#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Lenovo System Update
# Vendor:   Lenovo
# URL:      https://support.lenovo.com/us/en/product_security/ps500553-lenovo-system-update-elevation-of-privileges-vulnerability
# CSNC ID:  CSNC-2022-15
# CVE ID:   CVE-2022-4568
# Subject:  Local Privilege Escalation
# Risk:     High
# Effect:   Locally exploitable
# Author:   info@compass-security.com
# Date:     14.10.2022
#
#############################################################

Introduction
------------

Lenovo System Update automates the process of finding and installing the
latest drivers, BIOS, and other applications for Lenovo devices.[1]

Compass Security identified a local privilege escalation vulnerability that
allows a regular user on a system with Lenovo System Update installed to
escalate their privileges to local administrator.

Affected
--------

Vulnerable:
* Lenovo System Update prior to 5.08.01

Tested versions:
* Lenovo System Update 5.07.01

Not vulnerable:
* Lenovo System Update 5.08.01

Tested on:
* Windows 10 21H2 (OS Build 19044.2075)
* Windows 10 21H2 (OS Build 19044.2130)

Technical Description
---------------------

Lenovo System Update uses a .NET executable named `tvsukernel.exe`, which on a
default installation runs with elevated privileges during an update. Before it
exits, the executable runs a cleanup routine that recursively deletes the
directory `C:\TvsuSession`. On a default Windows installation, regular users
are permitted to create such a directory directly under `C:\` and to place
files in it, so the elevated process ends up deleting content that an
unprivileged user controls.

Abdelhamid Naceri has demonstrated how deleting the contents of a
user-writable folder with elevated privileges can lead to local privilege
escalation.
A description of the technique is found on the blog of the Zero Day
Initiative.[2] The exact variant used to exploit the System Update
vulnerability is described there under "From Folder Contents Delete to SYSTEM
EoP".[2]

Proof of Concept
----------------

Prerequisites:

The directory `C:\Config.Msi` must not exist. For testing purposes, an
existing folder may be deleted using administrative permissions. In practice,
the vulnerability itself may be combined with the aforementioned technique to
delete that folder prior to exploitation.

The following exploitation example is based on the tools provided by the Zero
Day Initiative.[3]

1. Set up the privilege escalation that triggers upon deletion of the
   `Config.Msi` folder:

   `.\FolderOrFileDeleteToSystem.exe`

2. To redirect the deletion from `C:\TvsuSession` to `C:\Config.Msi`, create
   the folder `C:\TvsuSession` as a regular user and then set up a
   pseudo-symlink (a junction to `\RPC Control` plus an Object Manager
   symlink):

   `.\FolderContentsDeleteToFolderDelete.exe /target 'C:\Config.Msi' /initial 'C:\TvsuSession'`

3. Run Lenovo System Update so that `Tvsukernel.exe` is executed as SYSTEM.
   For testing purposes, simply run `Tvsukernel.exe` as administrator:

   `.\ConfigService.exe start && .\TvsuCommandLauncher.exe 4`

Workaround / Fix
----------------

Either ensure that `C:\TvsuSession` is only deleted if it was created with
restrictive ACLs during the same session, or move the directory to a location
where regular users inherently do not have write access.
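The following C# is an added example and is not Lenovo's code nor part of the
original advisory. It places the cleanup pattern the advisory describes (an
elevated recursive delete of a fixed, user-creatable path) next to a hardened
variant that implements the first fix option: the directory is created by the
elevated process with a protected DACL granting only SYSTEM and Administrators,
and it is deleted only if it is still not a reparse point and still owned by
one of those principals. The class and method names, and the assumption that
`C:\TvsuSession` is the only fixed path the cleanup touches, are the example's
own; the ACL calls are the .NET Framework `System.Security.AccessControl` APIs
(on .NET 6+ the equivalents are the `DirectoryInfo.Create(DirectorySecurity)` and
`DirectoryInfo.GetAccessControl()` extension methods from
`System.IO.FileSystem.AccessControl`).

```csharp
// Added example, not Lenovo's code: vulnerable cleanup beside a hardened one.
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

public static class SessionDirectory
{
    // Path from the advisory. Assumption: the only fixed location the cleanup touches.
    public const string SessionPath = @"C:\TvsuSession";

    // Vulnerable pattern: whatever sits at the path is deleted recursively by an
    // elevated process. If a regular user pre-created C:\TvsuSession as a junction,
    // the recursive delete is redirected to the junction's target.
    public static void CleanupUnsafe()
    {
        if (Directory.Exists(SessionPath))
            Directory.Delete(SessionPath, recursive: true);
    }

    // Hardened creation: refuse a pre-existing path (a regular user may own it),
    // then create the directory with a protected DACL that grants access only to
    // SYSTEM and BUILTIN\Administrators, so no inherited "Users" ACE applies.
    public static DirectoryInfo CreateSession()
    {
        if (Directory.Exists(SessionPath) || File.Exists(SessionPath))
            throw new IOException(SessionPath + " already exists; refusing to reuse it.");

        var security = new DirectorySecurity();
        security.SetAccessRuleProtection(isProtected: true, preserveInheritance: false);
        foreach (SecurityIdentifier sid in TrustedSids())
        {
            security.AddAccessRule(new FileSystemAccessRule(
                sid, FileSystemRights.FullControl,
                InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                PropagationFlags.None, AccessControlType.Allow));
        }

        DirectoryInfo created = Directory.CreateDirectory(SessionPath, security);
        // CreateDirectory succeeds silently on an existing directory and then does
        // not apply the ACL, so re-verify: this catches a user creating the path
        // between the Exists() check above and the actual creation.
        EnsureTrusted(created);
        return created;
    }

    // Hardened cleanup: delete only if the directory still looks like the one we
    // created. A junction shows up as a reparse point; a user-created directory is
    // owned by that user rather than by SYSTEM or Administrators.
    public static void CleanupSafe()
    {
        var info = new DirectoryInfo(SessionPath);
        if (!info.Exists)
            return;
        EnsureTrusted(info);
        info.Delete(recursive: true);
    }

    private static SecurityIdentifier[] TrustedSids()
    {
        return new[]
        {
            new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null),
            new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null),
        };
    }

    private static void EnsureTrusted(DirectoryInfo info)
    {
        info.Refresh();
        if ((info.Attributes & FileAttributes.ReparsePoint) != 0)
            throw new UnauthorizedAccessException(
                info.FullName + " is a reparse point (junction/mount point); not touching it.");

        var owner = info.GetAccessControl().GetOwner(typeof(SecurityIdentifier)) as SecurityIdentifier;
        if (owner == null || Array.IndexOf(TrustedSids(), owner) < 0)
            throw new UnauthorizedAccessException(
                info.FullName + " is owned by " + owner + ", not SYSTEM/Administrators; not touching it.");
    }
}
```

The ownership check matters because a regular user can create `C:\TvsuSession`
under the default ACL of `C:\`, but cannot later rename, delete or convert into
a junction a directory that SYSTEM created with the protected DACL above, since
neither the directory's own DACL nor `C:\` grants that user DELETE or
FILE_DELETE_CHILD. The second fix option from the advisory, placing the
directory somewhere regular users cannot write at all, avoids the check
entirely and is the simpler change where the installer layout permits it.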
Timeline
--------

2022-10-10: Discovery by Compass Security
2022-10-14: Initial vendor notification
2022-10-17: Initial vendor response
2023-03-14: Release of fixed version / patch
2023-03-14: Coordinated public disclosure date

References
----------

[1] https://support.lenovo.com/us/en/solutions/ht003029
[2] https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks
[3] https://github.com/thezdi/PoC/tree/master/FilesystemEoPs