MSI Center – How to gain SYSTEM privileges in seconds
A security researcher exposed a severe privilege escalation flaw in MSI Center, a widely preinstalled OEM utility, allowing any authenticated user to gain full SYSTEM privileges. The detailed exposé walks through the reverse engineering process, highlighting shoddy security practices like outdated encryption and the frustration of reporting critical vulnerabilities to a vendor with a full email inbox. This deep dive into a real-world exploit showcases both technical prowess and the precarious state of pre-installed software security.
The Lowdown
This report details a critical privilege escalation vulnerability discovered in MSI Center, a common software suite preinstalled on MSI laptops and desktops. The flaw, found by an independent security researcher, allows any authenticated user to achieve SYSTEM-level access, posing a significant security risk by enabling unauthorized control over the operating system.
- The researcher, building on previous findings in AMD and ASUS OEM software, targeted MSI Center due to its pervasive installation base, suggesting widespread impact for any discovered vulnerabilities.
- The investigative process involved downloading and dissecting the MSI Center installer, using tools like Detect-It-Easy and innoextract to uncover its Inno Setup packaging and the embedded .appxbundle.
- Extensive decompilation of 170 executables and DLLs (primarily C# with ilspycmd and C++ with IDA) led to a focused search for common weaknesses, culminating in the discovery of an insecure named pipe.
- The "Notebook Foundation" service created a named pipe, MSI_SERVICE_2, whose access control granted any authenticated user access to highly privileged commands, including registry manipulation, WMI control, and the ability to run or kill executables as LocalSystem.
- MSI's attempt at security by obscurity, outdated 3DES encryption of the pipe traffic using the client name as the key, proved ineffective and was easily bypassed to execute arbitrary commands: a key that every client can derive authenticates nothing, so encrypting the messages added no access control.
- A proof of concept demonstrated launching cmd.exe with SYSTEM privileges. The researcher also noted the potential for remote code execution over SMB given valid credentials, since named pipes are reachable from other hosts through the IPC$ share.
- The responsible disclosure process hit a hurdle when MSI's vulnerability-reporting mailbox was full, but the issue was eventually communicated, and a patch was released within two days.
- The researcher also pointed out a recurring theme: zero bug bounty payouts from multiple major vendors despite successful vulnerability reports, highlighting a lack of financial incentive for independent security research.
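The root cause summarised above is a named pipe whose DACL lets broad groups write to it, so the practical check on any Windows host is to enumerate named pipes and flag those writable by Everyone, Authenticated Users or BUILTIN\Users. The script below is an added example for this page, not code from the researcher's write-up or from MSI; it assumes Windows PowerShell 5.1 (.NET Framework), where PipeStream.GetAccessControl() is available, and the function names and the 200 ms connect timeout are my own choices. On an unpatched host a pipe such as MSI_SERVICE_2 would show up in its output; what the vendor's fix changed is not stated on this page.

```powershell
# Added example: audit named-pipe DACLs for write access granted to broad groups.
# Assumes Windows PowerShell 5.1 (.NET Framework); on PowerShell 7 GetAccessControl()
# lives in the System.IO.Pipes.AccessControl extension assembly instead.

# Well-known SIDs are used so the check is independent of display-name localisation.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-PipeAccessRules {
    param([Parameter(Mandatory)][string]$PipeName)
    # A client handle is needed to read the security descriptor. Connecting occupies one
    # server instance for the duration of the call and the server will see a client that
    # connects and immediately disconnects, so keep the timeout short. A server created
    # inbound-only rejects GENERIC_READ clients, hence the fallback to the Out direction.
    foreach ($direction in @([System.IO.Pipes.PipeDirection]::In, [System.IO.Pipes.PipeDirection]::Out)) {
        $client = New-Object System.IO.Pipes.NamedPipeClientStream('.', $PipeName, $direction)
        try {
            $client.Connect(200)   # milliseconds; throws if no free instance or access denied
            return $client.GetAccessControl().GetAccessRules(
                $true, $true, [System.Security.Principal.SecurityIdentifier])
        } catch [System.UnauthorizedAccessException] {
            # wrong direction for this server; try the other one
        } finally {
            $client.Dispose()
        }
    }
    throw "could not open pipe $PipeName in either direction"
}

function Find-BroadlyWritablePipes {
    $writeMask = [System.IO.Pipes.PipeAccessRights]::WriteData
    foreach ($pipe in Get-ChildItem -Path '\\.\pipe\') {
        try { $rules = Get-PipeAccessRules -PipeName $pipe.Name } catch { continue }
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -eq 'Allow' -and $BroadSids.ContainsKey($sid) -and
                ($rule.PipeAccessRights -band $writeMask)) {
                [pscustomobject]@{
                    Pipe      = $pipe.Name
                    Principal = $BroadSids[$sid]
                    Rights    = $rule.PipeAccessRights
                }
            }
        }
    }
}

Find-BroadlyWritablePipes | Sort-Object Pipe | Format-Table -AutoSize
```

Every pipe this lists deserves a look at what the server on the other end does with the messages it receives: write access for Authenticated Users is only a finding when, as here, the server acts on those messages with its own (SYSTEM) token and without checking who sent them. The Sysinternals accesschk tool (accesschk -w \pipe\*) gives the same DACL view without connecting to each pipe, which is preferable on production hosts.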
This exposé not only uncovers a severe vulnerability in widely deployed OEM software but also provides a stark look at the realities of security research and vendor response. It emphasizes the critical need for better security practices in pre-installed applications and for more effective channels for responsible disclosure and researcher recognition.