Stop me if you've heard this before: a vulnerability in an OEM software utility leaves systems wide open to attack. This time around, three manufacturers can tell this tale of woe. Lenovo, Dell, and Toshiba all have unpatched vulnerabilities in their various support utilities. These vulnerabilities were discovered by a security researcher who goes by Slipstream, who has posted details online (warning: obnoxious auto-play music) along with proof-of-concept code called OEMDrop.
"Three OEMs. Three applications preinstalled. Three exploits. https://t.co/P4GMkNCabZ" — slipstream/RoL (@TheWack0lian), December 3, 2015
Lenovo's Solution Center utility contains the most concerning vulnerabilities—three of them, in fact. According to CERT, a service called LSCTaskService listens for HTTP requests on port 55555. LSCTaskService is further associated with a file called LSCController.dll, which contains methods that can be called using HTTP GET and POST requests to that port. LSCTaskService can be made to run arbitrary code from the unprotected directory %APPDATA%\LSC\Local Store with system privileges, using an LSCController method called RunInstaller.
What's worse, Lenovo Solution Center has a directory-traversal bug that allows it to access arbitrary files on the same drive where user profiles are located. If an attacker puts a malicious program in a predictable location on the hard drive of a system running the software (the sample code launches cmd.exe, for example), that program can then be made to run with the same privileges as the service—in this case, system privileges.
Finally, LSCTaskService is vulnerable to a type of attack called cross-site request forgery, or CSRF. That means maliciously crafted web content can issue commands to the service. Combined with the other two vulnerabilities described above, this lets an attacker remotely execute arbitrary code on the system from a malicious web page. To mitigate these vulnerabilities, Lenovo recommends that customers remove Solution Center from their systems.
The remote-code-execution fun continues with Dell's System Detect utility. According to comments in the source code posted by Slipstream, System Detect can be forced to run arbitrary code on a vulnerable system with administrator privileges, using a token downloaded from Dell's website. The attack uses the same functionality that lets System Detect download and install product manuals to run other executables, too. (Some of Dell's manuals are a bundle of HTML and graphics files packaged in .EXEs.)
Toshiba's vulnerability is no less serious. The company's Service Station tool is vulnerable to an attack that can create arbitrary registry keys and values. The TMachInfo service runs with system privileges and communicates with Toshiba's services via XML. A man-in-the-middle attacker could intercept those calls and respond with text-formatted registry patch files to make any registry changes they want.
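As an added example (not code from the article, from Slipstream, or from any of the three OEMs), the following read-only PowerShell audit looks for the indicators described in the Lenovo, Dell, and Toshiba sections above so an administrator can tell which machines still carry the affected utilities. The service names LSCTaskService and TMachInfo, TCP port 55555, and the %APPDATA%\LSC\Local Store path come from the article; the uninstall-entry display names used to detect the installed programs are assumptions and may need adjusting for a given version.

```powershell
# Added example: read-only audit for the three OEM support utilities discussed above.
# Nothing here changes the system; it only reports what it finds.

function Test-OemUtilityExposure {
    $findings = @()

    # --- Lenovo Solution Center (service name, port and path from the article) ---
    $lsc = Get-Service -Name 'LSCTaskService' -ErrorAction SilentlyContinue
    if ($lsc) {
        $findings += "Lenovo: service LSCTaskService present (status: $($lsc.Status))"
    }
    # Get-NetTCPConnection needs the NetTCPIP module (Windows 8 / Server 2012 and later).
    $listener = Get-NetTCPConnection -LocalPort 55555 -State Listen -ErrorAction SilentlyContinue
    if ($listener) {
        $owners = ($listener | Select-Object -ExpandProperty OwningProcess -Unique) -join ','
        $findings += "Lenovo: a process is listening on TCP 55555 (PID(s): $owners)"
    }
    # The article describes this user-writable directory as the place the service
    # executes code from with system privileges, so its mere presence is worth flagging.
    $store = Join-Path $env:APPDATA 'LSC\Local Store'
    if (Test-Path -LiteralPath $store) {
        $findings += "Lenovo: user-writable staging directory exists: $store"
    }

    # --- Toshiba Service Station (service name from the article) ---
    $tmach = Get-Service -Name 'TMachInfo' -ErrorAction SilentlyContinue
    if ($tmach) {
        $findings += "Toshiba: service TMachInfo present (status: $($tmach.Status))"
    }

    # --- Installed-program check for all three (display names are assumptions) ---
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $patterns = @{
        'Lenovo'  = 'Lenovo Solution Center'   # assumed display name
        'Dell'    = 'Dell System Detect'       # assumed display name
        'Toshiba' = 'TOSHIBA Service Station'  # assumed display name
    }
    $installed = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName }
    foreach ($vendor in $patterns.Keys) {
        $hits = $installed | Where-Object { $_.DisplayName -like "*$($patterns[$vendor])*" }
        foreach ($hit in $hits) {
            $version = if ($hit.DisplayVersion) { $hit.DisplayVersion } else { 'unknown version' }
            $findings += "${vendor}: '$($hit.DisplayName)' installed ($version)"
        }
    }

    return $findings
}

$report = Test-OemUtilityExposure
if ($report.Count -eq 0) {
    Write-Output 'No indicators of the affected OEM utilities were found on this host.'
} else {
    Write-Output 'Indicators found:'
    $report | ForEach-Object { Write-Output "  - $_" }
}
```

The script is intended to be run from an elevated prompt so that the HKLM uninstall keys and the listening-port table are fully readable; run as a standard user it still reports the per-user findings (the HKCU entries and the Local Store directory). A hit on any line is a prompt to apply the vendor's guidance, which for Lenovo Solution Center is removal.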