iSEC Partners Security Advisory - 2008-002-lenovornr - Lenovo Rescue and Recovery 4.20

To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: iSEC Partners Security Advisory - 2008-002-lenovornr - Lenovo Rescue and Recovery 4.20
From: Chris Clark <cclark@xxxxxxxxxxxxxxxx>
Date: Fri, 10 Oct 2008 15:24:59 -0700
Accept-language: en-US
Acceptlanguage: en-US
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AckrJwfp5GxUKtjQRo26j2W4TerSIA==
Thread-topic: iSEC Partners Security Advisory - 2008-002-lenovornr - Lenovo Rescue and Recovery 4.20

iSEC Partners Security Advisory - 2008-002-lenovornr
https://www.isecpartners.com
--------------------------------------------

Lenovo Rescue and Recovery Local Kernel Overflow

Vendor: Lenovo
Vendor URL: http://www.lenovo.com
Versions affected: 4.20 
Systems Affected: Windows XP, Windows Vista
Severity: Medium (Local Privilege Escalation)
Authors: Chris Clark <cclark[at]isecpartners[dot]com> 
         Rachel Engel <rachel[at]isecpartners[dot]com>

Vendor notified: Yes
Public release: 10/10/08
Advisory URL: https://www.isecpartners.com/advisories/2008-02-lenovornr.txt

Summary: 
-------- 
Lenovo Rescue and Recovery monitors system changes and enables users to
quickly restore their systems in the event of failure. One component
of the Rescue and Recovery system is a file system filter driver which
monitors new file writes/reads.

There is a heap overflow in the file system filter kernel driver which
could allow an attacker to overwrite kernel memory leading to elevation
of privilege.

Details:
--------
The tvtumon.sys driver serves as a file system filter driver which
monitors for file creation or changes. Recent lookups are cached within
a kernel lookaside list. If an overly long filename is passed through
the filesystem, then a buffer within the lookaside list will overflow,
leading to kernel memory corruption.

A low privileged user can trigger this corruption from user mode and
potentially escalate privileges to act as part of the kernel. In the
(unlikely) event that a web browser plugin allows opening of long
filenames, there is a chance the corruption could be triggered through a
web page.

Fix Information:
----------------
Lenovo has issued a patch and advisory:

http://www-307.ibm.com/pc/support/site.wss/MIGR-70699.html 
http://www-307.ibm.com/pc/support/site.wss/MIGR-4Q2QAK.html 


Thanks to:
----------
Dave Challener, Derek Callaway, Troy Bollinger


About iSEC Partners:
--------------------
iSEC Partners is a full-service security consulting firm that provides
penetration testing, secure systems development, security education and
software design verification, with offices in San Francisco, Seattle,
and Ewa Beach.

https://www.isecpartners.com
info@xxxxxxxxxxxxxxxx

Prev by Date: [LC-2008-04] Nokia Browser Array Sort Denial Of Service Vulnerability
Next by Date: CA BrightStor ARCServe BackUp Message Engine Remote Command Injection Vulnerability
Previous by thread: [LC-2008-04] Nokia Browser Array Sort Denial Of Service Vulnerability
Next by thread: CA BrightStor ARCServe BackUp Message Engine Remote Command Injection Vulnerability
Index(es):
- Date
- Thread