MSI Center – How to gain SYSTEM privileges in seconds

4 hours ago
  • #Privilege Escalation
  • #MSI Center Vulnerability
  • #Cybersecurity Research
  • The researcher targeted MSI Center due to its widespread preinstallation on MSI laptops and desktops, aiming to find vulnerabilities with broad impact.
  • Using the offline installer, they identified that MSI Center is packaged with Inno Setup, extracted files, and decompiled executables, mostly C# and some C++.
  • A critical vulnerability was found in MSI's 'Notebook Foundation' service, which exposes a named pipe (MSI_SERVICE_2) accessible to any authenticated user.
  • The pipe allows commands like registry manipulation, WMI operations, and running executables as LocalSystem, posing severe security risks like privilege escalation.
  • Exploitation involves registering a client, encrypting commands with 3DES, and the service brute-forcing decryption, enabling code execution as LocalSystem.
  • Reporting issues included a full mailbox at MSI's PSIRT, but contact was eventually made; MSI patched the vulnerability quickly but did not issue a CVE.
  • The researcher received no bug bounties and encourages donations via Ko-fi; the write-up includes a timeline from discovery to patch release and CVE request.
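
A defender-side check for the condition summarized above (a pipe owned by a LocalSystem service that any authenticated user can write to), as an added example that is not from the original write-up or from MSI: it parses a security descriptor in SDDL form and reports broad groups that an allow ACE lets write to the object. The SDDL strings are constructed samples, not the real descriptor of MSI_SERVICE_2; the function names are hypothetical, and the check assumes a DACL with at least one ACE and ignores deny ACEs.

```python
import re

# SDDL aliases for principals that include ordinary, unprivileged users.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "BUILTIN\\Users",
         "IU": "Interactive", "AN": "Anonymous"}
# SDDL rights tokens -> access-mask bits, as they apply to file and pipe objects.
RIGHTS = {"GA": 0x10000000, "GW": 0x40000000, "GR": 0x80000000, "GX": 0x20000000,
          "FA": 0x001F01FF, "FW": 0x00120116, "FR": 0x00120089, "FX": 0x001200A0,
          "DC": 0x00000002}
# Bits that let a client send data into a pipe:
# FILE_WRITE_DATA, GENERIC_WRITE, GENERIC_ALL.
WRITE_BITS = 0x00000002 | 0x40000000 | 0x10000000

def rights_to_mask(rights):
    """Convert an SDDL rights field (hex value or two-letter tokens) to a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS.get(rights[i:i + 2], 0)  # unknown tokens contribute nothing
    return mask

def broad_writers(sddl):
    """Return (principal, mask) pairs for broad groups allowed to write."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not dacl:
        return []
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        # ACE layout: type;flags;rights;object_guid;inherit_guid;account_sid
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A":  # allow ACEs only
            continue
        mask = rights_to_mask(fields[2])
        if fields[5] in BROAD and mask & WRITE_BITS:
            findings.append((BROAD[fields[5]], hex(mask)))
    return findings

# Constructed sample descriptors (not taken from any real service).
SAMPLES = {
    "pipe_open_to_users": "O:SYG:SYD:(A;;FA;;;SY)(A;;0x12019f;;;AU)",
    "pipe_admin_only": "O:SYG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)(A;;FR;;;AU)",
}

if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        print(name, broad_writers(sddl) or "no broad write access")
```

A pipe served by a LocalSystem process that shows up in the first category is worth reviewing for what commands it accepts from the client.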