MSI Utility Vulnerability Based on Missing Quotation Marks

  /     /     /  
Publicated : 23/11/2024   Category : security


MSI Utility Vulnerability Based on Missing Quotation Marks


The lack of quotation marks in the way a service called an application left MSI computers open to persistent privilege escalation attacks.



Micro-Star International (MSI), a computer manufacturer that claims as much as 15% of the gaming laptop market, ships a utility called TrueColor with its systems. Earlier this year, a researcher with Triox found a problem with TrueColor — a missing pair of characters that would allow a malicious actor to execute arbitrary applications and gain system persistence at a very high privilege level. And while the vulnerability has been patched, the factors that allow it to exist remain for every Windows system.
Uriel Kosayev, CTO of Triox, says that
he and his research team
were looking into vulnerabilities that might exist in drivers and utilities. I have an MSI computer and decided to research my own computer, he explains. I found this strange service and through my research found that it could be exploited for persistence and other purposes.
Within Windows, the class of vulnerability he found is called the Unquoted Service Path” vulnerability. When a utility or service calls an application in its launch parameters, the full pathname of the application is provided. The pathname can either be inside quotation marks or not. And that is the root cause of the vulnerability.
If the service or utility calls the application within quotation marks, then only that specific pathname can be called. If no quotation marks are used, however, any executable can be substituted — and it gets worse. Any change in the executable called is persistent, remaining in place through reboots and resets. And it executes at the privilege level of the service, which is often at administration level during the boot process.
As Kosayev explains, Its easy to exploit, and its critical because it gives you persistence on the computer. Its also an issue in a highly privileged account. If attackers know the problem, they can exploit it widely. Kosayev submitted the vulnerability to Mitre and a CVE (
CVE-2020-8842
) was issued.
Fortunately, the patch was straightforward. To fix the problem, MSI needed only to add the quotation marks around the path, Kosayev says.
According to the timeline presented in a
blog post
on the vulnerability, Triox notified MSI of the vulnerability on February 23 and a patch was issued on April 4. Contacting MSI to tell them about the vulnerability was somewhat challenging, Kosayev says, because the company doesnt have a dedicated vulnerability reporting channel or bug bounty program.
When I explained the problem, it took about 20 days to patch the problem, Kosayev says, continuing, I think they need an official bounty program like other companies, but in the end, they did patch the problem.
Related content:
Apple iOS Zero-Day Vulnerabilities Exploited in Targeted Attacks
11 Tips for Protecting Active Directory While Working from Home
Learning from the Honeypot: A Researcher and a Duplicitous Docker Image
Youre One Misconfiguration Away from a Cloud-Based Data Breach
How Enterprises Are Attacking the Cybersecurity Problem - 2019
State of Cybersecurity Incident Response
Check out
The Edge
, Dark Readings new section for features, threat data, and in-depth perspectives. Todays featured story:
5 Ways to Prove Securitys Worth in the Age of COVID-19

 

Last News

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
MSI Utility Vulnerability Based on Missing Quotation Marks