By exploiting a flaw in the way MSI Center handles file permissions, a malicious actor can manipulate the filesystem and trick the software into overwriting or deleting critical files with elevated privileges. From there, the attacker can take control of the system and perform any action, including installing malware, stealing sensitive data, or executing arbitrary code with the highest level of privileges. The whole attack relies on abusing symlinks (symbolic links) to deceive the operating system.
All versions of MSI Center up to and including 2.0.36.0 are vulnerable to this attack, which means a significant number of Windows systems could be exposed to this serious threat.
Exploitation Steps
The vulnerability can be exploited through the following steps:
- Create an OpLock Directory: A low-privileged user creates a directory in an accessible location and a file inside it, then uses a system tool to set an OpLock (opportunistic lock) on that file. An OpLock causes another process's attempt to open or modify the file to be held until the lock is released.
- Activation of the write operation via MSI Center: The “Export System Information” function in MSI Center is used to trigger a write operation to the OpLocked file.
- Replacing the original file with a symbolic link: While MSI Center's write is held by the OpLock, the attacker replaces the file with a symbolic link that points to the desired target file (e.g., a critical system file).
- Taking advantage of MSI Center's High Privileges: When MSI Center attempts to complete the write operation, the OpLock has kept it from touching the original file; the path it then opens resolves through the symbolic link, so MSI Center writes to or overwrites the target file the link points to. Since MSI Center runs with NT AUTHORITY\SYSTEM privileges, the attacker gains complete control of the target file, potentially overwriting it with malicious content or deleting it altogether.
In summary, this vulnerability combines OpLocks and symbolic links to trick MSI Center into performing high-privileged actions on an arbitrary target file. A low-privileged attacker can leverage this method to gain system control, install malware, steal sensitive data, or cause other severe damage.
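The root cause is a privileged writer that follows whatever the path resolves to at write time. The following is an added example (not MSI's code) of how such a writer can defend against the symlink swap in step 3: safe_overwrite refuses to follow links, confirms the object it opened is the one it inspected, and only then truncates; demo is a constructed scenario that runs in a temporary directory. It assumes POSIX O_NOFOLLOW; on Windows it falls back to the reparse-point check only, and creating the demo symlink needs the symlink privilege.

```python
import os
import stat
import tempfile

def safe_overwrite(path: str, data: bytes) -> bool:
    """Overwrite path only if it is a regular file that is not a symlink.
    O_NOFOLLOW (POSIX) makes the open itself refuse a link, so a swap after
    the lstat check still fails; fstat confirms the opened object is the
    inspected one, and truncation happens only after those checks."""
    try:
        before = os.lstat(path)
    except OSError:
        return False
    # Reject symlinks on POSIX and reparse points (symlinks/junctions) on Windows.
    if stat.S_ISLNK(before.st_mode) or getattr(before, "st_reparse_tag", 0):
        return False
    try:
        fd = os.open(path, os.O_WRONLY | getattr(os, "O_NOFOLLOW", 0))
    except OSError:  # e.g. ELOOP when O_NOFOLLOW meets a symlink
        return False
    try:
        after = os.fstat(fd)
        if not stat.S_ISREG(after.st_mode) or \
           (after.st_dev, after.st_ino) != (before.st_dev, before.st_ino):
            return False
        os.ftruncate(fd, 0)
        os.write(fd, data)
        return True
    finally:
        os.close(fd)

def demo() -> dict:
    """Constructed scenario for step 3: the export file is swapped for a symlink
    to a protected target. Everything lives in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target.txt")
        export = os.path.join(d, "export.txt")
        with open(target, "wb") as f:
            f.write(b"original system data")
        with open(export, "wb") as f:
            f.write(b"placeholder")
        ok_regular = safe_overwrite(export, b"system info")  # honest case
        os.remove(export)
        os.symlink(target, export)  # the swap from step 3
        ok_symlink = safe_overwrite(export, b"attacker data")
        with open(target, "rb") as f:
            target_after = f.read()
        return {"regular": ok_regular, "symlink": ok_symlink, "target": target_after}
```

On Windows the corresponding controls are opening with FILE_FLAG_OPEN_REPARSE_POINT and rejecting reparse points, or performing the export while impersonating the requesting user so that SYSTEM never writes on the user's behalf.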
Possible Abuses
This vulnerability opens the door to a number of serious consequences, including:
- Critical File Compromise: An attacker can arbitrarily overwrite or delete high-privileged files, leading to potentially irreparable damage to the operating system, applications, or sensitive data.
- Silent Malware Installation: An attacker can leverage the privilege escalation to install malicious software without administrator privileges, compromising the security of all users of the system. Furthermore, because MSI Center is a signed Windows binary, abusing it can bypass security monitoring or antivirus tools. This technique of utilizing standard Windows binaries is known as Living-Off-The-Land (LOTL).
- Arbitrary Code Execution: An attacker can execute arbitrary code with SYSTEM privileges, gaining complete control over the system and potentially installing persistent backdoors or stealing critical data.
- System Startup Compromise: An attacker can place malicious payloads in startup locations so that they run automatically upon administrator login, compromising the entire system.
MSI has addressed the vulnerability in MSI Center version 2.0.38.0, released on July 3, 2024. Immediate patching to this version is crucial to mitigate the risk. The CVE-2024-37726