Lenovo slings privilege patches at in-built tools

Temp account means God mode for regular users.

IOActive security bod Sofiane Talmat has found two since-patched privilege escalation vulnerabilities in Lenovo System Update utility.

The tool keeps drivers and BIOS up to date.

Talmat found the tool's help function contains a vulnerability (CVE-2015-8109) that can allow regular users to gain administrative access.

"Since the main application Tvsukernel.exe is running as Administrator, the web browser instance that starts to open a help URL inherits the parent administrator privileges," Talmat says.

"From there, an unprivileged attacker has many ways to exploit the web browser instance running under administrator privileges to elevate his or her own privileges to administrator or SYSTEM."

A second flaw (CVE-2015-8110)relates to weak cryptography allowing the tool's temporary administrative account to be determined and used again to elevate privileges.

"The first call to this function is used to generate the 10-letter suffix for the Administrator username that will be created as “tvsu_tmp_xxxxxXXXXX ...s ince it is based on rand, the algorithm is actually predictable," Talmat says.

"This means an attacker could under certain circumstances predict both the username and password and use them to elevate his or her privileges to administrator on the machine."

Talmat has published two advisories [PDF] [PDF] detailing the vulnerabilities. ®


Biting the hand that feeds IT © 1998–2017