Red Hot Cyber

Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Search

Serious Vulnerability in Windows Systems: Here’s How an Attacker Can Gain Complete Control of Your PC

Alessio Stefan : 5 July 2024 08:25

A severe security vulnerability has been discovered in MSI Center, a widely used software on Windows systems. This flaw, classified as CVE-2024-37726 and with a CVSS score of 7.8 (high), allows a low-privileged attacker to gain complete control of the system.

Privilege escalation refers to an attack in which a user with limited privileges gains access with higher privileges, such as those of an administrator, without having the proper authorization. This can allow a malicious user to perform actions that would not normally be allowed.

CVE Details

Iscriviti GRATIS alla RHC Conference 2025 (Venerdì 9 maggio 2025)

Il giorno Venerdì 9 maggio 2025 presso il teatro Italia di Roma (a due passi dalla stazione termini e dalla metro B di Piazza Bologna), si terrà la RHC Conference 2025. Si tratta dell’appuntamento annuale gratuito, creato dalla community di RHC, per far accrescere l’interesse verso le tecnologie digitali, l’innovazione digitale e la consapevolezza del rischio informatico.

La giornata inizierà alle 9:30 (con accoglienza dalle 9:00) e sarà interamente dedicata alla RHC Conference, un evento di spicco nel campo della sicurezza informatica. Il programma prevede un panel con ospiti istituzionali che si terrà all’inizio della conferenza. Successivamente, numerosi interventi di esperti nazionali nel campo della sicurezza informatica si susseguiranno sul palco fino alle ore 19:00 circa, quando termineranno le sessioni. Prima del termine della conferenza, ci sarà la premiazione dei vincitori della Capture The Flag prevista per le ore 18:00.
Potete iscrivervi gratuitamente all'evento utilizzando questo link.

Per ulteriori informazioni, scrivi a [email protected] oppure su Whatsapp al 379 163 8765


Supporta RHC attraverso:


Ti piacciono gli articoli di Red Hot Cyber? Non aspettare oltre, iscriviti alla newsletter settimanale per non perdere nessun articolo.

By exploiting a flaw in the way MSI Center handles permissions, a malicious actor can manipulate the filesystem and trick the software into overwriting or deleting critical files with elevated privileges. In this way, the attacker can take control of the system and perform any action, including installing malware, stealing sensitive data, or even executing arbitrary code with the highest level of privileges. All of this is done through the abuse of symlinks (symbolic links) used to deceive the operating system.

All versions of MSI Center up to and including 2.0.36.0 are vulnerable to this attack. This means that a significant number of Windows systems could be exposed to this serious threat.

The vulnerability can be exploited through the following steps:

  1. Create an OpLock Directory = A low-privileged user creates a directory in an accessible location and, in turn, creates a file inside it. Next, the user uses a system tool to set an OpLock (Mandatory Locking) on the previously created file. An OpLock prevents other processes from accessing or modifying the file until the lock is released.
  2. Activation of the write operation via MSI Center = The “Export System Information” function in MSI Center is used to trigger a write operation to the OpLocked file.
  3. Replacing the original file with a symbolic link = As MSI Center attempts to write to the OpLocked file, the attacker replaces it with a symbolic link that points to the desired target file (e.g., a critical system file).
  4. Taking advantage of MSI Center’s High Privileges = When MSI Center attempts to complete the write operation, it will be unable to access the original file due to the OpLock. However, due to the previously created symbolic link, MSI Center will write to or overwrite the target file pointed to by the link. Since MSI Center runs with NT AUTHORITY\SYSTEM privileges, the attacker gains complete control of the target file, potentially overwriting it with malicious code or deleting it altogether.

In summary, this vulnerability exploits the combination of OpLocks and symbolic links to trick MSI Center into performing high-privileged actions on an arbitrary target file. A low-privileged attacker can leverage this method to gain system control, install malware, steal sensitive data, or cause other severe damage.

Possible abuses

This vulnerability opens the door to a number of serious consequences, including:

  1. Critical Files Compromise : An attacker can arbitrarily overwrite or delete high-privileged files, leading to potential irreparable damage to the operating system, applications, or sensitive data.
  2. Silent Malware Installation : An attacker can leverage privilege escalation to install malicious software without administrator privileges, compromising the security of all system users. Furthermore, the exploitation of MSI Center, a signed Windows binary, enables the bypass of security monitoring or antivirus tools. This technique of utilizing standard Windows binaries is known as Living-Off-The-Land (LOTL).
  3. Arbitrary Code Execution : An attacker can execute arbitrary code with SYSTEM privileges, gaining complete control over the system and potentially installing persistent backdoors or stealing critical data.
  4. System Startup Compromise : An attacker can place malicious payloads in startup locations, triggering them automatically upon administrator login, compromising the entire system.

Conclusions

MSI has addressed the vulnerability in MSI Center version 2.0.38.0, released on July 3, 2024. Immediate patching to this version is crucial to mitigate the risk.

The CVE-2024-37726 vulnerability poses a severe threat to Windows systems using MSI Center. Updating to the latest version and implementing appropriate security measures is essential to mitigate the risk and protect systems from potential cyberattacks.

Alessio Stefan
Member of the Dark Lab group. Master's student of AI & Cybersecurity and CTF player with a passion for ethical hacking that has been with him since a young age. He spends his days immersed in studying and discovering new methods of attack with just the right amount of practice. Convinced that hacking is a culture he applies its principles not only in the digital world but also to daily life while waiting of turning his dedication into a career.

Lista degli articoli
Categories
Banner

Editorial board : [email protected]

Facebook Linkedin Youtube Telegram Twitter Pinterest Tumblr
Redhotcyber is an open-news project that was launched in 2019 and subsequently expanded into a network of individuals collaborating to disseminate information and topics focused on technology, Information Technology, and cybersecurity. Its goal is to increase risk awareness among an ever-growing number of people.