Blog: Vulnerability Advisory
PrivEsc in Lenovo Solution Centre, 10 minutes later
CVE-2019-6177 – Lenovo Solution Centre Privilege Escalation. Slow, but sure.
We found a privilege escalation vulnerability in the Lenovo Solution Centre (LSC) software, which came pre-installed on many Windows-based Lenovo devices.
Lenovo say LSC has been shipped since 2011, but haven’t been clear about when they stopped shipping it by default with new devices. It’s been “officially” end of life since 30th November 2018. So depending on when the bug was introduced, this could have been languishing on all Lenovo machines with LSC installed for about 8 years.
The bug itself is a DACL (discretionary access control list) overwrite, which means that a high-privileged Lenovo process indiscriminately overwrites the privileges of a file that a low-privileged user is able to control.
The high-privileged process gives all users on the system full control of that file. In this scenario, a low-privileged user can write a “hardlink” file to the controllable location – a pseudofile which really points to any other file on the system that the low-privileged user doesn’t have control of. When the Lenovo process runs, it overwrites the privileges of the hardlinked file with permissive privileges, which lets the low-privileged user take full control of a file they shouldn’t normally be allowed to. This can, if you’re clever, be used to execute arbitrary code on the system with Administrator or SYSTEM privileges.
If you’ve got LSC running on your Lenovo device – uninstall it. When we reported the issue to Lenovo, the LSC was a few months past its “end of life”.
It’s been assigned CVE-2019-6177. The Lenovo advisory is here.
More detail, please?
A DACL overwrite is a simple Windows privilege escalation trick, whereby a high-privileged process overwrites the discretionary access control list (DACL) of a file that a low-privileged user controls. To make it useful, the DACL of the file should be overwritten to make the permissions less restrictive – i.e. to give write/edit access to a group the low-privileged user is in (e.g. Authenticated Users).
That’s exactly what Lenovo Solution Centre (LSC) does.
When LSC is installed, it adds a task at “\Lenovo\Lenovo Solution Center Launcher”, which runs with “highest privileges”. You can see it in the Task Scheduler below:
This task basically just runs the LSC.Services.UpdateStatusService.exe binary 10 minutes after a login event.
That binary overwrites the DACL of all files in the C:\ProgramData\Lenovo\LSC\log\ directory to give members of the Authenticated Users group full access. Everyone’s a member of Authenticated Users. So everyone gets access to those files!
To make this exploitable, you need to create a hardlink file in the C:\ProgramData\Lenovo\LSC\log\ directory, linking to the file you want to overwrite the privileges of.
You create a file with any name in the directory and hard link it to, for example, the system hosts file (only Administrators should have write access to that file):
CreateHardlink.exe "C:\ProgramData\Lenovo\LSC\log\2019-01-01.log" "C:\Windows\System32\drivers\etc\hosts"
Then you log out, log in, and 10 minutes later, the hosts file DACL will be overwritten.
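A host audit for the conditions described above, added here as an example and not code from the original post or from Lenovo: it checks whether the launcher task is still registered, whether Authenticated Users can write to the files in the LSC log directory, and whether any of those files carry extra hard links to paths outside it. The task and directory names are the ones quoted in the post; an elevated Windows PowerShell 5.1 prompt is assumed.

```powershell
# Added audit example (not Lenovo's code): run from an elevated PowerShell 5.1 prompt.
# Names below are the ones quoted in the post.
$taskPath = '\Lenovo\'
$taskName = 'Lenovo Solution Center Launcher'
$logDir   = 'C:\ProgramData\Lenovo\LSC\log'
$writeBit = [int][System.Security.AccessControl.FileSystemRights]::WriteData

# 1. Is the "highest privileges" launcher task still registered? If so, LSC is still installed.
$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
if ($task) {
    Write-Warning "Task '$taskPath$taskName' is present (state: $($task.State)). Uninstall LSC."
} else {
    Write-Output "Launcher task not found."
}

# 2. For each file in the log directory, report whether Authenticated Users hold a write
#    ACE on it and whether the file body has other hard links (the abuse pattern above).
if (Test-Path -LiteralPath $logDir) {
    Get-ChildItem -LiteralPath $logDir -File | ForEach-Object {
        $file  = $_
        $drive = $file.FullName.Substring(0, 2)          # e.g. "C:"
        $acl   = Get-Acl -LiteralPath $file.FullName
        $authUsersWrite = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $writeBit) -ne 0)
        }).Count -gt 0
        # fsutil prints every path of the file body without the drive letter; any path
        # outside the log directory (e.g. under \Windows\System32) is a red flag.
        $links = @(& fsutil hardlink list $file.FullName 2>$null |
                   Where-Object { $_ } |
                   ForEach-Object { $drive + $_ } |
                   Where-Object { $_ -ne $file.FullName })
        [pscustomobject]@{
            File               = $file.Name
            AuthUsersWritable  = $authUsersWrite
            OtherHardLinkPaths = ($links -join '; ')
        }
    } | Format-Table -AutoSize
} else {
    Write-Output "Log directory $logDir not found."
}
```

A non-empty OtherHardLinkPaths column on a file in that directory is the indicator to investigate; the fix the post recommends is simply to uninstall LSC, which removes the task.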
To properly weaponize this you might, for instance, overwrite the DACL of a DLL which gets loaded by a process that runs as SYSTEM or at high integrity, then overwrite that DLL with some shellcode and trigger the process.
Lenovo cover their tracks?
Whilst Lenovo were responsive to my disclosure, when we reported this to them back in May, their LSC download page noted that the tool went end of life in November 2018:
But just after their disclosure went out, we noticed they had changed the end of life date to make it look like it went end of life even before the last version was released.
Their own vulnerability advisory states:
“Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Lenovo Vantage or Lenovo Diagnostics in April 2018”
…yet the last release of LSC was on 15th October 2018:
Could it be a typo, or were Lenovo trying to cover their tracks? Misleading and strange.