ID

VAR-E-201606-0225


EDB ID

40040


TITLE

Lenovo ThinkPad - System Management Mode Arbitrary Code Execution - Windows local Exploit

Trust: 0.6

sources: EXPLOIT-DB: 40040

DESCRIPTION

Lenovo ThinkPad - System Management Mode Arbitrary Code Execution. Local exploit for Windows platform.

Trust: 0.6

sources: EXPLOIT-DB: 40040

AFFECTED PRODUCTS

vendor: lenovo, model: thinkpad, scope: -, version: -

Trust: 1.6

sources: EXPLOIT-DB: 40040 // EDBNET: 86341

EXPLOIT

Source: https://github.com/Cr4sh/ThinkPwn

Lenovo ThinkPad System Management Mode arbitrary code execution exploit

***************************************************************************

For more information about this project please read the following article:

http://blog.cr4.sh/2016/06/exploring-and-exploiting-lenovo.html

This code exploits a 0day privilege escalation vulnerability (or backdoor?) in the SystemSmmRuntimeRt UEFI driver (GUID is 7C79AC8C-5E6C-4E3D-BA6F-C260EE7C172E) of Lenovo firmware. The vulnerability is present in all of the ThinkPad series laptops; the oldest one that I have checked is the X220 and the newest one is the T450s (with the latest firmware versions available at this moment). Running arbitrary System Management Mode code allows an attacker to disable flash write protection and infect platform firmware, disable Secure Boot, bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise and do other evil things.

Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/40040.zip

Trust: 1.0

sources: EXPLOIT-DB: 40040

EXPLOIT LANGUAGE

txt

Trust: 0.6

sources: EXPLOIT-DB: 40040

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 40040

TYPE

System Management Mode Arbitrary Code Execution

Trust: 1.0

sources: EXPLOIT-DB: 40040

CREDITS

Cr4sh

Trust: 0.6

sources: EXPLOIT-DB: 40040

EXTERNAL IDS

db: EXPLOIT-DB, id: 40040

Trust: 1.6

db: EDBNET, id: 86341

Trust: 0.6

sources: EXPLOIT-DB: 40040 // EDBNET: 86341

REFERENCES

url:https://github.com/cr4sh/thinkpwn

Trust: 1.0

url:https://www.exploit-db.com/exploits/40040/

Trust: 0.6

sources: EXPLOIT-DB: 40040 // EDBNET: 86341

SOURCES

db: EXPLOIT-DB, id: 40040
db: EDBNET, id: 86341

LAST UPDATE DATE

2022-07-27T09:54:06.564000+00:00


SOURCES RELEASE DATE

db: EXPLOIT-DB, id: 40040, date: 2016-06-29T00:00:00
db: EDBNET, id: 86341, date: 2016-06-29T00:00:00