High-severity issue found in Lenovo's pre-installed software - Security Response Center

admin 2019-8-25 224

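Translation:

Security researchers at Pen Test Partners have found a privilege escalation vulnerability in the much-maligned Lenovo Solution Centre software.

Another flaw has been found in Lenovo’s decommissioned Lenovo Solution Centre software, which is preinstalled on millions of older-model PCs made by the world’s leading computer maker. The vulnerability is a privilege escalation flaw that can be used to execute arbitrary code on a targeted system, giving an adversary Administrator or SYSTEM-level privileges.

The research comes from Pen Test Partners, who found the flaw (CVE-2019-6177) and said the vulnerability is tied to its much-maligned Lenovo Solution Center (LSC) software.

“The bug itself is a DACL (discretionary access control list) overwrite, which means that a high-privileged Lenovo process indiscriminately overwrites the privileges of a file that a low-privileged user is able to control,” wrote researchers at Pen Test Partners in a technical description of the bug posted Thursday.

Lenovo issued a security bulletin regarding this bug and recommended users upgrade to a similar utility called Lenovo Vantage.

Researchers describe the bug as giving hackers with low-privilege access to a PC the ability to write a “hardlink” file to a controllable location. This “hardlink” file would be a low-privilege “pseudo file” that could be used to point to a second privileged file.

“When the Lenovo process runs, it overwrites the privileges of the hardlinked file with permissive privileges, which lets the low-privileged user take full control of a file they shouldn’t normally be allowed to,” researchers wrote. “This can, if you’re clever, be used to execute arbitrary code on the system with Administrator or SYSTEM privileges.”

The software’s intended purpose is to monitor the overall health of the PC. It monitors the battery and firewall and checks for driver updates. It comes pre-installed on the majority of Lenovo PCs, including desktops and laptops, for both businesses and consumers.

The problematic version is 03.12.003, which Lenovo said is no longer supported. According to Lenovo, the software was originally released in 2011. Lenovo said LSC has been “officially” designated end of life since November 2018. However, a version is still available for download via the Lenovo website.

Lenovo’s LSC software has been a constant source of headaches for Lenovo. In 2016, researchers found a similar privilege escalation bug. In 2015, the hacking group Slipstream/RoL demonstrated a proof-of-concept attack that exploited an LSC bug to allow a malicious web page to execute code on Lenovo PCs with system privileges.

The LSC security flaw is the most recent in a long list of security flaws that have plagued Lenovo over the past year. In February 2015, Lenovo was put in the security hot seat when researchers discovered a piece of software called Superfish that injected ads on websites and was abused by hackers to read encrypted passwords and web-browsing data.

Last August, Lenovo again landed in hot water when it was criticized for automatically downloading Lenovo Service Engine software (labeled as unwanted bloatware by many). Worse, when users removed the software, Lenovo systems were configured to download and reinstall the program without the PC owner’s consent.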

Original:

Another flaw has been found in Lenovo’s decommissioned Lenovo Solution Centre software, preinstalled on millions of older-model PCs made by the world’s leading computer maker. The vulnerability is a privilege escalation flaw that can be used to execute arbitrary code on a targeted system, giving an adversary Administrator or SYSTEM-level privileges.

The research comes from Pen Test Partners, who found the flaw (CVE-2019-6177) and said the vulnerability is tied to its much-maligned Lenovo Solution Center (LSC) software.

“The bug itself is a DACL (discretionary access control list) overwrite, which means that a high-privileged Lenovo process indiscriminately overwrites the privileges of a file that a low-privileged user is able to control,” wrote researchers at Pen Test Partners in a technical 

Lenovo issued a security bulletin regarding this bug and recommended users upgrade to a similar utility called Lenovo Vantage.

Researchers describe the bug as giving hackers with low-privilege access to a PC the ability to write a “hardlink” file to a controllable location. This “hardlink” file would be a low-privilege “pseudo file” that could be used to point to a second privileged file.

“When the Lenovo process runs, it overwrites the privileges of the hardlinked file with permissive privileges, which lets the low-privileged user take full control of a file they shouldn’t normally be allowed to,” researchers wrote. “This can, if you’re clever, be used to execute arbitrary code on the system with Administrator or SYSTEM privileges.”
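The mechanism the researchers describe, as an added example (not code from Pen Test Partners or Lenovo): a permission reset applied by name also changes every other hard link to the same file, and checking the link count on the opened handle stops that. POSIX mode bits stand in for the Windows DACL here, and the file and directory names are constructed.

```python
import os
import stat
import tempfile

def naive_reset_permissions(path, mode=0o666):
    """Pattern from the article: a privileged process loosens permissions
    on whatever the path names, without inspecting it first."""
    os.chmod(path, mode)

def safe_reset_permissions(path, mode=0o666):
    """Hardened form: open without following symlinks, inspect the opened
    object, and refuse anything that is not a singly-linked regular file."""
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_nlink != 1:
            raise PermissionError(f"{path}: {st.st_nlink} hard links, refusing")
        os.fchmod(fd, mode)  # act on the handle that was checked, not the name
    finally:
        os.close(fd)

def demo():
    """Constructed scenario: 'protected.cfg' stands in for a privileged file,
    'logs/' for a directory a low-privileged user can write to."""
    with tempfile.TemporaryDirectory() as root:
        protected = os.path.join(root, "protected.cfg")
        with open(protected, "w") as f:
            f.write("owner-only\n")
        os.chmod(protected, 0o600)
        logs = os.path.join(root, "logs")
        os.mkdir(logs)
        planted = os.path.join(logs, "service.log")
        os.link(protected, planted)  # second name for the same file

        try:
            safe_reset_permissions(planted)
            refused = False
        except PermissionError:
            refused = True
        mode_after_safe = stat.S_IMODE(os.stat(protected).st_mode)

        naive_reset_permissions(planted)  # loosens 'protected.cfg' as well
        mode_after_naive = stat.S_IMODE(os.stat(protected).st_mode)
        return refused, mode_after_safe, mode_after_naive
```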

The software’s intended purpose is to monitor the overall health of the PC. It monitors the battery, firewall and checks for driver updates. It comes pre-installed on the majority of Lenovo PCs, including desktop and laptop, for both businesses and consumers.

The problematic version is 03.12.003, which Lenovo said is no longer supported. According to Lenovo, the software was originally released in 2011. Lenovo said LSC has been “officially” designated end of life since November 2018. However, a version is still available for download via the Lenovo website.

Lenovo’s LSC software has been a source of many headaches for Lenovo. In 2016, researchers found a similar escalation of privileges bug. In 2015, the hacking group Slipstream/RoL demonstrated a proof-of-concept attack that exploited an LSC bug that allowed a malicious web page to execute code on Lenovo PCs with system privileges.

The LSC security flaw is the most recent in a long list of security fumbles that have plagued Lenovo over the past year. In February 2015, Lenovo was put in the security hot seat when researchers discovered a piece of software called Superfish that injected ads on websites and could be abused by hackers to read encrypted passwords and web-browsing data.

Last August, Lenovo again landed in hot water when it was criticized for automatically downloading Lenovo Service Engine software – labeled as unwanted bloatware by many. Worse, when users removed the software Lenovo systems were configured to download and reinstall the program without the PC owner’s consent.

