Bloatware Hack: The Code Found In Support Software From Lenovo, Toshiba, And Dell PC Manufacturers

This is really getting ridiculous now. Proof-of-concept code capable of exploiting bloatware bugs in Dell, Toshiba and Lenovo PCs put millions of users at risk of being hacked. Security flaw pile up in support applications pre-installed by computer manufacturers. How to discover and get rid of it?

Explained as, if you have a Lenovo PC which came withthe Lenovo Solution Center app pre-installed (versions 3.1.004 and below), a Dell computer and came with Dell System Detect software versions and below, or having hands-on with Toshiba with the Service Station app (versions 2.6.14 or below), then your PC is at a big and I mean huge risk.

Vulnerabilities have been discovered in technical support applications installed on PCs by aforementioned manufacturers keeps piling up. New exploits have been published for flaws in all the three: Lenovo Solution Center, Toshiba Service Station and Dell System Detect.

The most serious flaws appear to be in Lenovo, could allow a malicious Web page to execute code on its Windows-based computers with system privileges. Flaws discovered by a hacker who uses the online aliases slipstream and RoL and released a proof-of-concept exploit for them last week. This prompted the CERT Coordination Center at Carnegie Mellon University to publish a security advisory.

According to that, it doesn’t matter what you are logged in as – even a less risky Windows User Account instead of an administrator account, because the vendors’ preinstalled bloatware on Dell, Lenovo and Toshiba machines run with full system privileges giving attackers keys to your personal digital kingdom.

One of the issues is caused by the LSCTaskService, which is created by the Lenovo Solution Center and runs with SYSTEM privileges. This service opens an HTTP daemon on port 55555 that can receive commands. One of those commands is called RunInstaller and executes files placed in the %APPDATA%\LSC\Local Store folder.”

Any local user can write to this directory, but the files are executed as athe SYSTEM account, and a restricted user can exploit the logic flaw to gain full system access. One in Dell System Detect (DSD), a tool that users are prompted to install when they click the “Detect Product” button on Dell’s support website.

The Toshiba Service Station application creates a service called TMachInfo that runs as SYSTEM and receives commands via UDP port 1233 on the local host. Called Reg.Read and can be used to read most of the Windows registry with system privileges, according to the hacker.

The flaw in DSD apparently stems from the way Dell attempted to fix a previous vulnerability. According to slipstream, the company implemented RSA-1024 signatures to authenticate commands, but put them in a place on its website where attackers can obtain them. These can be used as a crude bypass method for Windows’ User Account Control (UAC).