Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:20695
HistoryOct 14, 2008 - 12:00 a.m.

iSEC Partners Security Advisory - 2008-002-lenovornr - Lenovo Rescue and Recovery 4.20

2008-10-1400:00:00
vulners.com
19
JSON

iSEC Partners Security Advisory - 2008-002-lenovornr
https://www.isecpartners.com

Lenovo Rescue and Recovery Local Kernel Overflow

Vendor: Lenovo
Vendor URL: http://www.lenovo.com
Versions affected: 4.20
Systems Affected: Windows XP, Windows Vista
Severity: Medium (Local Privilege Escalation)
Authors: Chris Clark <cclark[at]isecpartners[dot]com>
Rachel Engel <rachel[at]isecpartners[dot]com>

Vendor notified: Yes
Public release: 10/10/08
Advisory URL: https://www.isecpartners.com/advisories/2008-02-lenovornr.txt

Summary:

Lenovo Rescue and Recovery monitors system changes and enables users to
quickly restore their systems in the event of failure. One component
of the Rescue and Recovery system is a file system filter driver which
monitors new file writes/reads.

There is a heap overflow in the file system filter kernel driver which
could allow an attacker to overwrite kernel memory leading to elevation
of privilege.

Details:

The tvtumon.sys driver serves as a file system filter driver which
monitors for file creation or changes. Recent lookups are cached within
a kernel lookaside list. If an overly long filename is passed through
the filesystem, then a buffer within the lookaside list will overflow,
leading to kernel memory corruption.

A low privileged user can trigger this corruption from user mode and
potentially escalate privileges to act as part of the kernel. In the
(unlikely) event that a web browser plugin allows opening of long
filenames, there is a chance the corruption could be triggered through a
web page.

Fix Information:

Lenovo has issued a patch and advisory:

http://www-307.ibm.com/pc/support/site.wss/MIGR-70699.html
http://www-307.ibm.com/pc/support/site.wss/MIGR-4Q2QAK.html

Thanks to:

Dave Challener, Derek Callaway, Troy Bollinger

About iSEC Partners:

iSEC Partners is a full-service security consulting firm that provides
penetration testing, secure systems development, security education and
software design verification, with offices in San Francisco, Seattle,
and Ewa Beach.

https://www.isecpartners.com
[email protected]

JSON