Executive Summary

Title: Lenovo Solution Center LSCTaskService privilege escalation, directory traversal, and CSRF

Information

Name: VU#294607
First vendor publication: 2015-12-04
Vendor: VU-CERT
Last vendor modification: 2015-12-21
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact subscore: NA
Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector:
CVSS base score: Not Defined
CVSS impact score: Not Defined
CVSS exploit score: Not Defined
Attack range: Not Defined
Attack complexity: Not Defined
Authentication: Not Defined

Detail

Vulnerability Note VU#294607

Lenovo Solution Center LSCTaskService privilege escalation, directory traversal, and CSRF

Original Release date: 04 Dec 2015 | Last revised: 21 Dec 2015

Overview

The Lenovo Solution Center application contains multiple vulnerabilities that can allow an attacker to execute arbitrary code with SYSTEM privileges.

Description

CWE-732: Incorrect Permission Assignment for Critical Resource

Launching the Lenovo Solution Center creates a process called LSCTaskService, which runs with SYSTEM privileges. This process runs an HTTP daemon on port 55555, which allows HTTP GET and POST requests to execute methods in the LSCController.dll module. This component includes a number of unsafe methods, including RunInstaller, which is designed to execute arbitrary code from the %APPDATA%\LSC\Local Store directory. This directory is created for each user that logs in to an affected system. The user can write to this directory, regardless of whether the account has administrative privileges on the system. This vulnerability can allow a standard local user to execute arbitrary code with SYSTEM privileges.

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Due to a directory traversal vulnerability, Lenovo Solution Center allows an attacker to execute code that resides in an arbitrary location on the drive where user profile directories exist. If an attacker can place arbitrary code in a predictable location on a vulnerable system, this can allow for arbitrary code execution with SYSTEM privileges.
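The containment check that a privileged launcher needs before running a file named by a request, shown beside the unchecked join (an added example, not Lenovo's code or its fix). The base directory value and both function names are constructed for illustration; `ntpath` is used so Windows path rules apply on any OS.

```python
import ntpath  # Windows path semantics, importable on any platform

# Constructed sample; the advisory only names %APPDATA%\LSC\Local Store.
BASE = r"C:\Users\alice\AppData\Roaming\LSC\Local Store"


def naive_resolve(base: str, requested: str) -> str:
    """Weak form: join and normalise, never checking where the result lands."""
    return ntpath.normpath(ntpath.join(base, requested))


def contained_resolve(base: str, requested: str) -> str:
    """Hardened form: raise ValueError unless the result stays under base."""
    # Absolute, drive-qualified and UNC inputs make ntpath.join discard the
    # base entirely, so refuse them before joining.
    drive, rest = ntpath.splitdrive(requested)
    if drive or rest.startswith(("\\", "/")):
        raise ValueError("absolute or drive-qualified path rejected")
    base_n = ntpath.normcase(ntpath.normpath(base))
    full = ntpath.normpath(ntpath.join(base, requested))
    # commonpath compares whole components, so a sibling such as
    # "Local Store2" is not accepted the way a startswith() test would.
    if ntpath.commonpath([base_n, ntpath.normcase(full)]) != base_n:
        raise ValueError("path escapes the base directory")
    return full


if __name__ == "__main__":
    for req in (r"setup\install.exe", r"..\..\..\..\..\Public\x.exe",
                r"..\Local Store2\x.exe", r"D:\x.exe"):
        try:
            print("accepted:", contained_resolve(BASE, req))
        except ValueError as err:
            print("rejected:", req, "->", err)
```

Containment alone does not address the CWE-732 issue above: the base directory is writable by the standard user, so a SYSTEM process must not execute files from it at all without a further trust check such as signature verification.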

CWE-353: Cross-Site Request Forgery (CSRF)

The LSCTaskService component of Lenovo Solution Center contains a CSRF vulnerability. This vulnerability allows web content hosted by any domain to successfully execute requests using the vulnerable service. The CSRF vulnerability in Lenovo Solution Center allows a malicious or compromised web site to cause code execution with SYSTEM privileges on an affected Lenovo system.
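A request gate that a loopback HTTP service of this kind could apply before dispatching any action, so that browser-originated requests from other sites are refused (an added example, not Lenovo's code or its fix). The header name `x-lsc-token`, the function names and the sample requests are hypothetical; only port 55555 comes from the advisory.

```python
import hmac
import secrets

# Assumption: the service is bound to loopback on the port the advisory names.
ALLOWED_HOSTS = {"127.0.0.1:55555", "localhost:55555"}
ACTION_METHODS = {"POST"}        # actions are never triggered by GET
TOKEN_HEADER = "x-lsc-token"     # hypothetical custom header


def new_session_token() -> str:
    """Per-launch secret handed only to the legitimate local client."""
    return secrets.token_urlsafe(32)


def allow_request(method: str, headers: dict, session_token: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one incoming request."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() not in ACTION_METHODS:
        return False, "method not allowed for actions"
    if h.get("host", "").lower() not in ALLOWED_HOSTS:
        return False, "unexpected Host header"
    # Browsers attach Origin to cross-site POSTs; the local client sends none.
    if "origin" in h:
        return False, "request carries a web Origin"
    # A cross-site form or image tag cannot set a custom header, and it
    # cannot read the token, so a forged request fails here as well.
    supplied = h.get(TOKEN_HEADER, "")
    if not hmac.compare_digest(supplied.encode(), session_token.encode()):
        return False, "missing or wrong session token"
    return True, "ok"


if __name__ == "__main__":
    token = new_session_token()
    # Constructed sample requests.
    local = {"Host": "127.0.0.1:55555", "X-LSC-Token": token}
    forged = {"Host": "127.0.0.1:55555", "Origin": "https://example.test"}
    print(allow_request("POST", local, token))
    print(allow_request("POST", forged, token))
    print(allow_request("GET", local, token))
```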

Note that all of these vulnerabilities appear to require that the user has launched the Lenovo Solution Center at least once. Simply closing the Lenovo Solution Center does appear to stop the vulnerable LSCTaskService process.

Lenovo has provided the following statement:

    "Lenovo has released two updated versions of Lenovo Solution Center for different versions of Windows operating systems that address these vulnerabilities. Additional information regarding downloading updated versions can be found on Lenovo Security Advisory: LEN-4326 located here: https://support.lenovo.com/us/en/product_security/len_4326"

Impact

By convincing a user who has launched the Lenovo Solution Center to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with SYSTEM privileges. Additionally, a local user can execute arbitrary code with SYSTEM privileges.

Solution

Apply an update

Lenovo has released updated versions of the Lenovo Solution Center to address these issues. Affected users may obtain the updates from https://support.lenovo.com/us/en/product_security/len_4326.

You may also consider the following workaround:

Uninstall Lenovo Solution Center

Uninstall Lenovo Solution Center to prevent exploitation of these vulnerabilities.

Vendor Information

Vendor   Status     Date Notified   Date Updated
Lenovo   Affected   03 Dec 2015     04 Dec 2015

CVSS Metrics

Group           Score   Vector
Base            10.0    AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal        9.0     E:POC/RL:U/RC:C
Environmental   6.7     CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • https://support.lenovo.com/us/en/product_security/len_4326
  • http://rol.im/oemdrop/

Credit

This vulnerability was publicly disclosed by @TheWack0lian.

This document was written by Garret Wassermann, Will Dormann, and Joel Land.

Other Information

  • CVE IDs: Unknown
  • Date Public: 03 Dec 2015
  • Date First Published: 04 Dec 2015
  • Date Last Updated: 21 Dec 2015
  • Document Revision: 57

Original Source

URL: http://www.kb.cert.org/vuls/id/294607

Alert History

Date Information
2015-12-21 21:23:07
  • Multiple Updates
2015-12-08 21:24:11
  • Multiple Updates
2015-12-05 00:23:47
  • Multiple Updates
2015-12-04 21:24:03
  • Multiple Updates
2015-12-04 17:23:39
  • First insertion