Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

MSI Utility Vulnerability Based on Missing Quotation Marks

The lack of quotation marks in the way a service called an application left MSI computers open to persistent privilege escalation attacks.

Micro-Star International (MSI), a computer manufacturer that claims as much as 15% of the gaming laptop market, ships a utility called "TrueColor" with its systems. Earlier this year, a researcher with Triox found a problem with TrueColor — a missing pair of characters that would allow a malicious actor to execute arbitrary applications and gain system persistence at a very high privilege level. And while the vulnerability has been patched, the factors that allow it to exist remain for every Windows system.

Uriel Kosayev, CTO of Triox, says that he and his research team were looking into vulnerabilities that might exist in drivers and utilities. "I have an MSI computer and decided to research my own computer," he explains. "I found this strange service and through my research found that it could be exploited for persistence and other purposes."

Within Windows, the class of vulnerability he found is called the "Unquoted Service Path” vulnerability. When a utility or service calls an application in its launch parameters, the full pathname of the application is provided. The pathname can either be inside quotation marks or not. And that is the root cause of the vulnerability.

If the service or utility calls the application within quotation marks, then only that specific pathname can be called. If no quotation marks are used, however, any executable can be substituted — and it gets worse. Any change in the executable called is persistent, remaining in place through reboots and resets. And it executes at the privilege level of the service, which is often at administration level during the boot process.

As Kosayev explains, "It's easy to exploit, and it's critical because it gives you persistence on the computer. It's also an issue in a highly privileged account. If attackers know the problem, they can exploit it widely." Kosayev submitted the vulnerability to Mitre and a CVE (CVE-2020-8842) was issued.

Fortunately, the patch was straightforward. "To fix the problem, MSI needed only to add the quotation marks around the path," Kosayev says.

According to the timeline presented in a blog post on the vulnerability, Triox notified MSI of the vulnerability on February 23 and a patch was issued on April 4. Contacting MSI to tell them about the vulnerability was somewhat challenging, Kosayev says, because the company doesn't have a dedicated vulnerability reporting channel or bug bounty program.

"When I explained the problem, it took about 20 days to patch the problem," Kosayev says, continuing, "I think they need an official bounty program like other companies, but in the end, they did patch the problem."

Related content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "5 Ways to Prove Security's Worth in the Age of COVID-19"

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/30/2020 | 10:39:38 PM
Wrapping
Sometimes its the most minor mistake that causes the tower to topple. This is a perfect example of why code scanning is a must have for any shop that is focused on best practice security.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/4/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13768
PUBLISHED: 2020-06-04
In MiniShare before 1.4.2, there is a stack-based buffer overflow via an HTTP PUT request, which allows an attacker to achieve arbitrary code execution, a similar issue to CVE-2018-19861, CVE-2018-19862, and CVE-2019-17601. NOTE: this product is discontinued.
CVE-2020-13849
PUBLISHED: 2020-06-04
The MQTT protocol 3.1.1 requires a server to set a timeout value of 1.5 times the Keep-Alive value specified by a client, which allows remote attackers to cause a denial of service (loss of the ability to establish new connections), as demonstrated by SlowITe.
CVE-2020-13848
PUBLISHED: 2020-06-04
Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.
CVE-2020-11682
PUBLISHED: 2020-06-04
Castel NextGen DVR v1.0.0 is vulnerable to CSRF in all state-changing request. A __RequestVerificationToken is set by the web interface, and included in requests sent by web interface. However, this token is not verified by the application: the token can be removed from all requests and the request ...
CVE-2020-12847
PUBLISHED: 2020-06-04
Pydio Cells 2.0.4 web application offers an administrative console named “Cells Console� that is available to users with an administrator role. This console provides an administrator user with the possibility of changing several settings, including the applicat...