SECOBJADV-2008-01.txt

Posted May 27, 2008
Authored by Derek Callaway | Site security-objectives.com

Security Objectives Advisory - Lenovo System Update allows arbitrary update executables to be downloaded and installed from a rogue server. The Client DLL does not perform certificate chain verification when initiating an SSL connection with the server. Version 3.13.0005 Build date 2008-1-3 is affected. Other versions may also be affected.

tags | advisory, arbitrary
SHA-256 | 0df79f7829c7b5806e5a76c63b92bd7d03b09979e8aebc1d558d8756681a2807

======================================================================
= Security Objectives Advisory (SECOBJADV-2008-01) =
======================================================================

Lenovo SystemUpdate SSL Certificate Issuer Spoofing Vulnerability

http://www.security-objectives.com/advisories/SECOBJADV-2008-01/

AFFECTED: Lenovo System Update 3 (Version 3.13.0005, Build date 2008-1-3)

PLATFORM: Intel / Windows

CLASSIFICATION: Trust of OpenSSL Certificate Without Validation (CWE-599)

RESEARCHER: Derek Callaway

IMPACT: Client-side code execution

SEVERITY: High

DIFFICULTY: Moderate


BACKGROUND

System Update(tm) helps you reduce the time, effort, and expense required to
support and maintain the latest drivers, BIOS, and other applications for
Think or Lenovo systems. It enables you to get the latest updates from the
Lenovo support site, or to automatically schedule your system to be updated.

http://www-307.ibm.com/pc/support/site.wss/TVSU-UPDATE.html

SUMMARY

Lenovo System Update allows arbitrary update executables to be downloaded and
installed from a rogue server. The Client DLL does not perform certificate
chain verification when initiating an SSL connection with the server. Instead,
it performs a string comparison on the Issuer field of the X.509 certificate
in order to determine if it appears to belong to IBM. After successful SSL
negotiation, the client proceeds to download XML files that contain pathnames
to EXE files, their sizes, and corresponding SHA-1 hashes (although the XML
element defining the SHA value is named "CRC"). If an XML file shows a newer
software version than the one already installed, it downloads the EXE file,
calculates its SHA-1 hash and compares it against the one defined in the XML
file; if they match, it runs the executable with administrator privileges.
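The difference between the issuer-string comparison described above and real certificate chain verification, shown as an added example that is not part of the advisory or of Lenovo's code. Everything in it is constructed in memory: the host name update.example.test, the issuer name "Example Update CA", the three certificates, and the helper name mint are all assumptions standing in for the real server and its certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const host = "update.example.test" // constructed stand-in for the real update server name
var caName = pkix.Name{CommonName: "Example Update CA", Organization: []string{"Example Corp"}} // constructed issuer
// mint (hypothetical helper) builds a certificate for subj and signs it. parent supplies only the Issuer
// name, so a parent carrying no public key lets any key stamp a trusted CA's name into the Issuer field.
// A nil parent means a self-signed root; a nil signKey means the certificate is signed with its own key.
func mint(serial int64, subj pkix.Name, ca bool, parent *x509.Certificate, signKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: subj, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if !ca { // server certificate: bind it to the host name and to TLS server use
		t.DNSNames, t.ExtKeyUsage = []string{host}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { parent = t }
	if signKey == nil { signKey = priv }
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signKey)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c, priv
}
// issuerStringCheck mirrors the flawed client: trust any certificate that merely names the expected issuer.
func issuerStringCheck(c *x509.Certificate) bool { return c.Issuer.CommonName == caName.CommonName }
// chainCheck is the correct test: a signature chain to a pinned root plus a host name match.
func chainCheck(c *x509.Certificate, roots *x509.CertPool) error {
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
// Scenario reports whether each check accepts the genuine and then the spoofed certificate.
func Scenario() (weakReal, weakSpoof, chainReal, chainSpoof bool) {
	ca, caKey := mint(1, caName, true, nil, nil)                      // genuine root
	srv, _ := mint(2, pkix.Name{CommonName: host}, false, ca, caKey) // genuine server certificate
	// Attacker-style certificate: self-signed, but its Issuer field copies the genuine CA's name.
	spoof, _ := mint(3, pkix.Name{CommonName: host}, false, &x509.Certificate{Subject: caName}, nil)
	roots := x509.NewCertPool(); roots.AddCert(ca)
	return issuerStringCheck(srv), issuerStringCheck(spoof), chainCheck(srv, roots) == nil, chainCheck(spoof, roots) == nil
}
func main() { fmt.Println(Scenario()) } // prints: true true true false
```

The string comparison accepts both certificates, while Verify rejects the spoof because no signature chain leads to the pinned root; pinning the root and checking the host name is the fix the advisory implies.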

ANALYSIS

In order to exploit this vulnerability an attacker would create a self-signed
SSL certificate with X.509 header values (issuer, common name, organization,
etc.) of the real public SSL certificate used by the SystemUpdate server at
download.boulder.ibm.com. The attacker would also modify the XML config file
for the target package with a new version number, file size, and SHA-1 hash
that correspond to a malicious EXE file. In theory, an attacker could inject
a completely new package into QuestResponse.xml although this was not tested
by Security Objectives.

When SystemUpdate attempts to make a connection to the server, the attacker
would accept the connection through DNS spoofing, ARP redirection, etc. Users
of wireless networks are at high risk because access point impersonation will
simplify the attack. Once SystemUpdate makes the connection to TCP port 443,
the rogue server negotiates an SSL session with the attacker-created SSL
certificate. The rogue HTTPS server will then send the malicious XML and EXE
files when SystemUpdate requests the target package. All other requests will
be conducted as usual by proxying requests to the real SystemUpdate server or
maintaining a mirrored version of it.

WORKAROUND

One potential workaround is to disable scheduled updates and not execute
Lenovo SystemUpdate, although this may expose the user to other vulnerabilities
since software patches will not be installed.

VENDOR RESPONSE

ThinkVantage SystemUpdate MR4 is in golden release stage at the time of writing.

http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-66956

DISCLOSURE TIMELINE

23-Jan-2008 Discovery of Vulnerability
30-Jan-2008 Developed Proof-of-Concept
02-Feb-2008 Reported to Vendor
19-Feb-2008 Discussed Exploitation
14-Apr-2008 Wrote Patch
18-Apr-2008 Tested Patch
20-May-2008 Released Patch
25-May-2008 Published Advisory

ABOUT SECURITY OBJECTIVES

Security Objectives is a security-centric consultancy and software development
corporation which operates in the area of application assurance software.
Security Objectives employs methods that are centered on software
comprehension, so that a more in-depth contextual understanding of the
application is developed.

http://security-objectives.com/

LEGAL

Permission is granted for electronic distribution of this advisory.
It may not be edited without the written consent of Security Objectives.

The information contained in this advisory is believed to be accurate based on
currently available information and is provided "as is" without warranty of
any kind, either expressed or implied, including, but not limited to, the
implied warranties of merchantability and fitness for a particular purpose.
The entire risk as to the quality and performance of the information is with
you.