SECOBJADV-2008-01: Lenovo SystemUpdate SSL Certificate Issuer Spoofing Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: SECOBJADV-2008-01: Lenovo SystemUpdate SSL Certificate Issuer Spoofing Vulnerability
From: "Security Objectives, Inc." <advisories@xxxxxxxxxxxxxxxxxxxxxxx>
Date: Sun, 25 May 2008 11:45:06 -0400 (EDT)
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

======================================================================
=         Security Objectives Advisory (SECOBJADV-2008-01)           =
======================================================================

Lenovo SystemUpdate SSL Certificate Issuer Spoofing Vulnerability

http://www.security-objectives.com/advisories/SECOBJADV-2008-01/

AFFECTED: Lenovo System Update 3 (Version 3.13.0005, Build date 2008-1-3)

PLATFORM: Intel / Windows

CLASSIFICATION: Trust of OpenSSL Certificate Without Validation (CWE-599)

RESEARCHER: Derek Callaway

IMPACT: Client-side code execution

SEVERITY: High

DIFFICULTY: Moderate


BACKGROUND

System Update(tm) helps you reduce the time, effort, and expense required to

support and maintain the latest drivers, BIOS, and other applications forThink or Lenovo systems. It enables you to get the latest updates from theLenovo support site, or to automatically schedule your system to be updated.


http://www-307.ibm.com/pc/support/site.wss/TVSU-UPDATE.html

SUMMARY

Lenovo System Update allows arbitrary update executables to be downloaded and

installed from a rogue server. The Client DLL does not perform certificatechain verification when initiating an SSL connection with the server. Instead,it performs a string comparison on the Issuer field of the X.509 certificatein order to determine if it appears to belong to IBM. After successful SSLnegotiation, the client proceeds to download XML files that contain pathnamesto EXE files, their sizes, and corresponding SHA-1 hashes (although the XMLelement defining the SHA value is named "CRC.") If an XML file shows a newersoftware version than what it is already installed, it downloads the EXE file,calculates its SHA-1 hash and compares it against the one defined in the XML

file; if they match, it runs the executable with administrator privileges.

ANALYSIS

In order to exploit this vulnerability an attacker would create a self-signed

SSL certificate with X.509 header values (issuer, common name, organization,etc.) of the real public SSL certificate used by the SystemUpdate server atdownload.boulder.ibm.com. The attacker would also modify the XML config file

for the target package with a new version number, file size, and SHA-1 hash
that correspond to a malicious EXE file. In theory, an attacker could inject
a completely new package into QuestResponse.xml although this was not tested
by Security Objectives.

When SystemUpdate attempts to make a connection to the server, the attackerwould accept the connection through DNS spoofing, ARP redirection, etc. Usersof wireless networks are at high risk because access point impersonation willsimplify the attack. Once SystemUpdate makes the connection to TCP port 443,the rogue server negotitates an SSL session with the attacker-created SSLcertificate. The rogue HTTPS server will then send the malicious XML and EXEfiles when SystemUpdate requests the target package. All other requests willbe conducted as usual by proxying requests to the real SystemUpdate server or

maintaining a mirrored version of it.

WORKAROUND

One potential work-around is to disable scheduled updates and not executeLenovo SystemUpdate although this may expose the user to other vulnerabilities

since software patches will not be installed.

VENDOR RESPONSE

ThinkVantage SystemUpdate MR4 is in golden release stage at the time of writing.

http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-66956

DISCLOSURE TIMELINE

23-Jan-2008 Discovery of Vulnerability
30-Jan-2008 Developed Proof-of-Concept
02-Feb-2008 Reported to Vendor
19-Feb-2008 Discussed Exploitation
14-Apr-2008 Wrote Patch
18-Apr-2008 Tested Patch
20-May-2008 Released Patch
25-May-2008 Published Advisory

ABOUT SECURITY OBJECTIVES

Security Objectives is a security centric consultancy and software developmentcorporation which operates in the area of application assurance software.Security Objectives employs methods that are centered on softwarecomprehension, therefore a more in-depth contextual understanding of theapplication is developed.


http://security-objectives.com/

LEGAL

Permission is granted for electronic distribution of this advisory.
It may not be edited without the written consent of Security Objectives.

The information contained in this advisory is believed to be accurate based oncurrently available information and is provided "as is" without warranty ofany kind, either expressed or implied, including, but not limited to, theimplied warranties of merchantability and fitness for a particular purpose.The entire risk as to the quality and performance of the information is withyou.

Prev by Date: Mini-CWB <= 2.1.1 Remote XSS Vulnerability
Next by Date: Repair Online v1.2 (sentout) Create Admin Vulnerability
Previous by thread: Mini-CWB <= 2.1.1 Remote XSS Vulnerability
Next by thread: Repair Online v1.2 (sentout) Create Admin Vulnerability
Index(es):
- Date
- Thread