Monday, March 8, 2010

Full disclosure:
Security vulnerability in Lenovo™ Laptops
(Hotkey™ Driver and Access Connections™ v5.33) - Fix available

Subject:
Security vulnerability in Lenovo™ Hotkey™ Driver and Access Connections™ v5.33

Impact:
A privilege escalation attack can be used as a backdoor to bypass login and run arbitrary code as a System user on Lenovo™ or Thinkpad™ laptops running Access Connections™ v5.33 and earlier versions (tracked back to version 4).


Technical details:

  • The Hotkey™ Driver is a Lenovo™ application that monitors the Lenovo™ special hotkeys (Fn keys) and executes Lenovo™-specified applications when they are pressed.
  • The default installation of the Hotkey™ Driver is as a service and runs under NT Authority\System privileges.
  • Upon hotkey detection, the Hotkey™ driver reads the registry for the file to launch and invokes that file. For example, when the Fn + F5 key combination is pressed, the Hotkey™ driver reads the registry value named File at HKEY_LOCAL_MACHINE\SOFTWARE\IBM\TPHOTKEY\CLASS\01\05 and then launches the specified application (by default, Tp/AcFnF5.exe).
  • The Hotkey™ driver is available even prior to Windows login due to its installation configuration.
  • The registry value naming the file to be launched is not verified at invocation time.
  • This key is not monitored by the operating system and any change to this key is undetected.
  • An attacker with restricted access to the registry can use this information to launch a targeted attack on Lenovo™ or Thinkpad™ users by changing this value to an arbitrary application, which then runs with System permission.

Reproduce:

1. On the target laptop, change the File registry value at HKEY_LOCAL_MACHINE\SOFTWARE\IBM\TPHOTKEY\CLASS\01\05 from 'Tp/AcFnF5.exe' to 'cmd.exe'.

2. Lock the station ('Windows' + 'L').

3. Press 'Fn'+'F5' and a Windows command prompt opens with System privileges.

Mitigation:

Please update the Hotkey™ Driver and Access Connections™ to the latest version (link here) at the Lenovo™ website.
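
A defender-side check for the condition described above, as an added PowerShell example that is not part of the original advisory or of Lenovo's tooling: it reports each File value under the hotkey CLASS key and any accounts outside a trusted list that are allowed to change it. The registry path and the default value come from the advisory; the trusted-principal list, the function name Get-HotkeyLaunchAudit, and the assumption that other hotkey entries use the same File value layout are illustrative.

```powershell
# Added example: audit the hotkey launch entries described in the advisory.
# Path and default value are taken from the advisory; all other names are hypothetical.
$ClassRoot    = 'HKLM:\SOFTWARE\IBM\TPHOTKEY\CLASS'
$KnownDefault = @{ '01\05' = 'Tp/AcFnF5.exe' }   # the only default the advisory states

# Principals expected to hold write access (assumption: adjust for your build).
$Trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
           'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'

# Rights that allow changing the File value, the key, or the key's ACL.
$WriteMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

function Get-HotkeyLaunchAudit {
    if (-not (Test-Path -Path $ClassRoot)) { return }   # driver not installed
    $rootName = (Get-Item -Path $ClassRoot).Name

    Get-ChildItem -Path $ClassRoot -Recurse | ForEach-Object {
        $key  = $_
        $file = $key.GetValue('File')
        if ($null -eq $file) { return }                 # no launch target on this key

        # Key path relative to CLASS, e.g. '01\05' for Fn + F5.
        $rel = $key.Name.Substring($rootName.Length + 1)

        # Allow ACEs granting write-type rights to principals outside the trusted list.
        $writers = @((Get-Acl -Path $key.PSPath).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.RegistryRights -band [int]$WriteMask) -ne 0) -and
            ($Trusted -notcontains $_.IdentityReference.Value)
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

        [pscustomobject]@{
            Key              = $rel
            File             = $file
            # $null means the advisory gives no default to compare against.
            MatchesDefault   = if ($KnownDefault.ContainsKey($rel)) { $file -eq $KnownDefault[$rel] } else { $null }
            UntrustedWriters = $writers -join '; '
        }
    }
}

Get-HotkeyLaunchAudit | Format-Table -AutoSize
```

A row with MatchesDefault set to False or a non-empty UntrustedWriters column is worth investigating; running the check on a schedule also addresses the point that changes to this key otherwise go undetected.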
