Serious Vulnerability in Windows Systems: Here’s How an Attacker Can Gain Complete Control of Your PC
Alessio Stefan: 5 July 2024 08:25
A severe security vulnerability has been discovered in MSI Center, a widely used software on Windows systems. This flaw, classified as CVE-2024-37726 and with a CVSS score of 7.8 (high), allows a low-privileged attacker to gain complete control of the system.
Privilege escalation refers to an attack in which a user with limited privileges gains access with higher privileges, such as those of an administrator, without having the proper authorization. This can allow a malicious user to perform actions that would not normally be allowed.
CVE Details
By exploiting a flaw in the way MSI Center handles permissions, a malicious actor can manipulate the filesystem and trick the software into overwriting or deleting critical files with elevated privileges. In this way, the attacker can take control of the system and perform any action, including installing malware, stealing sensitive data, or even executing arbitrary code with the highest level of privileges. All of this is done through the abuse of symlinks (symbolic links) used to deceive the operating system.
All versions of MSI Center up to and including 2.0.36.0 are vulnerable to this attack. This means that a significant number of Windows systems could be exposed to this serious threat.
The vulnerability can be exploited through the following steps:
Create an OpLock directory: A low-privileged user creates a directory in an accessible location and creates a file inside it. Next, the user uses a system tool to set an OpLock (the article calls this Mandatory Locking) on the file just created. The OpLock holds other processes off the file, preventing them from accessing or modifying it until the lock is released.
Trigger the write operation via MSI Center: The “Export System Information” function in MSI Center is used to trigger a write operation to the OpLocked file.
Replace the original file with a symbolic link: While MSI Center is blocked on the OpLocked file, the attacker replaces that file with a symbolic link pointing to the desired target file (e.g., a critical system file).
Take advantage of MSI Center’s high privileges: The OpLock prevents MSI Center from completing the write until the lock is released; by then the original path resolves through the symbolic link, so MSI Center writes to, or overwrites, the target file the link points to. Since MSI Center runs as NT AUTHORITY\SYSTEM, the attacker gains complete control of the target file, potentially overwriting it with malicious code or deleting it altogether.
In summary, this vulnerability exploits the combination of OpLocks and symbolic links to trick MSI Center into performing high-privileged actions on an arbitrary target file. A low-privileged attacker can leverage this method to gain system control, install malware, steal sensitive data, or cause other severe damage.
Possible abuses
This vulnerability opens the door to a number of serious consequences, including:
Critical files compromise: An attacker can arbitrarily overwrite or delete high-privileged files, leading to potentially irreparable damage to the operating system, applications, or sensitive data.
Silent malware installation: An attacker can leverage the privilege escalation to install malicious software without holding administrator privileges, compromising the security of all users of the system. Furthermore, because the abused component is MSI Center, a signed Windows binary, the activity can bypass security monitoring or antivirus tools. This technique of abusing legitimate, already-present binaries is known as Living-Off-The-Land (LOTL).
Arbitrary code execution: An attacker can execute arbitrary code with SYSTEM privileges, gaining complete control over the system and potentially installing persistent backdoors or stealing critical data.
System startup compromise: An attacker can place malicious payloads in startup locations so that they are triggered automatically on administrator login, compromising the entire system.
Conclusions
MSI has addressed the vulnerability in MSI Center version 2.0.38.0, released on July 3, 2024. Immediate patching to this version is crucial to mitigate the risk.
CVE-2024-37726 poses a severe threat to Windows systems running MSI Center. Updating to the latest version and implementing appropriate security measures is essential to mitigate the risk and protect systems from potential cyberattacks.
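The two things a defender can check from this article are whether an installed MSI Center is older than the fixed 2.0.38.0 and whether user-writable locations contain the reparse points (symbolic links or junctions) that the attack chain in the steps above depends on. The following PowerShell audit is an added example, not code from the article or from MSI; the package and display names it matches on, and the list of user-writable paths it scans, are assumptions.

```powershell
# Added audit script (not part of the original article). Run in an elevated
# PowerShell so that per-user Store packages and all profiles are visible.

# Version in which MSI states the flaw is fixed (from the article).
$FixedVersion = [version]'2.0.38.0'

function Get-MsiCenterStatus {
    # MSI Center ships as a Microsoft Store (Appx) package; the wildcard name
    # is an assumption, so review any extra matches it returns.
    $appx = Get-AppxPackage -AllUsers -Name '*MSI*Center*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Source     = 'Appx'
                Name       = $_.Name
                Version    = [version]$_.Version
                Vulnerable = ([version]$_.Version -lt $FixedVersion)
            }
        }
    # Also check classic installers registered under Uninstall keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $reg = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'MSI Center*' } |
        ForEach-Object {
            $v = $null
            $ok = [version]::TryParse($_.DisplayVersion, [ref]$v)
            [pscustomobject]@{
                Source     = 'Registry'
                Name       = $_.DisplayName
                Version    = $_.DisplayVersion
                Vulnerable = $(if ($ok) { $v -lt $FixedVersion } else { 'unknown' })
            }
        }
    @($appx) + @($reg)
}

function Find-ReparsePoints {
    # Lists symlinks/junctions under paths a low-privileged user can write to
    # (assumed list); a link in such a path pointing at a system file is the
    # precondition the article's steps rely on and deserves a closer look.
    param([string[]]$Paths = @("$env:TEMP", 'C:\Users\Public', 'C:\ProgramData'))
    foreach ($p in $Paths) {
        Get-ChildItem -Path $p -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
            Select-Object FullName, LinkType, Target, LastWriteTime
    }
}

Get-MsiCenterStatus | Format-Table -AutoSize
Find-ReparsePoints  | Format-Table -AutoSize
```

Any entry reported as Vulnerable should be updated to 2.0.38.0 or later; reparse points whose Target is a file outside the user's own profile warrant investigation rather than automatic deletion, since some software legitimately creates junctions.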
Alessio Stefan, member of the Dark Lab group. Master's student in AI & Cybersecurity and CTF player with a passion for ethical hacking that has been with him since a young age. He spends his days immersed in studying and discovering new methods of attack, with just the right amount of practice. Convinced that hacking is a culture, he applies its principles not only in the digital world but also in daily life, while waiting to turn his dedication into a career.