Lenovo Solution Center contains vulnerabilities that 'could allow' remote code execution, admits company

Dell and Toshiba support software also open to exploits

Lenovo has admitted that its system support software, known as Lenovo Solution Center, is exploitable by remote attackers, and can even be used to execute local code.

A hacker - who goes by the names RoL (Ring of Lightning) and slipstream - released proof-of-concept examples of the Lenovo exploit last week, along with similar ways to attack support software by Dell and Toshiba.

Boasting "three OEM fails at once", the exploit's site cites "a UAC bypass in Dell System Detect", a "SYSTEM registry read in Toshiba Service Station" and a "local privesc in Lenovo Solution Center".

All amount to similar things - remote attackers can take control of the update software by hijacking the registry when the software is run, if the correct exploits have already been injected. In the case of Toshiba Service Station and Dell System Detect, control can be taken through a service called TMachInfo, which the Toshiba application creates. It runs as a Windows System function and takes commands from port 1233 on the host machine. One command - Reg.Read - does as it says and reads the registry.

Dell's flaw can bypass Windows User Account Control.

But it's Lenovo's flaw that seems the most immediately worrying, so much so that the company - unlike Dell and Toshiba - has responded with a direct Security Advisory on its support website.

"Vulnerabilities were discovered in the Lenovo Solution Center (LSC) software which could allow a remote attacker or local user to execute arbitrary code with SYSTEM privileges," says the support page.

"We urgently completed an assessment of this issue and prepared and tested fixes that eliminate these vulnerabilities."

Lenovo has released patches that address the issue, which mostly revolves around the LSCTaskService function in the Lenovo Solution Center software that, like Toshiba's exploit, accesses internal systems by running with Windows System privileges.

In this case, the service listens for HTTP requests on port 55555, and can then run a command named RunInstaller which can execute any files in the Windows %APPDATA% "Local Store" folder. While anybody can write files there, they are executed outside of normal user privileges as the software runs them as System functions.

Lenovo hastens to add that versions of Lenovo Solution Center earlier than 2.8.006 or 3.2.0002 may be impacted by these faults.
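For administrators checking their own machines, the following is an added example (not from Lenovo's advisory or the researcher's site) that flags listeners on the two ports named above in `netstat -ano` output and compares an installed Lenovo Solution Center version against the fixed builds. The sample output and version strings are constructed, and treating 2.8.006 and 3.2.0002 as the fixed builds of the 2.x and 3.x branches is an assumption about how to read the advisory.

```python
import re

# Ports named in the article: TMachInfo (Toshiba) and LSCTaskService (Lenovo).
WATCHED_PORTS = {1233: "Toshiba Service Station (TMachInfo)",
                 55555: "Lenovo Solution Center (LSCTaskService)"}
# Assumption: 2.x installs are fixed from 2.8.006, 3.x installs from 3.2.0002.
FIXED = {2: (2, 8, 6), 3: (3, 2, 2)}
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def parse_version(text):
    """'2.8.006' -> (2, 8, 6); leading zeros are ignored."""
    return tuple(int(p) for p in text.strip().split("."))

def lsc_needs_update(version):
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        # No fixed build listed for this branch: anything older than 2.x is affected.
        return v[0] < min(FIXED)
    return v < fixed

def find_listeners(netstat_output):
    """Return (port, product, bind_address, pid, loopback_only) for watched ports."""
    hits = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # header, UDP, or non-listening TCP row
        addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        if port in WATCHED_PORTS:
            loopback = addr in ("127.0.0.1", "[::1]")
            hits.append((port, WATCHED_PORTS[port], addr, pid, loopback))
    return hits

# Constructed sample of `netstat -ano` output; addresses and PIDs are illustrative.
SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    127.0.0.1:55555        0.0.0.0:0              LISTENING       2716
  TCP    0.0.0.0:1233           0.0.0.0:0              LISTENING       3104
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED     5120
"""

if __name__ == "__main__":
    for port, product, addr, pid, loopback in find_listeners(SAMPLE):
        scope = "loopback only" if loopback else "reachable from the network"
        print(f"{product}: port {port} on {addr} (PID {pid}), {scope}")
    for ver in ("2.7.003", "3.2.0002"):
        print(ver, "needs update" if lsc_needs_update(ver) else "at or past fixed build")
```

A hit only means something is listening on that port; match the PID to its owning service before concluding it is the support software.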

Earlier this year, Lenovo admitted it had been filling its OEM Windows PCs with so-called 'bloatware', while months later the company was caught pre-installing what amounted to malware enablers in PCs, in order to offer it access routes to ad bloatware down the line.

It's possible Lenovo's swift response to this latest vulnerability is an attempt to show that the issue isn't another such occurrence, as the firm recovers from a tough year that saw profits halve and 3,200 jobs slashed by August 2015.