By Uriel Kosayev (@MalFuzzer) and Shay Rozen
Introduction
MSI (Micro-Star International) TrueColor utility comes as a pre-installed utility program on MSI gaming laptops that are used widely around the world and can be also freely downloaded from the official MSI website. This vulnerability can be exploited by an attacker during the post-exploitation phase in order to achieve privilege escalation and persistence, by using the technique of implanting an arbitrary unsigned executable which is executed by a signed service that runs with the NT AUTHORITY\SYSTEM privileges on the victim machine.
The Vulnerability
In the Windows operating system, service is susceptible to “Unquoted Service Path” vulnerability if the executable path is not wrapped with quotation marks. In this case, the Windows service dubbed as “MSITrueColorService” is executed with the “CreateProcessAsUserA” Windows API function as can be seen below:
The “CreateProcessAsUserA” Windows API function receives a number of parameters such as the “lpApplicationName” parameter that has a value of the executable name or the full path to the executable, and in this case, with no quotation marks which leads to this vulnerability.
To exploit such vulnerability, gain persistency, and escalate the privileges, an attacker needs to drop a payload in a path that has a spaced-name like “C:\Program {payload} Files” that will be executed after a computer or service is restarted, either through an administrative account or by abusing a service path that has insufficient permission so that any weak user with the “W” (write) permission, for instance, can drop a malicious payload to this path without the need of an administrative account. Below you can see Microsoft’s explanation of the “lpApplicationName” parameter that further explains this vulnerability:
In the screenshot below we can see that when the service of “MSITrueColorService” is started, our “Program.exe” payload is executed with the permission level of NT AUTHORITY\SYSTEM:
Proof of Concept Video
Disclosure Timeline
Feb. 10th, 2020 – Vulnerability reported to MITRE.
Feb. 23th, 2020 – Contacted MSI for further details and cooperation.
Mar. 2th, 2020 – Initial response from MSI headquarters.
Mar. 20th, 2020 – MITRE assigned CVE: CVE-2020-8842.
Apr. 4th, 2020 – MSI released the patch (version: 3.0.52.0).