYSTEM permissions, to process the requests that require higher privileges.
3. The SUService service, running with SYSTEM permissions, opens UACSdk.exe, which is used to run the GUI with administrator permissions.
4. UACSdk.exe detects whether the user is an unprivileged ordinary user or a Vista administrator who can be elevated.
5. Depending on the user's permissions:
   (1) if the user is a Vista administrative user, the permissions are elevated;
   (2) if the user is an ordinary user, UACSdk.exe creates a temporary administrator account with a random password, which is deleted after the application closes. The temporary administrator account follows the format tvsu_tmp_xxxxxXXXXX, where each lowercase x is a randomly generated lowercase character and each uppercase X is a randomly generated uppercase character; a random password of 19 bytes is generated. This is an example of such a random user being created:

   [screenshot]

6. tvsukernel.exe, the main Lenovo System Update GUI, is started and run with administrator privileges.

[screenshot]

BUG 1: privilege escalation through the Lenovo System Update help topics

The first bug is in the help system, and it has two entry points. The user opens the online help topics through Internet Explorer:

1 – the link in the main application interface:

[screenshot]

2 – clicking the help icon in the upper right corner, then clicking Settings:

[screenshot]

When the main application, Tvsukernel.exe, runs as administrator, the browser instance opened for the Help URL inherits the parent's administrator privileges. From there, a non-privileged attacker has many ways to use the browser instance to elevate the account to Administrator or SYSTEM permissions.

[screenshot]

BUG 2: privilege escalation through Lenovo System Update's weak password function

This bug is more technical, and it concerns step 5 (2), the creation of the temporary administrator account. The sub_402190 function, which creates the temporary administrator account, contains the following important code fragment:

[screenshot]

The sub_401810 function receives 3 parameters and is responsible for generating a random string of a given format. When sub_401810 uses rand to generate the string, the seed is initialized from the current time, combined with rand values and the following definitions:

[screenshot]

Once the seed has been defined, the function uses rand in a loop, together with division/multiplication by particular values, to generate the random value. Note the loop shown in the figure below:

[screenshot]

The first call of this function generates the last 10 characters of the administrator user name (tvsu_tmp_xxxxxXXXXX). Because it is based on rand, the algorithm is in fact predictable: based on the time the account was created, an attacker is likely able to regenerate the same user name.

For the generated password (which matters more), Lenovo has a more secure method: within function sub_401BE0 the Microsoft Crypto API is used (Method #1). We will not go into this method, because it is unrelated to the vulnerability IOActive found. Instead, let's see how the password is generated by Method #2 when Method #1 fails. The code fragment that returns the generated password:

[screenshot]

We clearly see that if the sub_401BE0 function fails, the flow of execution falls back to the rand-based algorithm (the one in sub_401810, defined earlier) to generate a predictable password for the temporary administrator account. In other words, an attacker can predict the password produced by Method #2. This means that, in some cases, an attacker can predict both the user name and the password and use them to elevate the account's permissions!
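To make the design flaw concrete, here is an added example (constructed for this article, not Lenovo's code; the name format is the page's tvsu_tmp_xxxxxXXXXX, everything else is assumed) that puts a time-seeded rand() generator beside a CSPRNG-backed one, with a check that flags the replayable generator and a fallback that fails closed instead of dropping to rand():

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Constructed illustration: name = "tvsu_tmp_" + 5 lowercase + 5 uppercase (19 chars). */
#define NAME_LEN 19
static const char LOWER[] = "abcdefghijklmnopqrstuvwxyz";
static const char UPPER[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";

/* Weak generator: the only entropy is the creation timestamp used as the seed,
 * so the same second always yields the same name. */
void weak_temp_name(time_t created, char out[NAME_LEN + 1]) {
    srand((unsigned)created);
    memcpy(out, "tvsu_tmp_", 9);
    for (int i = 0; i < 5; i++) out[9 + i] = LOWER[rand() % 26];
    for (int i = 0; i < 5; i++) out[14 + i] = UPPER[rand() % 26];
    out[NAME_LEN] = '\0';
}

/* Unbiased index in [0,26) from a CSPRNG byte via rejection sampling (234 = 9*26). */
static int urandom_index26(FILE *f) {
    int b;
    do { b = fgetc(f); if (b == EOF) return -1; } while (b >= 234);
    return b % 26;
}

/* Hardened generator: no guessable seed. Returns 0 on success, -1 if the CSPRNG
 * is unavailable; the caller must then abort rather than fall back to rand(). */
int strong_temp_name(char out[NAME_LEN + 1]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    memcpy(out, "tvsu_tmp_", 9);
    for (int i = 0; i < 10; i++) {
        int k = urandom_index26(f);
        if (k < 0) { fclose(f); return -1; }
        out[9 + i] = (i < 5) ? LOWER[k] : UPPER[k];
    }
    out[NAME_LEN] = '\0';
    fclose(f);
    return 0;
}

/* Regression check for reviewers: 1 if two generations for one creation time coincide. */
int weak_is_replayable(time_t created) {
    char a[NAME_LEN + 1], b[NAME_LEN + 1];
    weak_temp_name(created, a);
    weak_temp_name(created, b);
    return strcmp(a, b) == 0;
}

/* 1 if two hardened names are well-formed and differ (collision chance is 26^-10). */
int strong_names_differ(void) {
    char a[NAME_LEN + 1], b[NAME_LEN + 1];
    if (strong_temp_name(a) != 0 || strong_temp_name(b) != 0) return 0;
    if (strlen(a) != NAME_LEN || strncmp(a, "tvsu_tmp_", 9) != 0) return 0;
    return strcmp(a, b) != 0;
}
```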