MSI Center – How to gain SYSTEM privileges in seconds
- #Privilege Escalation
- #MSI Center Vulnerability
- #Cybersecurity Research
- The researcher targeted MSI Center due to its widespread preinstallation on MSI laptops and desktops, aiming to find vulnerabilities with broad impact.
- Using the offline installer, they identified that MSI Center is packaged with Inno Setup, extracted the files, and decompiled the executables, which are mostly C# with some C++.
- A critical vulnerability was found in MSI's 'Notebook Foundation' service, which exposes a named pipe (MSI_SERVICE_2) accessible to any authenticated user.
- The pipe allows commands like registry manipulation, WMI operations, and running executables as LocalSystem, posing severe security risks like privilege escalation.
- Exploitation involves registering a client and sending commands encrypted with 3DES; the service brute-forces the decryption and runs the command, which gives code execution as LocalSystem.
- Reporting issues included a full mailbox at MSI's PSIRT, but contact was eventually made; MSI patched the vulnerability quickly but did not issue a CVE.
- The researcher received no bug bounties and encourages donations via Ko-fi; the write-up includes a timeline from discovery to patch release and CVE request.
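
The root cause summarized above is a pipe owned by a LocalSystem service whose access control admits any authenticated user. The following is an added example, not code from the researcher or MSI: a small audit helper that flags such DACLs, assuming the pipe's security descriptor has already been exported as an SDDL string by an auditing tool. The function names and sample descriptors are constructed for illustration.

```python
import re

# Principals that include every ordinary logged-on account (SDDL alias or raw SID).
BROAD = {"WD": "Everyone", "S-1-1-0": "Everyone",
         "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
         "BU": "BUILTIN\\Users", "S-1-5-32-545": "BUILTIN\\Users",
         "IU": "INTERACTIVE", "S-1-5-4": "INTERACTIVE"}
# SDDL rights aliases that include write access. DC is bit 0x2, which is
# FILE_WRITE_DATA when the object is a pipe.
WRITE_ALIASES = {"GA", "GW", "FA", "FW", "DC"}
# FILE_WRITE_DATA | GENERIC_ALL | GENERIC_WRITE, for rights given as a hex mask.
WRITE_BITS = 0x2 | 0x10000000 | 0x40000000

def _pairs(field):
    """Split a run of two-letter SDDL tokens ('CIOI' -> {'CI', 'OI'})."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def _grants_write(rights):
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_BITS)
    return bool(_pairs(rights) & WRITE_ALIASES)

def broad_write_aces(sddl):
    """Return (principal, rights) for each allow ACE that lets a broad group write.

    Deny ACEs are not evaluated, so a hit means "review this DACL".
    """
    dacl = sddl.partition("D:")[2].partition("S:")[0]   # drop owner/group and SACL
    if "NO_ACCESS_CONTROL" in dacl:        # NULL DACL: no access checks at all
        return [("Everyone", "NULL DACL")]
    hits = []
    for ace in re.findall(r"\(([^()]*)\)", dacl):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, sid = fields[0], fields[1], fields[2], fields[5]
        if ace_type != "A" or "IO" in _pairs(flags):    # skip deny and inherit-only
            continue
        if sid in BROAD and _grants_write(rights):
            hits.append((BROAD[sid], rights))
    return hits

# Constructed sample descriptors (not the real DACL of any MSI pipe).
SAMPLES = {
    "open_pipe": "O:SYG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x12019b;;;AU)",
    "admin_only": "O:SYG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)S:(AU;SAFA;GA;;;WD)",
    "null_dacl": "O:SYG:SYD:NO_ACCESS_CONTROL",
}
```

A hit on a pipe served by a LocalSystem process is the pattern to investigate first: the DACL is the only barrier between an unprivileged account and whatever commands the service accepts.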