Pierluigi Paganini July 04, 2016

The researcher Dmytro Oleksiuk published details of ThinkPwn flaw, a UEFI zero-day that could be exploited by hackers to disable security features.

Once again the IT giant Lenovo is in the headlines, some products of the company and some others from other PC vendors, are affected by a UEFI vulnerability, dubbed ThinkPwn, that can be exploited by an attacker to disable firmware write-protection.

The discovery was made by Dmytro Oleksiuk that published on Github a Lenovo ThinkPad System Management Mode arbitrary code execution 0day exploit.

According to Oleksiuk, the ThinkPwn vulnerability resides in the System Management Mode (SMM) code of Lenovo’s UEFI, he explained that an attacker can exploit the zero-day flaw to disable flash write protection and infect the firmware. The attacker can also disable the Secure Boot feature and bypass Windows 10 Enterprise security features such as Device Guard or Credential Guard.

“This code exploits 0day privileges escalation vulnerability (or backdoor?) in SystemSmmRuntimeRt UEFI driver (GUID is 7C79AC8C-5E6C-4E3D-BA6F-C260EE7C172E) of Lenovo firmware. Vulnerability is present in all of the ThinkPad series laptops, the oldest one that I have checked is X220 and the neweset one is T450s (with latest firmware versions available at this moment). Running of arbitrary System Management Mode code allows attacker to disable flash write protection and infect platform firmware, disable Secure Boot, bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise and do others evil things.” states Oleksiuk.

Oleksiuk believes that the flawed code is inherited from Intel, in particular, the SystemSmmRuntimeRt was copied from Intel reference code.

“Vulnerable code of SystemSmmRuntimeRt UEFI driver was copy-pasted by Lenovo from Intel reference code for 8-series chipsets. This exact code is not available in public but open source firmware of some Intel boards is also sharing it. For example, here you can see SmmRuntimeManagementCallback() function from Intel Quark BSP — it’s exactly the same vulnerable code.” explains the researcher.

Lenovo published a security advisory informing customers that its experts are investigating the issue. The company has highlighted that the ThinkPwn vulnerability results from the use of the code of at least one of its three independent BIOS vendors. These BIOS vendors use the code provided by chip vendors such as AMD and Intel and develop their customized versions.

“The package of code with the SMM vulnerability was developed on top of a common code base provided to the IBV by Intel. Importantly, because Lenovo did not develop the vulnerable SMM code and is still in the process of determining the identity of the original author, it does not know its originally intended purpose,” reads the advisory published by Lenovo. “But, as part of the ongoing investigation, Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability’s presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code.” 

Of course, rumors circulating on the Internet speculate about the possibility that the hinkPwn vulnerability may be an intentional backdoor.

El Reg reported a tweet shared by an Oleksiuk’s follower that said  the ThinkPwn vulnerability also affects a 2010-era HP Pavillion machine.

@mausraster@al3xtjames In theory — yes, I’m planning to write some proper tool for this task soon

— Dmytro Oleksiuk (@d_olex) 4 luglio 2016

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – ThinkPwn , zero-day)