Flaws in Lenovo laptops allow escalating to admin privileges

The ImControllerService service of Lenovo laptops is affected by a privilege elevation bug that can allow attackers to execute commands with admin privileges.

Lenovo laptops, including the ThinkPad and Yoga families, are affected by privilege elevation issues that reside in the ImControllerService service and allow attackers to execute commands with admin privileges.

The vulnerabilities, tracked as CVE-2021-3922 and CVE-2021-3969, are a race condition vulnerability and a Time of Check Time of Use (TOCTOU) vulnerability respectively.

The flaws affect the ImControllerService service (“System Interface Foundation Service”) of all Lenovo System Interface Foundation versions below 1.1.20.3.

The Lenovo System Interface Foundation Service provides interfaces for multiple features, including system power management, system optimization, and driver and application updates. For this reason, it is not recommended to disable it.

The vulnerability was reported to Lenovo by researchers at NCC Group on October 29, 2021, and the vendor addressed it with the release of security updates on November 17, 2021. This week the company publicly disclosed the vulnerability.

“The following vulnerabilities were reported in the IMController component of Lenovo System Interface Foundation used by Lenovo Vantage.” reads the advisory published by the company.

“CVE-2021-3922: A race condition vulnerability was reported in IMController, a software component of Lenovo System Interface Foundation, that could allow a local attacker to connect and interact with the IMController child process’ named pipe.

CVE-2021-3969: A Time of Check Time of Use (TOCTOU) vulnerability was reported in IMController, a software component of Lenovo System Interface Foundation, that could allow a local attacker to elevate privileges.”

According to NCC Group, the ImController service comes installed on certain Lenovo devices. It runs as the SYSTEM user and periodically executes child processes that perform system configuration and maintenance tasks.

An attacker can exploit the vulnerabilities to elevate their privileges to SYSTEM and take over the vulnerable device.

The vulnerability resides in the way the ImControllerService handles the execution of highly privileged child processes which allows an unprivileged attacker with local access to the system to elevate their privileges.

The vulnerable component periodically starts child processes to perform tasks, and each of them opens a named pipe server to which any user on the system can connect.

“The parent process establishes a connection to the child’s server as soon as possible in order to send XML serialised commands over the named pipe. The child does not validate the source of the connection and parses the XML serialized commands. One of the commands that the parent process can send instructs the child to load a ‘plugin’ from an arbitrary location on the filesystem. The child process validates the digital signature of the plugin DLL file before loading the file into its address space and yielding execution to it.” reads the post published by NCC Group. “Successful exploitation of two vulnerabilities is required to get the child to load a payload of the attacker’s choosing.”

The researchers noticed that the child process does not validate the source of the connection. This means it will begin accepting commands from an attacker who, using high-performance filesystem synchronization routines, has exploited the race condition.

NCC Group researchers developed proof-of-concept code that never failed to connect to the named pipe before the parent service could do so.

The second issue, the time-of-check to time-of-use (TOCTOU) vulnerability, is exploited to stall the loading process and replace the validated plugin with a malicious DLL file. The DLL is executed with high privileges.
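The check-then-use pattern behind the second issue, shown beside a hardened form, as an added example that is not NCC Group's or Lenovo's code. A SHA-256 allow-list stands in for signature validation, and the function names, the file name and the `between` hook are hypothetical.

```python
import hashlib
import os
import tempfile

# Constructed sample data: an allow-list of digests stands in for signature validation.
TRUSTED_PLUGIN = b"constructed trusted plugin bytes"
TRUSTED_DIGESTS = {hashlib.sha256(TRUSTED_PLUGIN).hexdigest()}

def is_trusted(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() in TRUSTED_DIGESTS

def load_check_then_use(path, between=lambda: None):
    """Flawed: validates the file, then looks the path up a second time to load it."""
    with open(path, "rb") as f:
        if not is_trusted(f.read()):          # time of check
            raise PermissionError("untrusted plugin")
    between()                                 # anything can happen to `path` here
    with open(path, "rb") as f:               # time of use: a second lookup by name
        return f.read()

def load_verified_bytes(path, between=lambda: None):
    """Hardened: reads once and hands on exactly the bytes that were validated."""
    with open(path, "rb") as f:
        data = f.read()
    between()                                 # later changes to `path` no longer matter
    if not is_trusted(data):
        raise PermissionError("untrusted plugin")
    return data

def demo():
    """Run both loaders while the file changes after validation (constructed scenario)."""
    results = {}
    for loader in (load_check_then_use, load_verified_bytes):
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "plugin.bin")
            with open(path, "wb") as f:
                f.write(TRUSTED_PLUGIN)

            def swap():
                with open(path, "wb") as f:
                    f.write(b"constructed replacement bytes")

            # True only if what the loader returned is what passed validation.
            results[loader.__name__] = is_trusted(loader(path, swap))
    return results

if __name__ == "__main__":
    print(demo())
```

For a DLL that has to be loaded from disk, the same idea is applied by validating and loading through one handle that denies write and delete sharing, or by copying the file into a directory only the service can write before validating it.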

Pierluigi Paganini

(SecurityAffairs – hacking, privilege escalation)
