Bloatware Bugs: Dell, Lenovo, ToshibaResearcher Details Remotely Exploitable Flaws in Preinstalled Software
Software that gets preinstalled on laptops and desktops by original equipment manufacturers is again in the limelight, after an information security researcher found remotely exploitable vulnerabilities in three different preinstalled software applications, or what is often referred to as junkware or bloatware (see Time to Ban the 'Bloatware').
Security researcher Zammis Clark - a.k.a. Slipstream, Raylee, Rye and Rai, warning of "three OEM fails at once," has published proof-of-concept code to exploit multiple vulnerabilities that he discovered in three different preinstalled OEM software applications found on machines sold by Dell, Lenovo and Toshiba. The vulnerable software is Dell System Detect software versions 18.104.22.168 and before, Lenovo Solution Center version 3.1.004 and before, and Toshiba Service Station versions 2.6.14 and before.
As a result of the flaws, hundreds of millions of PCs are at risk of being remotely exploited. In just the third quarter of this year, for example, market researcher IDC reports that Lenovo and Dell respectively shipped 13 million and 10 million PCs globally, while Toshiba shipped 900,000 PCs in the United States alone.
Clark confirms to Information Security Media Group that he discovered the flaws found in the three software applications, and says that the impetus for doing so was "part being bored, part in reaction to the issues I and others found in [Dell Foundation Service] and all the other OEM bloatware issues found over the past year, some of which I helped to research." He confirms that he did not alert the vendors before releasing his proof-of-concept exploit code. "Full disclosure was done partly because I, and many others, hate bloatware and partly to make sure the vendors fix the issues found as fast as possible."
Three OEMs. Three applications preinstalled. Three exploits. https://t.co/P4GMkNCabZï¿½ slipstream/RoL (@TheWack0lian) December 3, 2015
Lenovo has confirmed that it is investigating the reported flaws in its software. Dell and Toshiba did not immediately respond to a request for comment on Clark's related vulnerability alerts.
Dell Patch Introduces New Flaw
The reported flaw in Dell's software apparently resulted from the company's emergency fix for its Dell Foundation Services, which it released in November after security researcher Hanno BÃ¶ck discovered that the software included a preinstalled root certificate and a private key that attackers could abuse to decrypt data or launch man-in-the-middle attacks (see Dell Releases Fix for Root Certificate Fail).
Dell quickly released a patch for the software, followed by Microsoft on Nov. 30 releasing a related, emergency security update for the Windows Certified Trust List in all supported versions of Windows, disabling the ability to use the offending eDellRoot and DSDTestProvider certificates. "Even if the certificates are installed, they cannot be used," Dell says in a related blog post. "CTL updates are automatically pushed to both consumer and commercial Windows PCs. Most systems with Internet access should pick up the update within the next 24 hours."
But Dell's patch "actually introduces a more serious issue," says Mustafa al-Bassam, a security engineer and former member of the hacking collective Lulzsec, via Twitter.
Indeed, Dell's patch included a fix for an API used by its software, to block attackers from retrieving details about the system. But despite the fix, the related Web service is still available, Clark says in a related blog post, noting that the application still responds to Windows Management Instrumentation queries, which will enable "access to information about hardware, installed software, running processes, installed services, accessible hard disks, filesystem metadata - filenames, file size, dates - and more."
Clark says the flaw can be exploited both via a local area network and remotely to bypass User Access Control in Windows, which is designed to block unauthorized changes to a PC - made for example by malware or rogue users - by restricting access to those features to administrators. Because the Dell application runs with administrator privileges, exploiting it then gives an attacker the ability to remotely execute any code, with administrator-level privileges, Clark says.
Lenovo Solution Center
Clark has also released proof-of-concept exploit code that targets three flaws in Lenovo Solution Center - relating incorrect permissions, directory traversal and a cross-site request forgery vulnerability - that could be exploited to take remote control of a PC.
"We are urgently assessing the vulnerability report and will provide an update and applicable fixes as rapidly as possible," Lenovo says in a Dec. 3 security alert. Lenovo says the software in question is designed to "[help] users get the most out of their PC experience" by allowing them to quickly review "system health, network connections and overall system security."
The U.S. Computer Emergency Response Team has issued a related alert about the three flaws, warning that they could be exploited by a malicious HTML document either emailed to victims as an attachment, or via a malicious Web page. US-CERT says it is "currently unaware of a practice solution to this problem," short of uninstalling the software. Likewise, to mitigate the flaw, Lenovo currently recommends that users "uninstall the Lenovo Solution Center application using the add / remove programs function.
VU#294607: Lenovo Solution Center LSCTaskService privilege escalation, directory traversal, and CSRF: The Leno... https://t.co/9EnJFS9SLEï¿½ US-CERT (@USCERT_gov) December 4, 2015
The discovery of vulnerabilities in preinstalled Lenovo software follows the company earlier this year promising to cut down on such software, in the wake of facing heavy criticism for having preinstalled the Superfish Visual Discovery adware on many of its consumer laptops beginning in September 2014 (see Lenovo Promises: No More Bloatware).
Toshiba Service Station
Clark's final vulnerability report centers on the Toshiba Service Station application, which the company says will "automatically search for Toshiba software updates or other alerts from Toshiba that are specific to your computer system and its programs" and transmit related system information to Toshiba. The OEM notes that "this feature is enabled by default."
In a Dec. 5 security advisory, however, Clark warns that Toshiba Service Station versions 2.6.14 and below can be exploited to read parts of the registry as system by local users of lower privilege" as well as to "bypass any read-deny permissions on the registry for lower-privileged users." Clark says the flaw stems from an incorrectly secured, XML-based API, and could be used to make changes directly to the system registry, thus facilitating remote exploitation of the affected system.
To mitigate this flaw - as with the Dell and Lenovo vulnerabilities - Clark recommends removing the Toshiba software from all affected devices.