Hack hole turns pleb users to admin queens, kills AV to boot
Lenovo has patched a dangerous hole in its rebuilt Solution Center that could allow attackers to gain god mode access on hacked machines and to kill running processes including anti-virus.
The pre-installed OEM software helps users update Lenovo tools and manage features like firewalls.
Attackers with existing but unprivileged hacked access can gain privilege escalation to run tasks with local system rights.
Trustwave lead researcher Martin Rakhmanov quietly reported the flaws (CVE-2016-5249 – CVE-2016-5248) to Lenovo which issued a patch.
“This could be used in mounting further attacks by disabling anti-virus or some other protection mechanisms for instance,” Rakhmanov says.
“Specifically, we at Trustwave SpiderLabs’ found that the new version, even though significantly reworked, still allowed unprivileged users to elevate privileges to LocalSystem.”
Rakhmanov says that the TCP server API that loads .NET assemblies from disk does not do so from only trusted paths, as intended. Instead, it loads any .NET assembly on the same partition where the Lenovo Solution Center software is installed.
Attackers can load their malicious .NET assemblies into a privileged process, granting them easy privilege escalation.
Users should upgrade to version 3.3.003 of the Lenovo Solution Center or uninstall it to protect themselves.
Lenovo took about five weeks to fix the flaw, faster than when similar holes were reported in Solution Centre in May. ®