Vulnerability Note VU#294607
Lenovo Solution Center LSCTaskService privilege escalation, directory traversal, and CSRF
Overview
The Lenovo Solution Center application contains multiple vulnerabilities that can allow an attacker to execute arbitrary code with SYSTEM privileges.
Description
CWE-732: Incorrect Permission Assignment for Critical Resource

Launching the Lenovo Solution Center creates a process called LSCTaskService, which runs with SYSTEM privileges. This process runs an HTTP daemon on port 55555, which allows HTTP GET and POST requests to execute methods in the LSCController.dll module. This component includes a number of unsafe methods, including RunInstaller, which is designed to execute arbitrary code from the %APPDATA%\LSC\Local Store directory. This directory is created for each user that logs in to an affected system. The user can write to this directory, regardless of whether the account has administrative privileges on the system. This vulnerability can allow a standard local user to execute arbitrary code with SYSTEM privileges.
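The conditions described above can be checked on a host with the following PowerShell, an added example that is not part of the original note or of Lenovo's software. It assumes Windows 8 or later (for Get-NetTCPConnection), an elevated prompt, and that %APPDATA% resolves to the default <profile>\AppData\Roaming.

```powershell
# Added example: local exposure check for the conditions described in VU#294607.
# Run elevated so other users' profiles and socket owners are readable.
$port        = 55555             # HTTP daemon port named in the note
$processName = 'LSCTaskService'  # process named in the note

# 1. Is the SYSTEM process running?
$procs = @(Get-Process -Name $processName -ErrorAction SilentlyContinue)
"{0} running: {1}" -f $processName, ($procs.Count -gt 0)

# 2. Is anything listening on the port, and which process owns the socket?
$listeners = @(Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)
$listenerInfo = foreach ($l in $listeners) {
    $owner = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalAddress = $l.LocalAddress
        LocalPort    = $l.LocalPort
        OwnerPid     = $l.OwningProcess
        OwnerName    = $owner.ProcessName
    }
}
"Listeners on TCP {0}: {1}" -f $port, $listeners.Count
$listenerInfo | Format-List

# 3. Which profiles hold the directory RunInstaller executes from, and who may write to it?
#    Assumption: %APPDATA% is the Windows default <profile>\AppData\Roaming.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData)
$dirInfo = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special } |
    ForEach-Object {
        $dir = Join-Path $_.LocalPath 'AppData\Roaming\LSC\Local Store'
        if (Test-Path -LiteralPath $dir) {
            $writers = (Get-Acl -LiteralPath $dir).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               ([int]$_.FileSystemRights -band $writeMask) -ne 0 } |
                ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique
            [pscustomobject]@{
                Directory = $dir
                Writers   = $writers -join '; '
            }
        }
    }
$dirInfo | Format-List
```

A host is exposed in the way the note describes when the process is running, the listener is present, and at least one Local Store directory lists a non-administrative account among its writers.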
Impact
By convincing a user who has launched the Lenovo Solution Center to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with SYSTEM privileges. Additionally, a local user can execute arbitrary code with SYSTEM privileges.
Solution
Apply an update
You may also consider the following workaround:
Vendor Information
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
Lenovo | Affected | 03 Dec 2015 | 04 Dec 2015 |
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 9.0 | E:POC/RL:U/RC:C |
Environmental | 6.7 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Credit
This vulnerability was publicly disclosed by @TheWack0lian.
This document was written by Garret Wassermann, Will Dormann, and Joel Land.
Other Information
- CVE IDs: Unknown
- Date Public: 03 Dec 2015
- Date First Published: 04 Dec 2015
- Date Last Updated: 22 Mar 2017
- Document Revision: 60