In the case of vulnerabilities in OEM support utilities, computers are left wide open to attacks. Three manufacturers namely Toshiba, Dell and Lenovo, have unpatched vulnerabilities in their support services — the most ones being seen in the Solution Center of Lenovo.
The details were recently posted by a security researcher who goes by slipstream/RoL online along with OEMDrop, a proof-of-concept code.
As per CERT (Computer emergency response team), HTTP requests on Port 55555 are heard by LSCTask Service, which further has an association with LSCController.dll. It has methods that can post requests to the port and can be called with HTTP GET.
With LSCTask Service, an arbitrary code can be run in an open directory %APPDATA%\LSC\Local Store, with the help of RunInstaller, an LSCController method.
Owing to a directory traversal bug in the Solution Center, arbitrary files can be accessed on the drive having user profiles. If a malicious program is put on the hard drive’s location, wherein the software is being run, it can be run with the same privileges.
LSCTask Service has a vulnerability to an attack named CSRF or Cross-Site Request Forgery. It means that web content crafted maliciously can send commands to that service.
With the vulnerabilities mentioned above, arbitrary code can be remotely executed on the system having a malicious web page. Lenovo suggests that for dealing with these vulnerabilities, removing Service Center from the system is a good idea.
It continues with the System Detect Ability of Dell. As per the comment, arbitrary code of System Detect can be forcefully run on a system having administrator privileges. It is possible with a token that is available to download from the website of Dell.
According to this functionality, product manuals can be downloaded and installed for running other executables.
Even the vulnerability of Toshiba is severe. The Service Station tool of the company has a vulnerability to attacks, through which arbitrary registry values and keys can be created.
TMachInfo runs with system privileges and communication with the services is done with the help of XML. Those calls can be intercepted with this attack, and the response is given with text-formatted registry patch files for making changes.
Update: We came to know from Lenovo that they have already patched the vulnerabilities, and updates are available to download on the official website.
Add Comment