The Lenovo Solution Center application contains multiple vulnerabilities that can allow an attacker to execute arbitrary code with SYSTEM privileges.
CWE-732: Incorrect Permission Assignment for Critical Resource
Launching the Lenovo Solution Center creates a process called LSCTaskService, which runs with SYSTEM privileges. This process runs an HTTP daemon on port 55555, which allows HTTP GET and POST requests to execute methods in the LSCController.dll module. This component includes a number of unsafe methods, including RunInstaller, which is designed to execute arbitrary code from the %APPDATA%\LSC\Local Store directory. This directory is created for each user that logs in to an affected system. The user can write to this directory, regardless of whether the account has administrative privileges on the system. This vulnerability can allow a standard local user to execute arbitrary code with SYSTEM privileges.
By convincing a user who has launched the Lenovo Solution Center to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with SYSTEM privileges. Additionally, a local user can execute arbitrary code with SYSTEM privileges.
Apply an update
You may also consider the following workaround:
This vulnerability was publicly disclosed by @TheWack0lian.
This document was written by Garret Wassermann, Will Dormann, and Joel Land.
|Date First Published:||2015-12-04|
|Date Last Updated:||2017-03-22 13:44 UTC|