Category:   Application (Generic)  >   Lenovo Rescue and Recovery
Vendors:   Lenovo
Lenovo Rescue and Recovery Buffer Overflow in 'tvtumon.sys' Driver Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1021041
SecurityTracker URL:
CVE Reference:   CVE-2008-4589
Updated:  Oct 17 2008
Original Entry Date:  Oct 14 2008
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.20
Description:   A vulnerability was reported in Lenovo Rescue and Recovery. A local user can obtain elevated privileges on the target system.

A local user can trigger a heap overflow in the 'tvtumon.sys' driver to execute arbitrary code on the target system. The code will run with kernel level privileges.

Chris Clark and Rachel Engel of iSEC Partners reported this vulnerability.

The original advisory is available at:

Impact:   A local user can obtain elevated privileges on the target system.
Solution:   The vendor has issued a fixed version (4.21), available at:

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (Vista), Windows (XP)

Message History:   None.

 Source Message Contents

Subject:  iSEC Partners Security Advisory - 2008-002-lenovornr - Lenovo

iSEC Partners Security Advisory - 2008-002-lenovornr

Lenovo Rescue and Recovery Local Kernel Overflow

Vendor: Lenovo
Vendor URL:
Versions affected: 4.20 
Systems Affected: Windows XP, Windows Vista
Severity: Medium (Local Privilege Escalation)
Authors: Chris Clark <cclark[at]isecpartners[dot]com> 
         Rachel Engel <rachel[at]isecpartners[dot]com>

Vendor notified: Yes
Public release: 10/10/08
Advisory URL:

Lenovo Rescue and Recovery monitors system changes and enables users to
quickly restore their systems in the event of failure. One component
of the Rescue and Recovery system is a file system filter driver which
monitors new file writes/reads.

There is a heap overflow in the file system filter kernel driver which
could allow an attacker to overwrite kernel memory leading to elevation
of privilege.

The tvtumon.sys driver serves as a file system filter driver which
monitors for file creation or changes. Recent lookups are cached within
a kernel lookaside list. If an overly long filename is passed through
the filesystem, then a buffer within the lookaside list will overflow,
leading to kernel memory corruption.

A low privileged user can trigger this corruption from user mode and
potentially escalate privileges to act as part of the kernel. In the
(unlikely) event that a web browser plugin allows opening of long
filenames, there is a chance the corruption could be triggered through a
web page.

Fix Information:
Lenovo has issued a patch and advisory: 

Thanks to:
Dave Challener, Derek Callaway, Troy Bollinger

About iSEC Partners:
iSEC Partners is a full-service security consulting firm that provides
penetration testing, secure systems development, security education and
software design verification, with offices in San Francisco, Seattle,
and Ewa Beach.
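
The bug class described in the advisory above (a filename of caller-controlled length copied into a fixed-size cache entry), as an added user-mode C model with a length-checked copy. It is not part of the SecurityTracker entry or the iSEC advisory and is not code from tvtumon.sys; the entry capacity and every identifier below are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed entry capacity in UTF-16 units; the advisory does not give the real size. */
#define ENTRY_NAME_CHARS 260u

/* Counted UTF-16 name shaped like the kernel's UNICODE_STRING: length is in BYTES, no NUL. */
typedef struct { uint16_t length; const uint16_t *buffer; } counted_name;

/* Fixed-size block standing in for an entry taken from a lookaside list (hypothetical). */
typedef struct { uint16_t name_bytes; uint16_t name[ENTRY_NAME_CHARS]; } cache_entry;

typedef enum { CACHE_OK = 0, CACHE_NAME_TOO_LONG, CACHE_BAD_LENGTH } cache_status;

/* Checked copy: a name that does not fit is refused (never truncated), so the
   caller skips caching it and memory after the entry is never written. */
cache_status cache_store_name(cache_entry *e, const counted_name *src)
{
    if (e == NULL || src == NULL || (src->length != 0 && src->buffer == NULL))
        return CACHE_BAD_LENGTH;
    if (src->length % sizeof(uint16_t) != 0)   /* odd byte count: malformed name */
        return CACHE_BAD_LENGTH;
    if (src->length > sizeof e->name)          /* compare bytes with bytes */
        return CACHE_NAME_TOO_LONG;
    memcpy(e->name, src->buffer, src->length);
    e->name_bytes = src->length;
    return CACHE_OK;
}

/* Constructed input: a name of `bytes` bytes filled with 'A', offered to the cache. */
cache_status try_name_of_bytes(size_t bytes)
{
    static uint16_t path[32767];               /* a counted name can span up to 65534 bytes */
    cache_entry e;
    counted_name s;
    if (bytes > 65534u) return CACHE_BAD_LENGTH;
    for (size_t i = 0; i < (bytes + 1) / 2; i++) path[i] = 'A';
    s.length = (uint16_t)bytes;
    s.buffer = path;
    return cache_store_name(&e, &s);
}

int main(void)
{
    printf("520 bytes: %d, 522 bytes: %d\n", try_name_of_bytes(520), try_name_of_bytes(522));
    return 0;
}
```

The comparison is done in bytes on both sides because a counted name's length field is a byte count while the entry capacity is declared in characters; mixing the two units is a common way for such a check to pass names twice the intended size.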

