CVE-2022-0354: Lenovo Vantage | Local Privilege Escalation

Introduction

If you have a look into the great resource Windows Internals (Windows Internals Part 1 7th Edition) you will see, that Windows uses the mechanism of Mandatory Integrity Control (MIC) based on Integrity Levels to protect processes an objects among each other against unauthorized access. In the following table from the Windows Internals you can see a list of the used Integrity Levels under Windows 10.

Therefore, when an unprivileged user (medium integrity) logs on to Windows, a kernel object called an access token is created. This token contains your identity and the user's current privileges. From a red team perspective, this means that even if I am able to compromise an unprivileged user account (medium integrity), I am still not allowed to access processes and objects that require high integrity to access the process space. More specifically, in the case of processes, it is not possible to inject or attach to the address space of a process that manages high integrity threats from a process that manages medium integrity threats. Otherwise, if it were possible, we would have a big problem from a security point of view.

Local Privilege Escalation: Insecure GUI

But also if you are not allowed as a medium integrity user to directly access the address memory from a high integrity process for example by process injection, there are still scenarios which gives you a possibility to abuse the high integrity process to escalate your local privileges. For example, in my case by finding the vulnerability CVE-2022-0354 or LEN-76673 in context of the Lenovo Commercial Vantage Tool and how the tool does execute Intel Management Engine software update packages (and other packages). At New Year’s Eve 2021 I have logged in to my Lenovo (as usual as unprivileged user (medium integrity)) and started the Lenovo Commercial Vantage tool in the same context (medium integrity). I got the suggestion for the Intel ME Software update Intel Management Engine Firmware 11.8.90.3987 and started the installation. Afterwards, the Intel ME update was initialized immediately, but compared to other updates that I have executed via the Lenovo Commercial Vantag tool, it seemed strange to me that a Windows command shell window opened during the update. It was not possible to execute directly a command via command line, but I was curious and examined via process explorer with which integrity level the opened update window is executed. As suspected and hoped (to get my first CVE 😅), the corresponding process cmd.exe was executed in system integrity. Despite the fact, that no direct command can be executed in the command prompt window, there is still a way (insecure GUI) to use the privileged process cmd.exe (system integrity) to escalate from an unprivileged user (medium integrity) to system privileges. We just simply use the command prompt window context menu from the privileged cmd.exe process to escalate from medium integrity level to system integrity. In case of CVE-2022-0354, have a look at the video below.

After consultation with Lenovo, the flaw is in the legacy packaging process for system udpates. To resolve the problem, the Lenovo PSRIT fixed the packaging process for packages which are released after 2022-02-25. At this moment I am not really sure, if Lenovo did fix also the affected legacy packages or only fixed it for packages which are released after 2022-02-25. The last test where I was able to escalate to system privileges was done at 2022-04-10 with the Intel Thunderbold Driver-10 [64] update package (video below). To be fair, the Intel Thunderbold Driver-10 [64] package was identified just a few days ago, with beginning of April 2022. Until yet, the following packages are known and affected, and let escalate your unprivileged user (Medium Integrity) to system privileges (System Integrity).

• Intel ME Software update Intel Management Engine Firmware 11.8.90.3987 
• Intel Thunderbolt Driver – 10 [64] – 17.4.80.550
• Flash BIOS Update – Intel B150 

Also the „Bundesamt für Sicherheit in der Informationstechnik“ has published a technical safety note with the second highest risk level (risk level 4).

Finally, I would like to thank Lenovo and the responsible employee Blake for the good cooperation. More information about the vulnerability on the Lenovo Website.