Security flaws pile up in support applications installed by PC manufacturers
The number of vulnerabilities discovered
in technical support applications installed
on PCs by manufacturers keeps piling up.
New exploits have been published for flaws
in Lenovo Solution Centre, Toshiba Service
Station and Dell System Detect.
The flaws were discovered by a hacker
who uses the online aliases slipstream and
RoL, and who released a proof-of-concept
exploit for them. This prompted the CERT
Coordination Center at Carnegie Mellon
University to publish a security advisory.
One of the issues is caused by the
LSCTaskService, which is created by the
Lenovo Solution Centre and runs with
SYSTEM privileges. This service opens
an HTTP daemon on port 55555 that
can receive commands. One of those
commands is called RunInstaller and
executes files placed in the
%APPDATA%\LSC\Local Store folder.
Any local user can write to this directory,
regardless of their privilege, but the files
are executed as the SYSTEM account. This
means that a restricted user can exploit the
logic flaw to gain full system access.
Furthermore, there is a directory traversal
flaw that can be exploited to trick the
Lenovo Solution Centre into executing code
from arbitrary locations, so an attacker
doesn’t even need to place files in the
aforementioned Local Store folder.
Finally, the LSCTaskService is vulnerable
to cross-site request forgery (CSRF), an
attack method through which a malicious
website can relay rogue requests through
the user’s browser. This means that, in order
to exploit the previous two flaws, an attacker
doesn’t even need to have local access to the
system where the Lenovo Solution Centre is
installed and can simply trick the user into visiting
a specially crafted web page.
In a security advisory on its website,
Lenovo said it is currently investigating the
vulnerability report and will provide a fix as
soon as possible. Until then, concerned users
can uninstall the Lenovo Solution Centre in
order to mitigate the risk, the company said.
Slipstream also published proof-of-concept
exploits for two other, lower-impact,
vulnerabilities – one in the Toshiba Service
Station (TST) and another in Dell System
Detect (DSD), a tool that users are prompted
to install when they click the Detect Product
button on Dell’s support website.
The TST app creates a service called
TMachInfo that runs as SYSTEM and receives
commands via UDP port 1233 on the local
host. One of those commands is called
Reg.Read and can be used to read most of the
Windows Registry with system privileges.
The flaw in DSD stems from the way Dell
attempted to fix a previous vulnerability.
According to slipstream, Dell implemented
RSA-1024 signatures to authenticate
commands, but put them in a place on its
website where attackers can obtain them.
These can be used as a crude bypass method
for Windows’ User Account Control (UAC).
This is not the first time vulnerabilities
have been found in support tools installed
on Lenovo or Dell computers.
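
To check whether a machine exposes the two SYSTEM services described above, an administrator can run the following PowerShell audit. It is an added example, not code from the article, the researcher or the vendors. The service names and ports come from the article; that they match the names registered with Windows is an assumption, and Get-SupportToolExposure is a name chosen for this example.

```powershell
# Added example: exposure check for the support-tool services named in the article.
# Service names and ports are taken from the article text. Assumption: they match
# the names registered with the Windows Service Control Manager.
$targets = @(
    @{ Product = 'Lenovo Solution Centre';  Service = 'LSCTaskService'; Proto = 'TCP'; Port = 55555 },
    @{ Product = 'Toshiba Service Station'; Service = 'TMachInfo';      Proto = 'UDP'; Port = 1233 }
)

function Get-SupportToolExposure {
    foreach ($t in $targets) {
        # Win32_Service exposes the logon account (StartName) and current state.
        $svc = Get-CimInstance -ClassName Win32_Service `
                   -Filter "Name='$($t.Service)'" -ErrorAction SilentlyContinue

        # Look at the port as well, in case the service is registered under another name.
        if ($t.Proto -eq 'TCP') {
            $ep = Get-NetTCPConnection -State Listen -LocalPort $t.Port -ErrorAction SilentlyContinue
        } else {
            $ep = Get-NetUDPEndpoint -LocalPort $t.Port -ErrorAction SilentlyContinue
        }

        $addrs = ''
        $owners = ''
        if ($ep) {
            # A bind address other than 127.0.0.1 or ::1 means the port is reachable off-host.
            $addrs  = ($ep.LocalAddress | Sort-Object -Unique) -join ','
            $owners = ($ep.OwningProcess | Sort-Object -Unique | ForEach-Object {
                (Get-Process -Id $_ -ErrorAction SilentlyContinue).ProcessName
            }) -join ','
        }

        [pscustomobject]@{
            Product       = $t.Product
            Service       = $t.Service
            Installed     = [bool]$svc
            State         = $svc.State
            RunsAs        = $svc.StartName
            Endpoint      = "$($t.Proto)/$($t.Port)"
            PortBound     = [bool]$ep
            BoundAddress  = $addrs
            OwningProcess = $owners
        }
    }
}

Get-SupportToolExposure | Format-Table -AutoSize
```

A row with Installed or PortBound set to True identifies a machine where the uninstall mitigation mentioned in Lenovo's advisory, or the equivalent removal of the Toshiba tool, is worth applying.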