Lenovo Rescue and Recovery Buffer Overflow in 'tvtumon.sys' Driver Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1021041
SecurityTracker URL: http://securitytracker.com/id?1021041
CVE Reference: CVE-2008-4589
Updated: Oct 17 2008
Original Entry Date: Oct 14 2008
Impact: Execution of arbitrary code via local system, Root access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 4.20
Description: A vulnerability was reported in Lenovo Rescue and Recovery. A local user can obtain elevated privileges on the target system.
A local user can trigger a heap overflow in the 'tvtumon.sys' driver to execute arbitrary code on the target system. The code will run with kernel level privileges.
Chris Clark and Rachel Engel of iSEC Partners reported this vulnerability.
The original advisory is available at:
https://www.isecpartners.com/advisories/2008-02-lenovornr.txt
Impact: A local user can obtain elevated privileges on the target system.
Solution: The vendor has issued a fixed version (4.21), available at:
http://www-307.ibm.com/pc/support/site.wss/MIGR-70699.html
The vendor's advisory is available at:
http://www-307.ibm.com/pc/support/site.wss/MIGR-70699.html
Vendor URL: www-307.ibm.com/pc/support/site.wss/MIGR-70699.html
Cause: Boundary error
Underlying OS: Windows (Vista), Windows (XP)
Reported By: Chris Clark <cclark@isecpartners.com>
Message History:
None.
Source Message Contents
Date: Fri, 10 Oct 2008 15:24:59 -0700
From: Chris Clark <cclark@isecpartners.com>
Subject: iSEC Partners Security Advisory - 2008-002-lenovornr - Lenovo
iSEC Partners Security Advisory - 2008-002-lenovornr
https://www.isecpartners.com
--------------------------------------------

Lenovo Rescue and Recovery Local Kernel Overflow

Vendor: Lenovo
Vendor URL: http://www.lenovo.com
Versions affected: 4.20
Systems Affected: Windows XP, Windows Vista
Severity: Medium (Local Privilege Escalation)
Authors: Chris Clark <cclark[at]isecpartners[dot]com>
         Rachel Engel <rachel[at]isecpartners[dot]com>
Vendor notified: Yes
Public release: 10/10/08
Advisory URL: https://www.isecpartners.com/advisories/2008-02-lenovornr.txt

Summary:
--------
Lenovo Rescue and Recovery monitors system changes and enables users to
quickly restore their systems in the event of failure. One component
of the Rescue and Recovery system is a file system filter driver which
monitors new file writes/reads.

There is a heap overflow in the file system filter kernel driver which
could allow an attacker to overwrite kernel memory leading to elevation
of privilege.

Details:
--------
The tvtumon.sys driver serves as a file system filter driver which
monitors for file creation or changes. Recent lookups are cached within
a kernel lookaside list. If an overly long filename is passed through
the filesystem, then a buffer within the lookaside list will overflow,
leading to kernel memory corruption.

A low privileged user can trigger this corruption from user mode and
potentially escalate privileges to act as part of the kernel. In the
(unlikely) event that a web browser plugin allows opening of long
filenames, there is a chance the corruption could be triggered through a
web page.

Fix Information:
----------------
Lenovo has issued a patch and advisory:
http://www-307.ibm.com/pc/support/site.wss/MIGR-70699.html
http://www-307.ibm.com/pc/support/site.wss/MIGR-4Q2QAK.html

Thanks to:
----------
Dave Challener, Derek Callaway, Troy Bollinger

About iSEC Partners:
--------------------
iSEC Partners is a full-service security consulting firm that provides
penetration testing, secure systems development, security education and
software design verification, with offices in San Francisco, Seattle,
and Ewa Beach.

https://www.isecpartners.com
info@isecpartners.com
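
The bug class described under Details, as an added example that is not taken from the advisory or from Lenovo's driver: a user-mode C model of a fixed-size cache entry, with the unchecked copy beside a length-checked one that declines to cache oversized names. The entry capacity, struct layout and every name below are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical user-mode model, not tvtumon.sys code. A lookaside list hands
 * out fixed-size entries, so a cached name must fit ENTRY_NAME_BYTES. */
#define ENTRY_NAME_BYTES 520u   /* assumed capacity: 260 UTF-16 code units */

typedef struct { uint16_t length; const uint16_t *buffer; } counted_name;

typedef struct {
    uint16_t name_len;                     /* bytes stored in name[] */
    uint16_t name[ENTRY_NAME_BYTES / 2];
    uint32_t guard;                        /* stands in for adjacent pool memory */
} cache_entry;

enum { CACHE_OK, CACHE_SKIP_TOO_LONG, CACHE_BAD_ARG };

/* Bug class from the advisory: the length comes from the request and is
 * trusted, so a long path is copied past name[]. Shown for contrast only. */
int cache_name_unchecked(cache_entry *e, const counted_name *n)
{
    memcpy(e->name, n->buffer, n->length);  /* no bound check */
    e->name_len = n->length;
    return CACHE_OK;
}

/* Hardened form: validate before writing; oversized names are not cached. */
int cache_name_checked(cache_entry *e, const counted_name *n)
{
    if (e == NULL || n == NULL || n->buffer == NULL || (n->length & 1u))
        return CACHE_BAD_ARG;               /* odd byte count is not UTF-16 */
    if (n->length > sizeof e->name)
        return CACHE_SKIP_TOO_LONG;         /* entry left untouched */
    memcpy(e->name, n->buffer, n->length);
    e->name_len = n->length;
    return CACHE_OK;
}

/* Constructed input: caches a zero-filled name of `units` UTF-16 units and
 * returns the status, or -1 if the guard word after name[] was modified. */
int demo_status(size_t units)
{
    static const uint16_t src[600] = {0};
    cache_entry e = { 0, {0}, 0xC0FFEEu };
    counted_name n = { (uint16_t)(units * 2), src };
    int rc = cache_name_checked(&e, &n);
    return e.guard == 0xC0FFEEu ? rc : -1;
}
```

A filter driver that cannot cache a name can still pass the request down the stack unmodified, so refusing to cache an oversized name does not block the file operation itself.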