New exploits have been published for flaws in Lenovo Solution Center, Toshiba Service Station and Dell System Detect. CERT said that the the Lenovo Solution Center application contains multiple vulnerabilities that can allow an attacker to execute arbitrary code with SYSTEM privileges.

"We are urgently assessing the vulnerability report and will provide an update and applicable fixes as rapidly as possible, "the Lenovo said.

Launching the Lenovo Solution Center creates a process called LSCTaskService, which runs with SYSTEM privileges. This process runs an HTTP daemon on port 55555, which allows HTTP GET and POST requests to execute methods in the LSCController.dll module. According to CERT, this component includes a number of unsafe methods, including RunInstaller, which is designed to execute arbitrary code from the %APPDATA%\LSC\Local Store directory. This directory is created for each user that logs in to an affected system. The user can write to this directory, regardless of whether the account has administrative privileges on the system. This vulnerability can allow a standard local user to execute arbitrary code with SYSTEM privileges.

Due to a directory traversal vulnerability, Lenovo Solution Center allows an attacker to execute code that resides in an arbitrary location on the drive where user profile directories exist. If an attacker can place arbitrary code in a predictable location on a vulnerable system, this can allow for arbitrary code execution with SYSTEM privileges.

The LSCTaskService component of Lenovo Solution Center contains a CSRF vulnerability. This vulnerability allows web content hosted by any domain to successfully execute requests using the vulnerable service. The CSRF vulnerability in Lenovo Solution Center allows a malicious or compromised web site to be able to cause code execution with SYSTEM privileges on an affected Lenovo system.

By convincing a user who has launched the Lenovo Solution Center to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with SYSTEM privileges. Additionally, a local user can execute arbitrary code with SYSTEM privileges.

To remove the potential risk posed by this vulnerability, users can uninstall the Lenovo Solution Center application using the add / remove programs function.

Slipstream has also published proof-of-concept exploits for two other, lower-impact, vulnerabilities -- one in the Toshiba Service Station and one in Dell System Detect (DSD), a tool that users are prompted to install when they click the "Detect Product" button on Dell's support website.

The Toshiba Service Station application creates a service called TMachInfo that runs as SYSTEM and receives commands via UDP port 1233 on the local host. One of those commands is called Reg.Read and can be used to read most of the Windows registry with system privileges

The flaw in DSD apparently stems from the way Dell attempted to fix a previous vulnerability. According to slipstream, the company implemented RSA-1024 signatures to authenticate commands, but put them in a place on its website where attackers can obtain them.

These can be used as a crude bypass method for Windows' User Account Control (UAC). In this context, the bypass means that "if DSD isn't elevated, we annoy the user with elevation requests until they click yes," Slipstream said.

Toshiba and Dell have not provided any comment yet.