Slipstream has found even more vulnerable bundleware on Lenovo, Dell and Toshiba computers.
Again, these vulnerabilities are serious and high-severity, and they can be triggered remotely with SYSTEM-level permissions.
- Lenovo...
- Lenovo Solution Center creates a process called LSCTaskService that runs with full administrator rights, and fires up a web server on port 55555. It can be instructed via GET and POST HTTP requests to execute code in a directory a local user can access.
- Lenovo Solution Center will execute, again with full privileges, programs found in an arbitrary location on disk that the user can write to. Put some bad software in there, and it will be executed with admin rights.
- A classic cross-site request forgery (CSRF) vulnerability exists in the LSCTaskService process, allowing any visited webpage to pass commands to the local web server to execute with full privileges.
- Dell's bundled utility Dell System Detect can be made to gain admin privileges and execute arbitrary commands – by feeding it a security token downloaded from, er, dell.com: a token granting Dell System Detect permission to install manuals can be abused to execute programs (such as malware) with admin privileges. This can be exploited by software on your computer to fully compromise the machine.
- Toshiba's bundled Service Station tool can be abused by normal users and unprivileged software to read the majority of the operating system's registry as a SYSTEM-level user.
Solution
The CERT/CC is currently unaware of a practical solution to this problem. However, please consider the following workaround:
Uninstall or close Lenovo Solution Center
Uninstall Lenovo Solution Center to prevent exploitation of these vulnerabilities. Closing any running instance of Lenovo Solution Center also prevents exploitation.
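To confirm whether a machine still needs the workaround above, the following PowerShell check is an added example, not code from CERT/CC, Lenovo or the original article. It uses only the names given on this page (the LSCTaskService process, port 55555, the Lenovo Solution Center product name) and assumes an elevated session on Windows 8 / Server 2012 or later, where Get-NetTCPConnection is available.

```powershell
# Added example: exposure check for the Lenovo Solution Center issues described above.
# Names from the page: process LSCTaskService, TCP port 55555, product "Lenovo Solution Center".
# Assumption: run from an elevated PowerShell session.

$port        = 55555
$processName = 'LSCTaskService'
$productName = 'Lenovo Solution Center*'

# 1. Is anything listening on the port, and which process owns the socket?
$listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessId    = $_.OwningProcess
            ProcessName  = if ($proc) { $proc.ProcessName } else { '<unknown>' }
        }
    }

# 2. Is the process running at all (it may not have bound the port yet)?
$running = Get-Process -Name $processName -ErrorAction SilentlyContinue

# 3. Is the product still installed? Check both the 64-bit and 32-bit uninstall keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $productName } |
    Select-Object DisplayName, DisplayVersion, UninstallString

# Summary: a running instance is reachable now; an installed copy becomes
# reachable again the next time it starts, so uninstalling is the durable fix.
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    PortListeners    = $listeners
    ProcessRunning   = [bool]$running
    InstalledEntries = $installed
    ReachableNow     = [bool]($listeners -or $running)
    StillInstalled   = [bool]$installed
}
```

A result with `ReachableNow` false but `StillInstalled` true means the instance has only been closed, not uninstalled.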
Thanks to Neowin for publishing these defects and solutions, and our Canadian correspondent Hankers for calling the article to my attention.