Analysis of Two Elevation of Privilege vulnerabilities found in Lenovo system updates

Analysis of Two Elevation of Privilege vulnerabilities found in Lenovo system updates

Two Elevation of Privilege vulnerabilities in Lenovo's latest system update announcement were I submitted several weeks ago (CVE-2015-8109, CVE-2015-8110) IOActive and Lenovo issued a warning in this report!

Details

Before the detoxification details, let's take a look at the overview above. The whole process for the Lenovo system to update the GUI application with the Administrator permission is as follows:

 

1.The user runs tvsu.exe.exe and runs tvsucommandlauncher.exe to start system updates. Before that, Lenovo fixed the IOActive vulnerability. In the new version of TvsuServiceCommon. dll, a group of tasks are defined. The parameter range is 1 ~ 6

2.TvsuCommandLauncher.exe, usually contact the SUService service that runs the system permission. Higher permissions are required to process the required query.

3.after the suserviceservice, enable uacsdk.exe with the system permission and run the GUI interface with the Administrator permission.

4.UACSdk.exe checks whether a user is an unauthorized common user or a Vista administrator who can escalate permissions.

5. Based on User Permissions:

(1) If you manage users for Vista, the permissions will be elevated.

(2) If uacsdk.exe creates a temporary administrator account with a random password for an ordinary user, it will be deleted after the application is closed.

The temporary administrator account follows the tvsu_tmp_xxxxxXXXXX format. lowercase x is a randomly generated lowercase character, uppercase X is a randomly generated uppercase character, and the generated random password is 19 bytes.

This is an example of creating a random User:

 

6.through tvsukernel.exe, the main Lenovo system updates the GUI and runs as administrator.

 

BUG 1: Lenovo system updates help topic Elevation of Privilege

The first BUG is in the Help system, and there are two entry points. You can use Internet Explorer to Open Online Help topics.

1-links in the main application interface:

 

2-click the help icon in the upper-right corner and then click Settings:

 

Run the main tvsukernel.exe application as the administrator ID. Open a Help URL in the browser instance to inherit the permissions of the parent administrator.

Here, an unprivileged attacker has many ways to use browser instances to escalate accounts to Administrator or SYSTEM permissions.

 

BUG 2: Lenovo system weak password function elevation

This BUG is more technical. Use this vulnerability to create a temporary administrator account in step 5b.

The sub_402190 function is used to create temporary management for the original account. It contains the following important code snippets:

 

The sub_401810 function receives three parameters and generates the random string format.

When sub_401810 uses RAND to generate a format, seed Initialization is based on adding the current time, rand value, and the following definitions:

 

Once seed is defined, the function uses the RAND loop and the specific division/multiplication values to generate a random value.

Note the cycle shown

 

The first function call is used to generate 10 characters (tvsu_tmp_xxxxxXXXXX) after the administrator user name)

The algorithm is predictable because it is based on rand. Based on the Account creation time, attackers may generate the same user name again.

For the generated password (which is more important), Lenovo has a safer Method: Microsoft Crypto API (method #1) in the sub_401BE0 function. We will not detoxify this Method, this is because the vulnerability discovered by IOActive has nothing to do with it. We should look at how Method #2 generates a password when Method #1 fails.

Return the code snippet related to password generation:

 

We can clearly see that if the sub_401BE0 function fails, use the RAND-based algorithm to return the execution process (defined before the sub_401810 function) and generate a predictable password for the temporary administrator account. In other words, attackers can use Method #2 to predict passwords.

This means that attackers can predict user names and passwords in some cases and use them to escalate account permissions!