Lenovo ThinkPad Zero-Day Escapes Windows Security

About a week ago, the security expert Dmytro Oleksiuk has found a new low-level zero-day exploit which overrides the protection for the firmware code in Lenovo ThinkPads and other laptops, escaping hardware and Windows security features.

Dmytro Oleksiuk, also known as cr4sh, released the code for his ThnkPwn proof of concept on Github and showed how it can be used for exploiting a flaw in the unified extensible firmware interface (UEFI) driver for privilege escalation.

This is what allows the hackers to remove the write protection for the system flash memory, letting them to run an arbitrary code with full access to the entire system of the victim. Due to the fact that Lenovo had not received an advance notification of the vulnerability, it made the exploit a zero-day with no mitigation available.

According Dmytro Oleksiuk, the vulnerability in Lenovo’s firmware, old and new versions, allows arbitrary system management mode (SMM) code execution on several of the Chinese PC giant’s computers.

“Exploitation of this vulnerability may lead to the flash write protection bypass, disabling of UEFI Secure Boot, Virtual Secure Mode and Credential Guard bypass in Windows 10 Enterprise and other evil things,” Oleksiuk said.

The security researcher found a “suspicious” SMM callback function in the Lenovo firmware when analysing the code and speculated it might be an intentional backdoor. The code does nothing apart from calling an arbitrary function, and Oleksiuk said there was no reason to have such a thing in the firmware.

Dmytro Oleksiuk did not alert Lenovo to the vulnerability prior to making it public because it is highly unlikely for it to be exploited in the wild.

There are no patches for the vulnerability. According to Oleksiuk, the exploit, in theory, would work on other machines than those made by Lenovo.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.