Xlab · 2015/11/05


0x00 Preface


WormHole is the product of a class of insecure development habits, and similar problems are not uncommon on PCs; many of the risks there, however, are mitigated by the Windows firewall, which Microsoft enables by default. Hopefully this article, together with the extensive discussion of WormHole, raises the security awareness of some developers.

The problem described below has consequences very similar to WormHole's: it affected hundreds of millions of users, and a client that reaches a single port and sends a single command can make the target system download and execute a program.

The issue was fixed on September 29, 2015. Before the fix, it was present on all ThinkPad, ThinkCentre, ThinkStation and Lenovo V/B/K/E series computers shipped with Windows pre-installed.

0x01 Background


Lenovo ThinkVantage System Update helps users download and install software, drivers and BIOS updates directly from Lenovo's servers, greatly reducing the effort needed to keep a system up to date. It is pre-installed by default on many Lenovo products.

System Update can download software and updates in several ways, depending on the network environment and configuration. One of them is file sharing, and uncServer.exe is the main program implementing it. uncServer.exe is started together with the System Update main program; it sets up a local server and waits for the main program to connect. In earlier versions, uncServer.exe kept running even after the System Update main program exited.

0x02 Vulnerability Description


In System Update 5.6.0.34, uncServer.exe exposes a number of functions over a TCP server channel using the .NET Remoting mechanism.

.NET Remoting, which evolved from DCOM, is one of the older .NET distributed-processing technologies. The server marshals its objects and data and exports them, and the client obtains a reference to the server object across the process boundary over an HTTP, TCP or IPC channel. However, Remoting's marshaling implicitly exports every public method and property of the object: once a client holds a reference to the exported object, it can invoke every method the server object provides. Remoting endpoints are therefore prone to security vulnerabilities, and exposing a Remoting endpoint to untrusted clients is not recommended.

The Connector object exported by UNCServer provides the Connect, DownloadBean, IsFileExist, IsFolderExist, GetFilesInFolder, GetSubFolder, QueryFile and LaunchIE functions. A client can connect, obtain a reference to the exported object, and use it to download files and launch applications.

LaunchIE validates nothing: the string supplied by the client is handed directly to Process.Start, so it can be used to start an arbitrary process.

// uncServer.exe, System Update 5.6.0.34: handler for the LaunchIE action.
// eventObj comes straight from the remote client and reaches Process.Start
// without any check, so any file name or command the client names is run.
case UNCAction.LaunchIE:
    string fileName = (string) eventObj;
    try
    {
        Process.Start(fileName);
    }
    catch
    {
    }
    this.connector.Current = (object) true;
    break;

In addition, System Update adds only an outbound firewall rule for UNCServer, so Windows Firewall blocks inbound connections to it by default. UNCServer, however, lacks the channel configuration that would restrict the listener, and its TcpServerChannel therefore binds to 0.0.0.0:20050, that is, to every interface. On a host without that firewall protection, any machine on the network can connect to the port and use DownloadBean and LaunchIE to download and execute a program remotely.

UNCServer establishes the server channel and exports the object as follows:

// uncServer.exe, System Update 5.6.0.34: channel setup and export of the Connector.
// Only "name", "priority" and "port" are set; with no "bindTo" or
// "rejectRemoteRequests" entry the channel listens on 0.0.0.0:20050.
IDictionary properties = (IDictionary) new Hashtable();
properties[(object) "name"] = (object) "tvsuuncchannel";
properties[(object) "priority"] = (object) 2;
properties[(object) "port"] = (object) 20050;
this.channel = new TcpServerChannel(properties, (IServerChannelSinkProvider) new BinaryServerFormatterSinkProvider());
ChannelServices.RegisterChannel((IChannel) this.channel, false);
this.status = new object();
this.connector = new Connector();
// The Connector is marshaled under the well-known URI "Connector"; any client
// that obtains a proxy to it can call each of its public methods.
RemotingServices.Marshal((MarshalByRefObject) this.connector, "Connector");
this.connector.UNCEvent += new Connector.UNCEventHandler(this.connector_UNCEvent);

0x03 Fix


System Update 5.7.0.13, released by Lenovo on September 29, 2015, fixed several vulnerabilities, this issue among them. LaunchIE and LaunchHelp were reimplemented so that the argument is validated before a process is started: LaunchIE now accepts only an absolute http or https URI. The server channel configuration was hardened to bind to 127.0.0.1:20050 and to reject remote requests. The relevant parts of the fixed code are as follows:

// uncServer.exe, System Update 5.7.0.13: LaunchIE starts the process only if
// the argument parses as an absolute http:// or https:// URI.
case UNCAction.LaunchIE:
    try
    {
        string str = (string) eventObj;
        Uri result;
        if (Uri.TryCreate(str, UriKind.Absolute, out result)
            && (result.Scheme == Uri.UriSchemeHttp || result.Scheme == Uri.UriSchemeHttps))
            Process.Start(str);
    }
    catch
    {
    }
    this.connector.Current = (object) true;
    break;

// Channel setup: "rejectRemoteRequests" and "bindTo" restrict the listener to
// 127.0.0.1:20050, so only local clients can reach the Connector.
IDictionary properties = (IDictionary) new Hashtable();
properties[(object) "name"] = (object) "tvsuuncchannel";
properties[(object) "priority"] = (object) 2;
properties[(object) "port"] = (object) 20050;
properties[(object) "rejectRemoteRequests"] = (object) true;
properties[(object) "bindTo"] = (object) "127.0.0.1";
this.channel = new TcpServerChannel(properties, (IServerChannelSinkProvider) new BinaryServerFormatterSinkProvider());
ChannelServices.RegisterChannel((IChannel) this.channel, false);
this.status = new object();
this.connector = new Connector();
RemotingServices.Marshal((MarshalByRefObject) this.connector, "Connector");
this.connector.UNCEvent += new Connector.UNCEventHandler(this.connector_UNCEvent);
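The vulnerable and the fixed channel configurations differ, from the outside, only in where the listener binds: 0.0.0.0:20050 in 5.6.0.34, 127.0.0.1:20050 in 5.7.0.13. The script below is an added example, not code from Lenovo or from the original write-up. It parses `netstat -ano` output and, given a PID-to-image map of the kind `tasklist` produces, reports whether an uncServer.exe listener on TCP 20050 is bound to a wildcard address. The port number and image name come from this write-up; the netstat rows and the PID map are constructed sample data, so the script runs offline.

```python
"""Audit Windows TCP listeners for a network-exposed uncServer.exe.

Added example, not Lenovo's code. It reads `netstat -ano` output and a
PID -> image-name map (as `tasklist` would give) and reports whether the
System Update listener on TCP 20050 is bound to a wildcard address
(0.0.0.0 / [::], the 5.6.0.34 behaviour) or to loopback only
(127.0.0.1, the 5.7.0.13 behaviour).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address

UNCSERVER_PORT = 20050            # port hard-coded in uncServer's TcpServerChannel
UNCSERVER_IMAGE = "uncserver.exe"

# One `netstat -ano` row, e.g.
#   TCP    0.0.0.0:20050          0.0.0.0:0              LISTENING       1234
# UDP rows have no State column, so that group is optional.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+([A-Z_]+))?\s+(\d+)\s*$")


@dataclass(frozen=True)
class Listener:
    address: str   # local address as printed, e.g. "0.0.0.0" or "[::]"
    port: int
    pid: int


def is_wildcard(address: str) -> bool:
    """True for 0.0.0.0 or :: (the socket listens on every interface)."""
    bare = address.strip("[]").split("%")[0]   # drop IPv6 brackets and zone id
    return ip_address(bare).is_unspecified


def parse_listeners(netstat_output: str) -> list[Listener]:
    """Return the TCP sockets in LISTENING state from `netstat -ano` output."""
    listeners = []
    for line in netstat_output.splitlines():
        m = _ROW.match(line)
        if not m:
            continue                       # banner, header or blank line
        proto, addr, port, state, pid = m.groups()
        if proto == "TCP" and state == "LISTENING":
            listeners.append(Listener(addr, int(port), int(pid)))
    return listeners


def assess_uncserver(netstat_output: str, pid_images: dict[int, str]) -> str:
    """Classify the uncServer.exe listener on port 20050 on this host."""
    unc = [
        l for l in parse_listeners(netstat_output)
        if l.port == UNCSERVER_PORT
        and pid_images.get(l.pid, "").lower() == UNCSERVER_IMAGE
    ]
    if not unc:
        return "not listening"
    if any(is_wildcard(l.address) for l in unc):
        return "exposed: bound to all interfaces"
    return "loopback only"


# Constructed samples (not captured from a real machine). PID 1234 stands for
# the uncServer.exe process; only the port 20050 row differs between the two.
PID_IMAGES = {900: "svchost.exe", 1234: "uncServer.exe", 4120: "OUTLOOK.EXE"}

VULNERABLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:20050          0.0.0.0:0              LISTENING       1234
  TCP    192.168.1.20:49712     52.96.14.18:443        ESTABLISHED     4120
  TCP    [::]:135               [::]:0                 LISTENING       900
  UDP    0.0.0.0:5353           *:*                                    2000
"""

FIXED_NETSTAT = VULNERABLE_NETSTAT.replace("0.0.0.0:20050", "127.0.0.1:20050")

if __name__ == "__main__":
    for label, sample in (("5.6.0.34", VULNERABLE_NETSTAT), ("5.7.0.13", FIXED_NETSTAT)):
        print(f"{label}: {assess_uncserver(sample, PID_IMAGES)}")
```

On a live host, feed it the real `netstat -ano` output and a PID map built from `tasklist /FO CSV`. The check speaks only to network exposure: a wildcard listener is protected only as long as the host firewall keeps blocking the inbound connection, and a listener on 127.0.0.1 remains reachable by every local process.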

0x04 Summary


.NET Remoting, a previous-generation .NET distributed-processing technology, has long been superseded by Microsoft's WCF, in part because of security weaknesses in its design. If your application still uses Remoting for distributed processing or inter-process communication, be aware that it can introduce security vulnerabilities.