Micro-Star International (MSI), a computer manufacturer that claims as much as 15% of the gaming laptop market, ships a utility called "TrueColor" with its systems. Earlier this year, a researcher with Triox found a problem with TrueColor — a missing pair of characters that would allow a malicious actor to execute arbitrary applications and gain system persistence at a very high privilege level. And while the vulnerability has been patched, the factors that allow it to exist remain for every Windows system.
Uriel Kosayev, CTO of Triox, says that he and his research team were looking into vulnerabilities that might exist in drivers and utilities. "I have an MSI computer and decided to research my own computer," he explains. "I found this strange service and through my research found that it could be exploited for persistence and other purposes."
Within Windows, the class of vulnerability he found is called the "Unquoted Service Path” vulnerability. When a utility or service calls an application in its launch parameters, the full pathname of the application is provided. The pathname can either be inside quotation marks or not. And that is the root cause of the vulnerability.
If the service or utility calls the application within quotation marks, then only that specific pathname can be called. If no quotation marks are used, however, any executable can be substituted — and it gets worse. Any change in the executable called is persistent, remaining in place through reboots and resets. And it executes at the privilege level of the service, which is often at administration level during the boot process.
As Kosayev explains, "It's easy to exploit, and it's critical because it gives you persistence on the computer. It's also an issue in a highly privileged account. If attackers know the problem, they can exploit it widely." Kosayev submitted the vulnerability to Mitre and a CVE (CVE-2020-8842) was issued.
Fortunately, the patch was straightforward. "To fix the problem, MSI needed only to add the quotation marks around the path," Kosayev says.
According to the timeline presented in a blog post on the vulnerability, Triox notified MSI of the vulnerability on February 23 and a patch was issued on April 4. Contacting MSI to tell them about the vulnerability was somewhat challenging, Kosayev says, because the company doesn't have a dedicated vulnerability reporting channel or bug bounty program.
"When I explained the problem, it took about 20 days to patch the problem," Kosayev says, continuing, "I think they need an official bounty program like other companies, but in the end, they did patch the problem."
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "5 Ways to Prove Security's Worth in the Age of COVID-19"