lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <67221472-1875-4ef4-9ea6-0aafcea9880a@vulnerability-lab.com>
Date: Thu, 12 Jul 2018 11:11:20 +0200
From: Vulnerability Lab <research@...nerability-lab.com>
To: fulldisclosure@...lists.org
Subject: [FD] Lenovo SU v5.07 - Buffer Overflow & Arbitrary Code Execution
 Vulnerability

Document Title:
===============
Lenovo SU v5.07 - Buffer Overflow & Code Execution Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2131

Lenovo Security ID: LEN-19625

https://nvd.nist.gov/vuln/detail/CVE-2018-9063
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9063

Acknowledgements: https://support.lenovo.com/us/fr/solutions/len-19625

News & Press References:
https://www.securityweek.com/lenovo-patches-secure-boot-vulnerability-servers
https://securityaffairs.co/wordpress/72335/security/lenovo-security-updates.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-9063

CVE-ID:
=======
CVE-2018-9063


Release Date:
=============
2018-07-12


Vulnerability Laboratory ID (VL-ID):
====================================
2131


Common Vulnerability Scoring System:
====================================
7.8


Vulnerability Class:
====================
Buffer Overflow


Current Estimated Price:
========================
4.000€ - 5.000€


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a local
buffer overflow vulnerability in the official Lenovo SU v5.7.x & v5.6.x.
software.


Vulnerability Disclosure Timeline:
==================================
2018-05-03: Release Date (Lenovo)
2018-07-12: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Lenovo
Product: SU (MapDrv - mapdrv.exe) 5.7.19, 5.6.34, 5.6.0.28 & 5.6.0.27


Exploitation Technique:
=======================
Local


Severity Level:
===============
High


Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges


User Interaction:
=================
No User Interaction


Disclosure Type:
================
Responsible Disclosure Program


Technical Details & Description:
================================
A local buffer overflow and arbitrary code exeuction has been discovered
in the official Lenovo SU v5.7.x & v5.6.x. software.
The vulnerability allows to overwrite the active registers of the
process to compromise the affected software by gaining
higher system access privileges.

MapDrv (C:Program FilesLenovoSystem Update mapdrv.exe) contains a local
vulnerability where an attacker entering very large user ID
or password can overrun the program’s buffer, causing undefined
behaviors, such as execution of arbitrary code. No additional privilege is
granted to the attacker beyond what is already possessed to run MapDrv.
The flaw could be exploited by local attackers for different kind
of attacks, include the execution of arbitrary code on the target machine.

Exploitation of the local buffer overflow vulnerability requires no user
interaction and system user process privileges of the driver.
Successful exploitation of the buffer overflow vulnerability results in
a compromise of the local system process or affected computer system.

Vulnerable Driver:
[+] MapDrv

Affected Process:
[+] mapdrv.exe


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by local attackers with system
process privileges and without user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below.


--- Debug Error Exception Session Log (Exception) ---
(d8c.1988): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=029ab7a0 ebx=0031fe05 ecx=00000041 edx=fd974860 esi=029a9d70
edi=0031fd04
eip=00a256b3 esp=0031e54c ebp=0031fc70 iopl=0         nv up ei pl nz na
pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00210206
*** ERROR: Module load completed but symbols could not be loaded for
image00a20000
image00a20000+0x56b3:
00a256b3 66890c02        mov     word ptr [edx+eax],cx
ds:0023:00320000=0000

--- Debug Session Log [Exception Analysis] ---
FAULTING_IP:
image00a20000+56b3
00a256b3 66890c02        mov     word ptr [edx+eax],cx

EXCEPTION_RECORD:  ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 00a256b3 (image00a20000+0x000056b3)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00320000
Attempt to write to address 00320000

FAULTING_THREAD:  00001988
PROCESS_NAME:  image00a20000
FAULTING_MODULE: 77ab0000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP:  594b6578
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx
referenced memory at 0x%08lx. The memory could not be %s.
WRITE_ADDRESS:  00320000
BUGCHECK_STR:  ACCESS_VIOLATION

IP_ON_HEAP:  00410041
The fault address in not in any loaded module, please check your build's
rebase
log at <releasedir>binbuild_logstimebuildntrebase.log for module which may
contain the address if it were loaded.

DEFAULT_BUCKET_ID:  WRONG_SYMBOLS
FRAME ONE INVALID: 1800200000000a
LAST_CONTROL_TRANSFER:  from 00410041 to 00a256b3

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be
wrong.
0031fc70 00410041 00410041 00410041 00410041 image00a20000+0x56b3
0031fc74 00410041 00410041 00410041 00410041 0x410041
0031fc78 00410041 00410041 00410041 00410041 0x410041
0031fc7c 00410041 00410041 00410041 00410041 0x410041
0031fc80 00410041 00410041 00410041 00410041 0x410041
0031fc84 00410041 00410041 00410041 00410041 0x410041
0031fc88 00410041 00410041 00410041 00410041 0x410041
0031fc8c 00410041 00410041 00410041 00410041 0x410041
0031fc90 00410041 00410041 00410041 00410041 0x410041
0031fc94 00410041 00410041 00410041 00410041 0x410041
0031fc98 00410041 00410041 00410041 00410041 0x410041
0031fc9c 00410041 00410041 00410041 00410041 0x410041
0031fca0 00410041 00410041 00410041 00410041 0x410041
0031fca4 00410041 00410041 00410041 00410041 0x410041
0031fca8 00410041 00410041 00410041 00410041 0x410041
0031fcac 00410041 00410041 00410041 00410041 0x410041
0031fcb0 00410041 00410041 00410041 00410041 0x410041
0031fcb4 00410041 00410041 00410041 00410041 0x410041
0031fcb8 00410041 00410041 00410041 00410041 0x410041
0031fcbc 00410041 00410041 00410041 00410041 0x410041
0031fcc0 00410041 00410041 00410041 00410041 0x410041
0031fcc4 00410041 00410041 00410041 00410041 0x410041
0031fcc8 00410041 00410041 00410041 00410041 0x410041
0031fccc 00410041 00410041 00410041 00410041 0x410041
0031fcd0 00410041 00410041 00410041 00410041 0x410041
0031fcd4 00410041 00410041 00410041 00410041 0x410041
0031fcd8 00410041 00410041 00410041 00410041 0x410041
0031fcdc 00410041 00410041 00410041 00410041 0x410041
0031fce0 00410041 00410041 00410041 00410041 0x410041
0031fce4 00410041 00410041 00410041 00410041 0x410041
0031fce8 00410041 00410041 00410041 00410041 0x410041
0031fcec 00410041 00410041 00410041 00410041 0x410041
0031fcf0 00410041 00410041 00410041 00410041 0x410041
0031fcf4 00410041 00410041 00410041 00410041 0x410041
0031fcf8 00410041 00410041 00410041 00410041 0x410041
0031fcfc 00410041 00410041 00410041 00410041 0x410041
0031fd00 00410041 00410041 00410041 00410041 0x410041
0031fd04 00410041 00410041 00410041 00410041 0x410041
0031fd08 00410041 00410041 00410041 00410041 0x410041
0031fd0c 00410041 00410041 00410041 00410041 0x410041
0031fd10 00410041 00410041 00410041 00410041 0x410041
0031fd14 00410041 00410041 00410041 00410041 0x410041
0031fd18 00410041 00410041 00410041 00410041 0x410041
0031fd1c 00410041 00410041 00410041 00410041 0x410041
0031fd20 00410041 00410041 00410041 00410041 0x410041
0031fd24 00410041 00410041 00410041 00410041 0x410041
0031fd28 00410041 00410041 00410041 00410041 0x410041
0031fd2c 00410041 00410041 00410041 00410041 0x410041
0031fd30 00410041 00410041 00410041 00410041 0x410041
0031fd34 00410041 00410041 00410041 00410041 0x410041
0031fd38 00410041 00410041 00410041 00410041 0x410041
0031fd3c 00410041 00410041 00410041 00410041 0x410041
0031fd40 00410041 00410041 00410041 00410041 0x410041
0031fd44 00410041 00410041 00410041 00410041 0x410041
0031fd48 00410041 00410041 00410041 00410041 0x410041
0031fd4c 00410041 00410041 00410041 00410041 0x410041
0031fd50 00410041 00410041 00410041 00410041 0x410041
0031fd54 00410041 00410041 00410041 00410041 0x410041
0031fd58 00410041 00410041 00410041 00410041 0x410041
0031fd5c 00410041 00410041 00410041 00410041 0x410041
0031fd60 00410041 00410041 00410041 00410041 0x410041
0031fd64 00410041 00410041 00410041 00410041 0x410041
0031fd68 00410041 00410041 00410041 00410041 0x410041
0031fd6c 00410041 00410041 00410041 00410041 0x410041
0031fd70 00410041 00410041 00410041 00410041 0x410041
0031fd74 00410041 00410041 00410041 00410041 0x410041
0031fd78 00410041 00410041 00410041 00410041 0x410041
0031fd7c 00410041 00410041 00410041 00410041 0x410041
0031fd80 00410041 00410041 00410041 00410041 0x410041
0031fd84 00410041 00410041 00410041 00410041 0x410041
0031fd88 00410041 00410041 00410041 00410041 0x410041
0031fd8c 00410041 00410041 00410041 00410041 0x410041
0031fd90 00410041 00410041 00410041 00410041 0x410041
0031fd94 00410041 00410041 00410041 00410041 0x410041
0031fd98 00410041 00410041 00410041 00410041 0x410041

PRIMARY_PROBLEM_CLASS:  STACK_CORRUPTION

FOLLOWUP_IP:
image00a20000+56b3
00a256b3 66890c02        mov     word ptr [edx+eax],cx

SYMBOL_STACK_INDEX:  0
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: image00a20000
IMAGE_NAME:  image00a20000
SYMBOL_NAME:  image00a20000+56b3
STACK_COMMAND:  ~0s ; kb
BUCKET_ID:  WRONG_SYMBOLS

Followup: MachineOwner
---------
0:000> lmvm image00a20000
start    end        module name
00a20000 00bd2000   image00a20000   (no symbols)
    Loaded symbol image file: C:Program FilesLenovoSystem Updatemapdrv.exe
    Image path: image00a20000
    Image name: image00a20000
    Timestamp:        Wed Jun 21 23:36:40 2017 (594B6578)
    CheckSum:         001BA113
    ImageSize:        001B2000
    File version:     1.0.0.1
    Product version:  1.0.0.1
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    ProductName:      Map Network Drive
    InternalName:     mapdrv
    OriginalFilename: mapdrv.exe
    ProductVersion:   1, 0, 0, 1
    FileVersion:      1, 0, 0, 1
    FileDescription:  Map Network Drive Application
    LegalCopyright:   Copyright Lenovo 2005, 2006, all rights reserved.
Copyright IBM Corporation 1996-2005, all rights reserved.


Solution - Fix & Patch:
=======================
Update Lenovo System Update to version 5.07.0072 or later. You can
determine the currently installed version by
opening Lenovo System Update, clicking on the green question mark in the
top right corner and then selecting “About.”

Lenovo System Update can be updated by choosing either of the following
methods:

Lenovo System Update automatically checks for a later version whenever
the application is run.
Click OK when prompted that a new version is available.
To manually update, download the latest version from the following URL:
https://support.lenovo.com/en/documents/ht080136


Security Risk:
==============
The security risk of the buffer overflow and arbitrary code execution
vulnerability is estimated as high.


Credits & Authors:
==================
S.AbenMassaoud (Vulnerability Laboratory Core Research Team) -
https://www.vulnerability-lab.com/show.php?user=S.AbenMassaoud


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com		www.vuln-lab.com			
www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com	paste.vulnerability-db.com 		
infosec.vulnerability-db.com
Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 		
youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

				    Copyright © 2018 | Vulnerability Laboratory - [Evolution
Security GmbH]™

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ