IOActive Security Advisory



Similar documents
Securing your Virtual Datacenter. Part 1: Preventing, Mitigating Privilege Escalation

Microsoft STRIDE (six) threat categories

CERTIFIGATE. Front Door Access to Pwning hundreds of Millions of Androids. Avi Bashan. Ohad Bobrov

BYPASSING THE ios GATEKEEPER

MWR InfoSecurity Security Advisory. Symantec s Altiris Deployment Solution File Transfer Race Condition. 7 th January 2010

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

Penetration Testing in Romania

MWR InfoSecurity Security Advisory. BT Home Hub SSID Script Injection Vulnerability. 10 th May Contents

Discovering passwords in the memory

UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE

Using Remote Desktop Clients

Running a Default Vulnerability Scan

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details


Penetration: from Application down to OS

Pension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing An Update

Exploiting Foscam IP Cameras.

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

Turning your managed Anti-Virus

Windows Remote Access

Running a Default Vulnerability Scan SAINTcorporation.com

Threat Advisory: Accellion File Transfer Appliance Vulnerability

Penetration Testing. I.T. Security Specialists. Penetration Testing 1

Enterprise Apps: Bypassing the Gatekeeper

Security Vulnerabilities and Patches Explained IT Security Bulletin for the Government of Canada

Application Security. Standard PCI. 26 novembre

MWR InfoSecurity Security Advisory. pfsense DHCP Script Injection Vulnerability. 25 th July Contents

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Security Patch Management

The Prevalence of Flash Vulnerabilities on the Web

Cloud Services Prevent Zero-day and Targeted Attacks Tom De Belie Security Engineer. [Restricted] ONLY for designated groups and individuals

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

How To Hack A Satellite Receiver For Profit On A Pc Or Ipad (For A Pb) For A Pk (For An Ipad) For Free (For Pc) For Your Computer) For The First Time (For Your Computer Or

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office

Dell Client BIOS: Signed Firmware Update

AN OVERVIEW OF VULNERABILITY SCANNERS

HTExploit: Bypassing htaccess Restrictions

This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

INSIDE. Management Process. Symantec Corporation TM. Best Practices Roles & Responsibilities. Vulnerabilities versus Exposures.

Thick Client Application Security

Computer Security: Principles and Practice

Specific recommendations

Securing SharePoint 101. Rob Rachwald Imperva

Penetration Testing Report Client: Business Solutions June 15 th 2015

SPEAR PHISHING UNDERSTANDING THE THREAT

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

1 Scope of Assessment

Fixing Certificate Problems Some users have recently had problems installing Silect products. The symptoms are typically an error like the following:

RACK911 Labs. Year in Review. May 6, 2014

Can Consumer AV Products Protect Against Critical Microsoft Vulnerabilities?

Patch and Vulnerability Management Program

SNI Vulnerability Assessment Report

Software that provides secure access to technology, everywhere.

Today s Topics. Protect - Detect - Respond A Security-First Strategy. HCCA Compliance Institute April 27, Concepts.

The Trivial Cisco IP Phones Compromise

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

IBM Security re-defines enterprise endpoint protection against advanced malware

Dealing with the unsupported Windows XP

Scan Report Executive Summary. Part 2. Component Compliance Summary IP Address :

How SSL-Encrypted Web Connections are Intercepted

External Penetration Assessment and Database Access Review

How To Secure An Rsa Authentication Agent

Privilege Escalation via Antivirus Software

The McAfee SECURE TM Standard

Overview. Introduction. Conclusions WINE TRIAGE. Zero day analysis. Symantec Research Labs (SRL)

CA Vulnerability Manager r8.3

MWR InfoSecurity Advisory. Interwoven Worksite ActiveX Control Remote Code Execution. 10 th March Contents

The more laws and order are made prominent, the more thieves and robbers there will be. Lao Tzu

Arcot Systems, Inc. Securing Digital Identities. FPKI-TWG Mobility Solutions Today s Speaker Tom Wu Principal Software Engineer

Enterprise Mobility Report 10/2014. Creation date: Vlastimil Turzík, Edward Plch

More on SHA-1 deprecation:

Executable Integrity Verification

THE IMPORTANCE OF CODE SIGNING TECHNICAL NOTE 02/2005

Information Security Organizations trends are becoming increasingly reliant upon information technology in

Miami University. Payment Card Data Security Policy

Mobile Device Management:

IPLocks Vulnerability Assessment: A Database Assessment Solution

Criteria for web application security check. Version


Software Vulnerability Assessment

Protecting Networks and Data with Public Key Infrastructure (PKI)

Security Research Advisory SugarCRM Cross-Site Scripting Vulnerability

Smartphone Pentest Framework v0.1. User Guide

Cloud Services Prevent Zero-day and Targeted Attacks

noway.toonux.com 09 January 2014

Security Testing. How security testing is different Types of security attacks Threat modelling

Penetration Testing - a way for improving our cyber security

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Cybersecurity and internal audit. August 15, 2014

Inspection of Encrypted HTTPS Traffic

Network Security Monitoring: Looking Beyond the Network

Vulnerability-Focused Threat Detection: Protect Against the Unknown

National Security Agency

October Application Control: The PowerBroker for Windows Difference

Tutorial on Smartphone Security

Transcription:

IOActive Security Advisory Title Severity Discovered by CVE Lenovo s System Update Uses a Predictable Security Token High Michael Milvich michael.milvich@ioactive.com Sofiane Talmat sofiane.talmat@ioactive.com CVE-2015-2219 Advisory Date April 14, 2015 Affected Product Impact Lenovo System Update (5.6.0.27 and earlier versions) This vulnerability allows local least-privileged users to run commands as the SYSTEM user. Background The Lenovo System Update allows least privileged users to perform system updates. To do this, the System Update includes the System Update service (SUService.exe). This service runs privileged as the SYSTEM user and communicates with the System Update which is running as the unprivileged user. The service creates a named pipe through which the unprivileged user can send commands to the service. When the unprivileged System Update needs to execute a program with higher privileges, it writes the command to the named pipe, and the SUService.exe reads the command and executes it. Technical Details Fixes Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk. Lenovo does attempt to restrict access to the System Update Service by requiring clients of the named pipe to authenticate by including a security token with the command the unprivileged user wishes to execute. Unfortunately this token is a predictable token and can be generated by any user without requiring any elevated permissions. As a result, an attacker who is unprivileged can perform the same operations as the System Update. The attacker can create a valid token and include it with a command to be executed. The SUService.exe will then execute the command as the SYSTEM user. Lenovo has released an updated version, which replaces the token authentication method, and is available through the System Update. 2015 IOActive, Inc. All Rights Reserved [1]

Timeline February 2015: IOActive discovers vulnerability February 19, 2015: IOActive notifies vendor April 3, 2015: Vendor releases patch April 14, 2015: IOActive and vendor release advisory 2015 IOActive, Inc. All Rights Reserved [2]

IOActive Security Advisory Title Severity Discovered by CVE Lenovo s System Update Signature Validation Errors High Michael Milvich michael.milvich@ioactive.com Sofiane Talmat sofiane.talmat@ioactive.com CVE-2015-2233 Advisory Date April 14, 2015 Affected Products Impact Lenovo System Update (5.6.0.27 and earlier versions) Local and potentially remote attackers can bypass signature validation checks and replace trusted Lenovo applications with malicious applications. These applications will then be run as a privileged user. The System Update downloads executables from the Internet and runs them. Remote attackers who can perform a man in the middle attack (the classic coffee shop attack) can exploit this to swap Lenovo s executables with a malicious executable. The System Update uses TLS/SSL to secure its communications with the update server, which should protect against coffee shop style attacks. Background The System Update downloads executables from the Internet and runs them. As a security measure Lenovo signs its executables and checks the signature before running them, but unfortunately does not completely verify them. Technical Details Fixes When performing the signature validation, Lenovo failed to properly validate the CA (certificate authority) chain. As a result, an attacker can create a fake CA and use it to create a code-signing certificate, which can then be used to sign executables. Since the System Update failed to properly validate the CA, the System Update will accept the executables signed by the fake certificate and execute them as a privileged user. Lenovo has released an updated version, which validates the CA chain, and is available through the System Update. 2015 IOActive, Inc. All Rights Reserved [3]

Timeline February 2015: IOActive discovers vulnerability February 19, 2015: IOActive notifies vendor April 3, 2015: Vendor releases patch April 14, 2015: IOActive and vendor publish advisory 2015 IOActive, Inc. All Rights Reserved [4]

IOActive Security Advisory Title Severity Discovered by CVE Lenovo s System Update Race Condition High Michael Milvich michael.milvich@ioactive.com Sofiane Talmat sofiane.talmat@ioactive.com CVE-2015-2234 Advisory Date April 14, 2015 Affected Products Impact Lenovo System Update (5.6.0.27 and earlier versions) This vulnerability allows local unprivileged users to run commands as an administrative user. Background The System Update downloads executables from the Internet runs them. The System Update does check for a signature before running them, but does so in a directory writable by any user. Technical Details Fixes As a result of saving the executables in a writable directory, Lenovo created a race condition between verifying the signature and executing the saved executable. A local attacker could exploit this to perform a local privilege escalation by waiting for the System Update to verify the signature of the executable, and then swapping out the executable with a malicious version before the System Update is able to run the executable. When the System Update gets around to running the executable, it will run the malicious version, thinking it was the executable that it had already verified. An attacker can use this to gain elevated permissions. Lenovo has released an updated version, which changes how downloaded files are stored. It is available through the System Update. Timeline February 2015: IOActive discovers vulnerability February 19, 2015: IOActive notifies vendor 2015 IOActive, Inc. All Rights Reserved [5]

April 3, 2015: Vendor releases patch April 14, 2015: IOActive and vendor publish advisory 2015 IOActive, Inc. All Rights Reserved [6]

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information