bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/local/40585.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

71 lines
No EOL
2.5 KiB
Text
Raw Permalink Blame History

# Exploit Title: Lenovo ThinkVantage Communications Utility - Unquoted Service Path Privilege Escalation
# Date: 10/19/2016
# Exploit Author: Joey Lane
# Version: 3.0.42.0
# Tested on: Windows 7 Professional
The Lenovo ThinkVantage Communications Utility installs 2 services with unquoted
service paths. This enables a local privilege escalation vulnerability.
To exploit this vulnerability, a local attacker can insert an executable file in the path
of either service. Rebooting the system or restarting either service will run the malicious
executable with elevated privileges.
This was tested on version 3.0.42.0, but other versions may be affected as well.
---------------------------------------------------------------------------
C:\>sc qc LENOVO.CAMMUTE
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: LENOVO.CAMMUTE
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Lenovo Camera Mute
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>sc qc LENOVO.TPKNRSVC
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: LENOVO.TPKNRSVC
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Lenovo Keyboard Noise Reduction
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------
EXAMPLE:
Using the BINARY_PATH_NAME listed above as an example, an executable named
"Program.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.
############################################################
From Lenovo PSIRT:
This issue was fixed in version 3.0.44.0, which was released on June 4, 2013. README for Lenovo Communications Utility program:
https://download.lenovo.com/pccbbs/mobiles/grcu19ww.txt
3.0.44.0 01 2013/06/04
<3.0.44.0>
- (Fix) Fixed the vulnerability issue of service program registration.
- (Fix) Fixed the issue that vcamsvc.exe might crash.
- (Fix) Fixed the issue that TpKnrres.exe might crash.
- (Fix) Fixed the issue that TPKNRSVC.exe might crash.
Reference in a new issue View git blame Copy permalink