Lenovo laptops and PCs can be hijacked by visiting a malicious website – and Dell and Toshiba machines suffer vulnerabilities, too, we're told.
If you're running the Lenovo Solution Center bundled with Lenovo gear, and you browse by an evil webpage, scripts on that page can run code with full system privileges on your computer, allowing them to install malware, spy on you, and cause other havoc. Any programs or software nasties already on your machine can exploit Lenovo Solution Center to gain admin access, and therefore full control, without you lifting a finger.
The vulnerabilities were discovered by infosec bod Slipstream – previously on these pages for discovering security holes in Dell and UK school IT admin software. The US CERT has issued an alert about the Lenovo holes, and the Chinese giant has urged people to uninstall its Solution Center as soon as possible.
"By convincing a user who has launched the Lenovo Solution Center to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with SYSTEM privileges. Additionally, a local user can execute arbitrary code with SYSTEM privileges," said CERT, which is backed by the US Department of Homeland Security.
"The CERT/CC is currently unaware of a practical solution to this problem. However, please consider the following workaround: uninstall Lenovo Solution Center to prevent exploitation of these vulnerabilities. Closing any running instance of Lenovo Solution Center also prevents exploitation."
You can fetch exploit binaries and source code, written in D, for the holes here if you want to see for yourself how terrible multimillion-dollar outfits Lenovo, Dell and Toshiba are at secure programming – bear in mind you'll be treated to a cute retro-demoscene-esque intro with audio while fetching the .zip.
Here's a round up of the bugs, according to CERT and Slipstream:
- Lenovo Solution Center creates a process called LSCTaskService that runs with full administrator rights, and fires up a web server on port 55555. It can be instructed via GET and POST HTTP requests to execute code in a directory a local user can access.
- Lenovo Solution Center will execute, again with full privileges, programs found in an arbitrary location on disk where the user can write to. Put some bad software in there, and it will be executed with admin rights.
- A classic cross-site request forgery (CSRF) vulnerability exists in the LSCTaskService process, allowing any visited webpage to pass commands to the local web server to execute with full privileges.
- Dell's bundled utility Dell System Detect can be made to gain admin privileges and execute arbitrary commands – by feeding it a security token downloaded from, er, dell.com: a token granting Dell System Detect permission to install manuals can be abused to execute programs (such as malware) with admin privileges. This can be exploited by software on your computer to fully compromise the machine.
- Toshiba's bundled Service Station tool can be abused by normal users and unprivileged software to read the majority of the operating system's registry as a SYSTEM-level user.