Lenovo LSE, WPBT and wpbbin.exe

UPDATE: See-also:
https://firmwaresecurity.com/2015/08/16/wpbt-attacks-from-the-past-alex-at-syscan12/
https://firmwaresecurity.com/2015/08/14/whats-the-next-built-in-acpi-attack/
https://firmwaresecurity.com/2015/08/13/us-cert-lenovo-service-engine-lse-bios-vulnerability/
https://firmwaresecurity.com/2015/08/12/lenovo-service-engine/

An interesting find, potentialy scary if misused. See the Ars Technical and YCombinator stories for discovery. What is Windows’ ‘wpbbin.exe’, and how/when is it used? There’s one reference to it on Microsoft.com in a DOC related to WPBT, the Windows Platform Binary Table. From one document no longer on the Microsoft web site (saved in Google cache, found on the Ars article):

A rich set of tools exist to aid Windows provisioning, ranging from driver injection and offline registry management to sysprep imaging tools.  However, there is a small set of software where the tools are not enough.  The software is absolutely critical for the execution of Windows but for one reason or another, the vendor is unable to distribute the software to every provisioning entity.  This paper describes a mechanism for a platform, via the boot firmware, to publish a binary to Windows for execution.  The mechanism leverages a boot firmware component to publish a binary in physical memory described to Windows using a fixed ACPI table. The information provided here was originally published in conjunction with the availability of Windows 8. The guidance and requirements to use WPBT functionality has been updated for the Windows 10 timeframe.

https://www.google.com/?gws_rd=ssl#q=wpbbin.exe+site:microsoft.com
http://arstechnica.com/civis/viewtopic.php?p=29497693&sid=ddf3e32512932172454de515091db014#p29497693
https://news.ycombinator.com/item?id=10039870
https://lkml.org/lkml/2015/5/20/1155
https://www.microsoft.com/en-us/download/details.aspx?id=38405

Found while researching the above: Lenovo has security updates for LSE:

LEN 2015-077: Lenovo Service Engine (LSE) BIOS for Desktop
LEN-2015-020: Lenovo Service Engine (LSE) BIOS for Notebook

Lenovo Security Advisory: LEN-2015-020
Potential Impact: Privilege Escalation
Severity: High
Summary: Vulnerabilities have been identified in the Lenovo Service Engine (LSE). Lenovo has released a BIOS update to disable Lenovo Service Engine and a utility to remove services and files left on the system for systems running Windows 7, 8, 8.1 and 10. See below for a full list of notebook systems with LSE installed. 

https://support.lenovo.com/us/en/product_security/lse_bios_notebook
https://support.lenovo.com/us/en/product_security

3 thoughts on “Lenovo LSE, WPBT and wpbbin.exe

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s