A privilege elevation bug in the ImControllerService service in Lenovo laptops, including ThinkPad and Yoga models, allows attackers to execute commands with admin privileges. The issues are identified as CVE-2021-3922 and CVE-2021-3969, and they impact all Lenovo System Interface Foundation versions below 1.1.20.3’s ImControllerService component. The display name of this service on the Windows services panel is “System Interface Foundation Service.”
Lenovo System Interface Foundation includes the service, allowing Lenovo devices to interface with universal apps like Lenovo Companion, Lenovo Settings, and Lenovo ID. Several Lenovo models, including the Yoga and ThinkPad, come with the service preloaded.
The vulnerabilities were discovered by NCC Group researchers, who submitted their discoveries to Lenovo on October 29, 2021. The security upgrades were provided on November 17, 2021, and the related alert was posted on December 14, 2021.
ImController runs with SYSTEM rights since it needs to retrieve and install files from Lenovo servers, launch child processes, and conduct system setup and maintenance activities. SYSTEM privileges are the highest level of user rights in Windows, allowing you to run practically any command on the system. In Windows, gaining SYSTEM rights gives a user absolute control over the system, allowing them to install malware, add users, and alter practically any system configuration.
This Windows service will spawn more child processes, each of which will open named pipe servers for communication with the child process via the ImController service. When ImController wants to run a command through one of these services, it will connect to the designated pipe and send XML serialized commands to run.
Unfortunately, the service does not encrypt interactions between privileged child processes and does not verify the source of XML serialized commands. It implies that any other process, even malicious ones, can communicate with the child process and send directives. As a result, an attacker exploiting this security flaw can send an instruction to load a ‘plugin’ from any filesystem location.
“The first vulnerability is a race condition between an attacker and the parent process connecting to the child process’ named pipe,” explains NCC Group. “An attacker using high-performance filesystem synchronization routines can reliably win the race with the parent process to connect to the named pipe.”
The researchers emphasize that their proof-of-concept code is always connected to the identified pipe before the parent service, indicating that the attack is quite dependable. The second problem is a TOCTOU (time-of-check to time-of-use) vulnerability, which allows an attacker to block the loading of a verified ImControllerService plugin and replace it with a DLL of their choice.
The DLL is run after the lock is released, and the loading operation continues, resulting in privilege escalation. It is recommended that all Windows users using Lenovo laptops or desktops running ImController version 1.1.20.2 or older upgrade to the most recent version available (1.1.20.3).