Researchers at Pen Test Partners (PTP) discovered a privilege-escalation vulnerability in Lenovo Solution Centre (LSC) tracked as CVE-2019-6177.

Security experts at Pen Test Partners (PTP) discovered a privilege-escalation vulnerability in Lenovo Solution Centre (LSC) that has existed since 2011.

“A vulnerability reported in Lenovo Solution Center version 03.12.003, which is no longer supported, could allow log files to be written to non-standard locations, potentially leading to privilege escalation,” reads the security advisory published by Lenovo. “Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Lenovo Vantage or Lenovo Diagnostics in April 2018.”

The vulnerability tracked as CVE-2019-6177 could be exploited by attackers to escalate privileges.

The company attempted to downplay the severity of the issue, highlighting that the product is no longer supported, even though most of the Chinese vendor's laptops running Windows are shipped with the flawed software.

“We found a privilege escalation vulnerability in the Lenovo Solution Centre (LSC) software, which came pre-installed on many Windows-based Lenovo devices,” states the post published by Pen Test Partners.

“The bug itself is a DACL (discretionary access control list) overwrite, which means that a high-privileged Lenovo process indiscriminately overwrites the privileges of a file that a low-privileged user is able to control. In this scenario, a low-privileged user can write a ‘hardlink’ file to the controllable location – a pseudofile which really points to any other file on the system that the low-privileged user doesn’t have control of.”

The experts explained that the Lenovo Solution Centre adds a task at “\Lenovo\Lenovo Solution Center Launcher”, which runs with “highest privileges”.

The task created by the LSC runs the LSC.Services.UpdateStatusService.exe binary 10 minutes after a login event.

The binary executed by the scheduled task overwrites the DACL of the Lenovo product’s logs folder, giving everyone in the Authenticated Users user group full read/write access to the files in it. Since everyone is a member of Authenticated Users, this means that everyone could access those files.

To exploit the flaw, an attacker has to create a hardlink file in the C:\ProgramData\Lenovo\LSC\log\ directory that points to the file whose privileges they want to overwrite.

It is quite easy for an attacker with access to the machine to run arbitrary code with administrator-level privileges.

“Then you log out, log in, and 10 minutes later, the hosts file DACL will be overwritten,” wrote the researchers.

The only way to fix the issue is to uninstall Lenovo Solution Centre. Customers can install Lenovo Vantage or Lenovo Diagnostics to get the same functionality.
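For hosts where LSC has not yet been removed, the log folder can be audited for the condition the bug depends on: a file in that folder that is a second name for data stored elsewhere. The script below is an added example, not code from Pen Test Partners or Lenovo; it flags any regular file with a link count above 1, and the function names and the temporary-directory sample are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Log folder named in the article; it only exists on hosts with LSC installed.
LSC_LOG_DIR = r"C:\ProgramData\Lenovo\LSC\log"


def find_hardlinked_files(directory):
    """Return regular files under `directory` whose link count is above 1.

    A log file normally has exactly one name. A second name means the same
    data (and the same DACL) is reachable elsewhere on the volume, so an ACL
    change applied inside the folder also lands on that other path.
    """
    flagged = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                info = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if stat.S_ISREG(info.st_mode) and info.st_nlink > 1:
                flagged.append(path)
    return sorted(flagged)


def demo():
    """Constructed sample: a stand-in log folder holding one ordinary log
    and one entry that is a second name for a file outside the folder."""
    with tempfile.TemporaryDirectory() as base:
        log_dir = os.path.join(base, "log")
        os.mkdir(log_dir)
        with open(os.path.join(log_dir, "service.log"), "w") as fh:
            fh.write("constructed log line\n")
        outside = os.path.join(base, "outside.txt")
        with open(outside, "w") as fh:
            fh.write("constructed file outside the log folder\n")
        os.link(outside, os.path.join(log_dir, "extra.log"))
        return [os.path.basename(p) for p in find_hardlinked_files(log_dir)]


if __name__ == "__main__":
    target = LSC_LOG_DIR if os.path.isdir(LSC_LOG_DIR) else None
    hits = find_hardlinked_files(target) if target else demo()
    print("hard-linked files:", hits)
```

Any hit in the real log folder is worth investigating before the next login on that machine, since the scheduled task runs 10 minutes after a login event.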

Pen Test Partners criticized the way Lenovo handled the report of the flaw, because Lenovo seems to have moved the EOL date back to April 2018.

“But just after their disclosure went out, we noticed they had changed the end of life date to make it look like it went end of life even before the last version was released.”

Pierluigi Paganini

(SecurityAffairs – Lenovo Solution Centre, hacking)