Security gone in 600 seconds: Make-me-admin hole found in Lenovo Windows laptop crapware. Delete it now
Not only has a vulnerability been found in Lenovo Solution Centre (LSC), but the laptop maker fiddled with end-of-life dates to make it appear shorter, and is now telling the world it EOL'd the vulnerable monitoring software before its final version was released.
The LSC privilege-escalation vuln (CVE-2019-6177) was found by Pen Test Partners (PTP), which said it has existed in the code since it first began shipping in 2011. It was bundled with the overwhelming majority of the Chinese manufacturer's laptops and other devices, and needs Windows to run. If you removed the app, or blew it away with a Linux install, say, you're safe right now.
"The bug itself is a DACL (discretionary access control list) overwrite, which means that a high-privileged Lenovo process indiscriminately overwrites the privileges of a file that a low-privileged user is able to control," PTP explained. "In this scenario, a low-privileged user can write a 'hardlink' file to the controllable location – a pseudofile which really points to any other file on the system that the low-privileged user doesn't have control of."
LSC runs a high-privileged scheduled task 10 minutes (600 seconds) after a user logs onto the machine. The binary executed by the scheduled task overwrites the DACL of the Lenovo product's logs folder, PTP said, giving everyone in the Authenticated Users group full read/write access to it. As every logged-on account is a member of Authenticated Users, this means anyone on the box can tamper with the contents of that folder.
By dropping a hardlink into the logs folder that points at some other file on the target system, an attacker gets the LSC scheduled task to rewrite the DACL of that file instead, handing the low-privileged user full control over any file or executable they choose. From there it's a short step to running arbitrary code with administrator-level privileges, and pwning the whole system in 10 minutes. To be clear, to exploit this you must already have access to the machine, either as a rogue logged-in user or with malware on the thing.
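The three conditions described above (a scheduled task running with a high-privilege token, a folder whose DACL grants Authenticated Users write rights, and hardlinks planted in that folder) can each be checked from PowerShell. The script below is an added audit example written for this page; it is not code from Pen Test Partners, The Register or Lenovo. The article does not name the scheduled task or the logs folder, so the `*Lenovo*` executable filter and the `$logFolder` path are placeholders you must replace with the real values from an affected image.

```powershell
# Added audit script (not from Pen Test Partners or Lenovo). Run from an
# elevated Windows PowerShell 5.1 prompt on a machine with LSC installed.
#
# ASSUMPTIONS: the task filter ('*Lenovo*' in the action's executable path)
# and the folder passed to -Path are placeholders; the article names neither.

function Find-PrivilegedVendorTasks {
    # Lists scheduled tasks that run as SYSTEM or with the highest available
    # token and whose action executes a binary matching $ExecutablePattern.
    param([string]$ExecutablePattern = '*Lenovo*')   # assumption, see above

    Get-ScheduledTask | Where-Object {
        $p = $_.Principal
        ($p.UserId -eq 'SYSTEM' -or $p.UserId -eq 'NT AUTHORITY\SYSTEM' -or $p.RunLevel -eq 'Highest') -and
        ($_.Actions | Where-Object { $_.Execute -like $ExecutablePattern })
    } | ForEach-Object {
        [pscustomobject]@{
            TaskPath = $_.TaskPath
            TaskName = $_.TaskName
            RunsAs   = $_.Principal.UserId
            RunLevel = $_.Principal.RunLevel
            Execute  = ($_.Actions | ForEach-Object { $_.Execute }) -join '; '
            Triggers = ($_.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ', '
        }
    }
}

function Test-WeakFolderDacl {
    # Reports Allow ACEs on $Path that let broad groups (Authenticated Users,
    # Everyone, BUILTIN\Users) create, replace, delete or re-ACL files there.
    param([Parameter(Mandatory)][string]$Path)

    $writeRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::WriteDac -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl

    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match 'Authenticated Users|^Everyone$|BUILTIN\\Users' -and
        (([int]$_.FileSystemRights) -band ([int]$writeRights)) -ne 0
    } | ForEach-Object {
        [pscustomobject]@{
            Folder    = $Path
            Identity  = $_.IdentityReference.Value
            Rights    = $_.FileSystemRights
            Inherited = $_.IsInherited
        }
    }
}

function Find-HardLinks {
    # A file with more than one name shows LinkType 'HardLink'; on Windows
    # PowerShell 5.1 the Target property lists its other names, which is how
    # a planted link pointing at a privileged file would show up.
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LinkType -eq 'HardLink' } |
        ForEach-Object {
            [pscustomobject]@{
                File       = $_.FullName
                OtherNames = @($_.Target) -join '; '
            }
        }
}

# Example run. The folder below is a placeholder, not a path from the article.
Find-PrivilegedVendorTasks | Format-Table -AutoSize

$logFolder = 'C:\ProgramData\Lenovo\LSC\Logs'   # ASSUMPTION: replace with the real logs folder
if (Test-Path -Path $logFolder) {
    Test-WeakFolderDacl -Path $logFolder | Format-Table -AutoSize
    Find-HardLinks      -Path $logFolder | Format-Table -AutoSize
} else {
    Write-Warning "Placeholder folder '$logFolder' not found; set `$logFolder to the real path."
}
```

Run it once right after a fresh logon and again a little more than ten minutes later: an empty result from `Test-WeakFolderDacl` on the first run followed by an Authenticated Users ACE with write-level rights on the second is exactly the DACL rewrite PTP describes. A non-empty result from `Find-HardLinks` inside that folder on a machine you did not set up that way deserves an incident ticket rather than a shrug.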
The solution? Uninstall Lenovo Solution Centre, and if you’re really keen you can install Lenovo Vantage and/or Lenovo Diagnostics to retain the same branded functionality, albeit without the priv-esc part.
All straightforward. However, it went a little awry when PTP reported the vuln to Lenovo. "We noticed that they had changed the end-of-life date to make it look like it went end of life even before the last version was released," they told us.
Screenshots of the end-of-life dates – initially 30 November 2018, and then suddenly April 2018 once the bug was disclosed – can be seen on the PTP blog. The last official release of the software is dated October 2018, so Lenovo appears to have moved the EOL date back to April of that year for some reason.
“Sweeping a bug under the carpet?” mused PTP’s Ken Munro to El Reg.
We have asked Lenovo why they changed the EOL date on the Lenovo Solution Centre page to make it look like they were releasing updates for a product they had already EOL'd.
"It's often the case for applications that reach end of support that we continue to update the applications as we transition to new offerings, to ensure customers that have not transitioned, or choose not to, still have a minimal level of support, a practice that's not uncommon in the industry," was the response.