MSI TrueColor Unquoted Service Path Vulnerability

(CVE-2020-8842)

Introduction

The TRIOX security research team, led by Uriel Kosayev and Shay Rozen, discovered a new privilege escalation and persistence vulnerability in the Windows service of the MSI TrueColor utility.

The MSI (Micro-Star International) TrueColor utility comes pre-installed on MSI gaming laptops, which are used widely around the world, and can also be freely downloaded from the official MSI website. An attacker can exploit this vulnerability during the post-exploitation phase to achieve privilege escalation and persistence by planting an arbitrary unsigned executable that a signed service running as NT AUTHORITY\SYSTEM then executes on the victim machine.

The Vulnerability

In the Windows operating system, a service is susceptible to an “Unquoted Service Path” vulnerability if its executable path is not wrapped in quotation marks. In this case, the Windows service named “MSITrueColorService” launches its executable through the “CreateProcessAsUserA” Windows API function, as can be seen below:

[Screenshot: CreateProcessAsUser - TRIOX Research]

The “CreateProcessAsUserA” Windows API function receives a number of parameters, among them “lpApplicationName”, whose value is the executable name or the full path to the executable. In this case the path is passed without quotation marks, which leads to this vulnerability.

To exploit such a vulnerability, gaining persistence and escalating privileges, an attacker needs to drop a payload into a path that shares a space-delimited prefix with the service path, for example “C:\Program {payload} Files”; the payload will be executed after the computer or the service is restarted. This can be done either through an administrative account, or by abusing a service path with insufficient permissions, so that any low-privileged user holding the “W” (write) permission on that location can drop a malicious payload there without needing an administrative account. Below you can see Microsoft’s explanation of the “lpApplicationName” parameter, which further explains this vulnerability:

[Screenshot: lpApplicationName on MSDN - TRIOX Research]

In the screenshot below, we can see that when the “MSITrueColorService” service is started, our “Program.exe” payload is executed as NT AUTHORITY\SYSTEM:

[Screenshot: Process Monitor showing Program.exe launched as SYSTEM - TRIOX Research]
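The following audit script is an added example written for this page; it is not part of the TRIOX advisory or of MSI's code. It models the path resolution that Microsoft documents for an unquoted path containing spaces (each space-delimited prefix with “.exe” appended is tried before the full path), flags service ImagePath values that are ambiguous in this way, lists the locations a defender must check for weak write ACLs, and shows the remediation of quoting the executable portion. The service names and ImagePath values in SAMPLE_SERVICES are constructed for illustration.

```python
import re

# Constructed sample ImagePath values, keyed by service name. These are
# illustrative entries (not taken from the advisory) in the form found at
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
SAMPLE_SERVICES = {
    "ExampleQuotedSvc": r'"C:\Program Files\Example\svc.exe" -run',
    "ExampleUnquotedSvc": r"C:\Program Files\Example Vendor\Tool\service.exe",
    "ExampleSystemSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "ExampleNoSpaceSvc": r"C:\Tools\agent.exe --service",
}


def executable_part(image_path):
    """Return the slice of an unquoted ImagePath up to and including the
    executable name (the first '.exe' token), without trailing arguments."""
    path = image_path.strip()
    match = re.search(r"\.exe\b", path, re.IGNORECASE)
    return path[: match.end()] if match else path.split(" ")[0]


def is_unquoted_with_spaces(image_path):
    """True if the path is not wrapped in quotes and the executable's
    directory or file name contains a space, i.e. the ambiguous case."""
    path = image_path.strip()
    if path.startswith('"'):
        return False
    return " " in executable_part(path)


def candidate_paths(image_path):
    """List the files Windows tries, in order, when resolving the path:
    every space-delimited prefix with '.exe' appended, then the full path.
    A quoted path resolves to exactly one candidate."""
    path = image_path.strip()
    if path.startswith('"'):
        closing = path.find('"', 1)
        return [path[1:closing]] if closing > 0 else []
    exe = executable_part(path)
    candidates = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    candidates.append(exe)
    return candidates


def quote_image_path(image_path):
    """Remediation: wrap the executable portion in quotes, leaving any
    arguments untouched. Paths that need no quoting are returned as-is."""
    if not is_unquoted_with_spaces(image_path):
        return image_path
    path = image_path.strip()
    exe = executable_part(path)
    return '"' + exe + '"' + path[len(exe):]


def audit(services):
    """Map each vulnerable service to the candidate executables Windows would
    try; their parent directories are where write ACLs must be reviewed."""
    return {
        name: candidate_paths(image_path)
        for name, image_path in services.items()
        if is_unquoted_with_spaces(image_path)
    }


if __name__ == "__main__":
    for name, candidates in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces")
        for candidate in candidates:
            print(f"  would try: {candidate}")
        print(f"  fix: {quote_image_path(SAMPLE_SERVICES[name])}")
```

On a real host, feed the script the PathName column of `Get-CimInstance Win32_Service | Select-Object Name, PathName` instead of the constructed dictionary, and review the ACLs of each flagged candidate's parent directory with `icacls`. A directory writable by non-administrators that appears in the candidate list is the condition the advisory describes; quoting the ImagePath (or the lpApplicationName value in the service's own code) collapses the candidate list to the single intended executable.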

Proof of Concept Video


Disclosure Timeline

Feb. 10th, 2020 – Vulnerability reported to MITRE.

Feb. 23rd, 2020 – Contacted MSI for further details and cooperation.

Mar. 2nd, 2020 – Initial response from MSI headquarters.

Mar. 20th, 2020 – MITRE assigned CVE: CVE-2020-8842.

Apr. 4th, 2020 – MSI released the patch (version: 3.0.52.0).
