System Update supports all NLS (National Language Support) language packs. The malicious schedule task executes our payload as “NT Authority/SYSTEM” giving us a successfully escalation of privilege.Ī proof-of-concept application below automates the different steps and forces System Update to load “payload.xml” into scheduled tasks.Table 1. This successfully denies “ConfigScheduledTask.exe” the ability to copy and overwrite the real XML file to “C:\ProgramData\Lenovo\SystemUpdate\sessionSE”.Ĭopy/overwrite fails, but “ConfigScheduledTask.exe” continues and loads the malicious schedule task XML-file. System Update shortly performs permission changes to “C:\ProgramData\Lenovo\SystemUpdate\sessionSE” allowing all users to READ/WRITE to the directory and all subdirectories and files.ĭuring this brief permission change, we overwrite “TVSUUpdateTask_Login.xml” with a malicious schedule task XML.Īfter overwriting the file, a file handle to “TVSUUpdateTask_Login.xml” is called, allowing other processes to only read the file. This application logic provided us with a path to perform privilege escalation using the following steps: These permissions only exists for few seconds before they are reverted again. Some of these executables are native for Windows and performs temporary permission changes which allow all users to read/write to the two directories: “C:\ProgramData\Lenovo\SystemUpdate\logs” and “C:\ProgramData\Lenovo\SystemUpdate\sessionSE”. Multiple high privilege executables will be spawned by the service executable upon update. The System Update applications run as a low privilege executable(user interface) and a service executable running as “NT Authority/SYSTEM”. Lenovo will disclose the vulnerability publicly September 8 2020. Lenovo Product Security Incident Response Team releases version of System Update which patches the vulnerability. Lenovo Product Security Incident Response Team confirms the vulnerability, given internal vulnerability number LEN-41150. Lenovo Product Security Incident Response Team informs that they are investigating the issue.
– Lenovo Product Security Incident Response Team e-mailed with detailed description. Like in my previously disclosed vulnerabilities for Intel Driver & Support Assistant and Splashtop Streamer, the process of updating software and firmware can, if not implemented securely, leave a system vulnerable for privilege escalation. The application often comes preloaded on Lenovo systems. System Update is an application for keeping drivers, firmwares and software packages up-to-date on Lenovo workstations or laptops.
0 kommentar(er)
