Lenovo LSE, WPBT and wpbbin.exe

~ hucktech

UPDATE: See-also:

WPBT attacks from the past: Alex at SyScan12

What’s the next built-in ACPI attack?

US-CERT: Lenovo Service Engine (LSE) BIOS Vulnerability

Lenovo Service Engine

An interesting find, potentialy scary if misused. See the Ars Technical and YCombinator stories for discovery. What is Windows’ ‘wpbbin.exe’, and how/when is it used? There’s one reference to it on Microsoft.com in a DOC related to WPBT, the Windows Platform Binary Table. From one document no longer on the Microsoft web site (saved in Google cache, found on the Ars article):

A rich set of tools exist to aid Windows provisioning, ranging from driver injection and offline registry management to sysprep imaging tools.  However, there is a small set of software where the tools are not enough.  The software is absolutely critical for the execution of Windows but for one reason or another, the vendor is unable to distribute the software to every provisioning entity.  This paper describes a mechanism for a platform, via the boot firmware, to publish a binary to Windows for execution.  The mechanism leverages a boot firmware component to publish a binary in physical memory described to Windows using a fixed ACPI table. The information provided here was originally published in conjunction with the availability of Windows 8. The guidance and requirements to use WPBT functionality has been updated for the Windows 10 timeframe.

https://www.google.com/?gws_rd=ssl#q=wpbbin.exe+site:microsoft.com
http://arstechnica.com/civis/viewtopic.php?p=29497693&sid=ddf3e32512932172454de515091db014#p29497693
https://news.ycombinator.com/item?id=10039870
https://lkml.org/lkml/2015/5/20/1155
https://www.microsoft.com/en-us/download/details.aspx?id=38405

Found while researching the above: Lenovo has security updates for LSE:

LEN 2015-077: Lenovo Service Engine (LSE) BIOS for Desktop
LEN-2015-020: Lenovo Service Engine (LSE) BIOS for Notebook

Lenovo Security Advisory: LEN-2015-020
Potential Impact: Privilege Escalation
Severity: High
Summary: Vulnerabilities have been identified in the Lenovo Service Engine (LSE). Lenovo has released a BIOS update to disable Lenovo Service Engine and a utility to remove services and files left on the system for systems running Windows 7, 8, 8.1 and 10. See below for a full list of notebook systems with LSE installed. 

https://support.lenovo.com/us/en/product_security/lse_bios_notebook
https://support.lenovo.com/us/en/product_security

Published by hucktech