5/18/2023 0 Comments Lenovo system update app![]() This successfully denies “ConfigScheduledTask.exe” the ability to copy and overwrite the real XML file to “C:\ProgramData\Lenovo\SystemUpdate\sessionSE”.Ĭopy/overwrite fails, but “ConfigScheduledTask.exe” continues and loads the malicious schedule task XML-file. System Update shortly performs permission changes to “C:\ProgramData\Lenovo\SystemUpdate\sessionSE” allowing all users to READ/WRITE to the directory and all subdirectories and files.ĭuring this brief permission change, we overwrite “TVSUUpdateTask_Login.xml” with a malicious schedule task XML.Īfter overwriting the file, a file handle to “TVSUUpdateTask_Login.xml” is called, allowing other processes to only read the file. This application logic provided us with a path to perform privilege escalation using the following steps: These permissions only exists for few seconds before they are reverted again. Some of these executables are native for Windows and performs temporary permission changes which allow all users to read/write to the two directories: “C:\ProgramData\Lenovo\SystemUpdate\logs” and “C:\ProgramData\Lenovo\SystemUpdate\sessionSE”. Multiple high privilege executables will be spawned by the service executable upon update. The System Update applications run as a low privilege executable(user interface) and a service executable running as “NT Authority/SYSTEM”. Lenovo will disclose the vulnerability publicly September 8 2020. ![]() Lenovo Product Security Incident Response Team releases version of System Update which patches the vulnerability. Lenovo Product Security Incident Response Team confirms the vulnerability, given internal vulnerability number LEN-41150. ![]() Lenovo Product Security Incident Response Team informs that they are investigating the issue. – Lenovo Product Security Incident Response Team e-mailed with detailed description. Like in my previously disclosed vulnerabilities for Intel Driver
0 Comments
Leave a Reply. |