Vulnerability Note VU#294607
Lenovo Solution Center LSCTaskService privilege escalation, directory traversal, and CSRF
The Lenovo Solution Center application contains multiple vulnerabilities that can allow an attacker to execute arbitrary code with SYSTEM privileges.
CWE-732: Incorrect Permission Assignment for Critical Resource
Launching the Lenovo Solution Center creates a process called LSCTaskService, which runs with SYSTEM privileges. This process runs an HTTP daemon on port 55555, which allows HTTP GET and POST requests to execute methods in the LSCController.dll module. This component includes a number of unsafe methods, including RunInstaller, which is designed to execute arbitrary code from the %APPDATA%\LSC\Local Store directory. This directory is created for each user that logs in to an affected system. The user can write to this directory, regardless of whether the account has administrative privileges on the system. This vulnerability can allow a standard local user to execute arbitrary code with SYSTEM privileges.
By convincing a user who has launched the Lenovo Solution Center to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with SYSTEM privileges. Additionally, a local user can execute arbitrary code with SYSTEM privileges.
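The following PowerShell check is an added example for defenders, not part of the original advisory or any Lenovo tooling. It reports whether the LSCTaskService process is running, whether anything is listening on TCP port 55555 and which process owns that socket, and which identities can write to the current user's %APPDATA%\LSC\Local Store directory. The function name Get-LscExposure and the output field names are hypothetical, and Get-NetTCPConnection is assumed to be available (Windows 8 / Server 2012 or later).

```powershell
# Added example, not part of the advisory. Get-LscExposure is a hypothetical name.
function Get-LscExposure {
    $port     = 55555                  # HTTP daemon port named in the advisory
    $procName = 'LSCTaskService'       # process name named in the advisory
    $storeDir = Join-Path $env:APPDATA 'LSC\Local Store'

    # Is the LSCTaskService process running?
    $procs = @(Get-Process -Name $procName -ErrorAction SilentlyContinue)

    # Is anything listening on TCP 55555, and which process owns the socket?
    $listeners = @(Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                OwnerPid     = $_.OwningProcess
                OwnerName    = if ($owner) { $owner.ProcessName } else { 'unknown' }
            }
        })

    # Which identities hold an Allow ACE carrying the file write right on the directory?
    $writers = @()
    if (Test-Path -LiteralPath $storeDir) {
        $writeBit = [int][System.Security.AccessControl.FileSystemRights]::WriteData
        $writers = @((Get-Acl -LiteralPath $storeDir).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.FileSystemRights) -band $writeBit) -ne 0
            } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique)
    }

    [pscustomobject]@{
        ProcessRunning = $procs.Count -gt 0
        PortListening  = $listeners.Count -gt 0
        Listeners      = $listeners
        StoreDirectory = $storeDir
        StoreDirExists = Test-Path -LiteralPath $storeDir
        StoreWriters   = $writers
    }
}

Get-LscExposure | Format-List
```

A listener on 55555 owned by LSCTaskService means the service described above is active on this host; it does not by itself show whether the vendor update has been applied.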
Apply an update
You may also consider the following workaround:
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|--------|--------|---------------|--------------|
| Lenovo | Affected | 03 Dec 2015 | 04 Dec 2015 |
This vulnerability was publicly disclosed by @TheWack0lian.
This document was written by Garret Wassermann, Will Dormann, and Joel Land.
- CVE IDs: Unknown
- Date Public: 03 Dec 2015
- Date First Published: 04 Dec 2015
- Date Last Updated: 21 Dec 2015
- Document Revision: 57