Lenovo ThinkPad zero-day bypasses Windows security

A researcher has discovered a new low-level zero-day exploit that overrides the protection for the firmware code in Lenovo ThinkPads and other laptops, bypassing hardware and Windows security features.

ThnkPwn in action on a Lenovo ThinkPad. Source: Dmytro Oleksiuk.

Last week, Dmytro Oleksiuk, also known as cr4sh, released the code for his ThnkPwn proof of concept on Github, showing how it can be used to exploit a flaw in the unified extensible firmware interface (UEFI) driver for privilege escalation.

This lets attackers remove the write protection for system flash memory, and allows them to run arbitrary code with full access to the entire victim system.

Lenovo had not received advance notification of the vulnerability, making the exploit a zero-day with no mitigation available.

Oleksiuk said the vulnerability in Lenovo's firmware, old and new versions, allows arbitrary system management mode (SMM) code execution on several of the Chinese PC giant's computers.

"Exploitation of this vulnerability may lead to the flash write protection bypass, disabling of UEFI Secure Boot, Virtual Secure Mode and Credential Guard bypass in Windows 10 Enterprise and other evil things," Oleksiuk wrote.

He found a "suspicious" SMM callback function in the Lenovo firmware when analysing the code and speculated it might be an intentional backdoor. The code does nothing apart from calling an arbitrary function, and Oleksiuk claimed there was no reason to have such a thing in the firmware.

Oleksiuk said he did not alert Lenovo to the vulnerability prior to making it public because it is highly unlikely for it to be exploited in the wild.

There are no patches for the vulnerability. Oleksiuk said the exploit, in theory, would work on other machines than those made by Lenovo.