Explore the vulnerabilities found in MSI Center and understand how they can lead to system privileges. Learn about the process and implications.
As the gaming industry continues to evolve, so do the software tools that enhance our experience. One such tool, MSI Center, comes pre-installed on many MSI laptops and desktops. However, behind its gaming prowess lies a significant security ai-driven-world/">vulnerability that could allow unauthorized users to gain SYSTEM privileges almost instantly.
In this investigative article, we will explore how these vulnerabilities were discovered, the implications they hold for users, and what steps MSI is taking to mitigate the risk.
After delving into security flaws in various OEM software from companies like AMD and ASUS, it was a natural progression to investigate MSI Center. Given its broad installation base, a vulnerability in this software could affect countless devices. The quest began with identifying a robust method to examine the software for potential weaknesses.
The first task was to download the offline installer of MSI Center. This is a critical step as many companies restrict software installation on unsupported hardware. Once obtained, the next phase involved running the installer through a tool called Detect-It-Easy to identify how MSI Center is packaged.
Fortunately, the analysis revealed that MSI Center is using Inno Setup packaging. Armed with this knowledge, I employed a specialized tool called innoextract. This tool enabled the extraction of the installer and the contained .appxbundle, which is simply a .zip file in disguise.
The extracted package contained numerous executables, about 170 in total, including dynamic link libraries (DLLs). A majority of these files were created using C#. To efficiently analyze these, I developed a bash script utilizing ilspycmd for decompilation. The resulting code offered a wealth of information but also presented a daunting amount of data for manual review.
Therefore, I shifted my strategy towards searching for common security vulnerabilities. One of the primary targets was the CreateNamedPipe function, which enables communication between various processes on a computer.
Within MSI’s Notebook Foundation service, upon bootup, a named pipe is created that grants every authenticated user access. The critical command sequence here was:
CreateNativePipeSecurity("D:(A;OICI;GRGW;;;AU)(A;OICI;GA;;;BA)");
CreateNamedPipe("\\.\pipe\MSI_SERVICE_2", PIPE_ACCESS_DUPLEX);
This command grants a significant level of access, exposing users to potential exploitation.
The privileges associated with these named pipes are alarmingly permissive. They can be manipulated by malware to disable essential security features like Windows Defender or even elevate user privileges without administrative rights.
A point of concern is MSI's historical reliance on security by obscurity. By encrypting communication with a dated cipher, 3DES, they have opened a gateway for potential exploitation. During my testing phase, I was able to create a Proof of Concept (PoC) that simply launched cmd.exe to illustrate that privilege escalation is indeed feasible.
Moreover, I found that this vulnerability could also be exploited remotely via SMB on a local area network (LAN). However, this would require valid login credentials for successful exploitation. It poses a significant risk if attackers get hold of user credentials.
After uncovering this critical vulnerability, my next step was to report it to MSI. I contacted their Product Security Incident Response Team (PSIRT) via email. However, to my dismay, I received an automated response indicating that their mailbox was full and unable to accept more submissions.
This raised serious concerns about their vulnerability management processes, as it suggested potential delays in addressing security issues reported by researchers. With the intent to escalate the matter, I reached out to industry contacts, including Steve Burke from Gamers Nexus, to find the right channels to communicate with MSI.
Fortunately, my initial report did make it to MSI eventually, and their response was prompt. Within just two days, MSI prepared a patch to address the vulnerability. They informed me of the version that would encapsulate the fix and the planned release date.
However, MSI’s inability to assign a CVE to this vulnerability was concerning. They advised me to request one through MITRE or an external Coordinating National Authority (CNA). At the moment of writing, my submission is still under review by VulDB, which noted that the approval process may take about four weeks due to an influx of new reports.
Notably, despite these findings and extensive communications regarding vulnerabilities with various companies, my efforts have yet to result in any financial rewards through bug bounties.
The vulnerabilities found in MSI Center highlight significant security gaps and raise questions about the robustness of pre-installed software across the gaming ecosystem. As digital threats continue to evolve, it is essential for companies to prioritize security measures in their products.
MSI's proactive response to the reported vulnerabilities signifies a positive step towards enhancing user security, but it is crucial for all companies in this domain to take similar actions. As technology advances, the necessity for thorough vulnerability assessments is pivotal to safeguarding users.
For those interested in the nuances of security in gaming software and beyond, please consider supporting my work through my Ko-fi page: https://ko-fi.com/mrbruhh.