MSI TrueColor Unquoted Service Path 

Author

Uriel Kosayev
Cybersecurity researcher and red teamer who lives both on the offensive and defensive fronts. The author of the “Antivirus Bypass Techniques” book, expert in malware research, reverse engineering, penetration testing, digital forensics, and incident response

(CVE-2020-8842)

Introduction

MSI TrueColor utility comes as a pre-installed utility program on MSI gaming laptops that is used widely around the world and can also be freely downloaded from the official MSI website.

An attacker can exploit this vulnerability during the post-exploitation phase to achieve privilege escalation and persistence,

by using the technique of implanting an arbitrary unsigned executable which is executed by a signed service that runs with the NT AUTHORITY\SYSTEM privileges on the victim machine.

Gain Insider Knowledge

Subscribe to updates from the TrainSec trainers

The Vulnerability

In the Windows operating system, a service is susceptible to “Unquoted Service Path” vulnerability if the executable path is not wrapped with quotation marks. In this case, the Windows service dubbed as “MSITrueColorService” is executed with the “CreateProcessAsUserA” Windows API function as can be seen below:

image1 3

The “CreateProcessAsUserA” Windows API function receives several parameters such as the “lpApplicationName” parameter that has a value of the module/file name or the full path to the module/file, and in this case, with no quotation marks which leads to this vulnerability.

To exploit such vulnerability, an attacker needs to drop a file that will be executed after a computer or service is restarted, either through an administrative account or by abusing a service path followed by insufficient permissions so that any weak user with a “W” (write) permission, for instance, can write to this path without the need of an administrative account. Below you can see Microsoft’s explanation of the “lpApplicationName” parameter:

image3 2

And here below you can see that when the “MSITrueColorService” is executed, it runs as NT AUTHORITY\SYSTEM:

image2 2

Just to note, such techniques can and are implemented in different kinds of malware. By using malware analysis, we can analyze and dissect malware with such techniques and of course, such techniques are implemented as part of malware development processes by attackers and red teamers alike.

Proof of Concept

The following proof of concept video demonstrates the vulnerability and the exploitation process:

Disclosure Timeline

Feb 10th, 2020 – Vulnerability reported to MITRE

Mar 2nd, 2020 – Initial response from MSI Headquarters. 

Mar 20th, 2020 – Issued CVE-2020-8842

blue depth

About the author

Uriel Kosayev
Cybersecurity researcher and red teamer who lives both on the offensive and defensive fronts. The author of the “Antivirus Bypass Techniques” book, expert in malware research, reverse engineering, penetration testing, digital forensics, and incident response
All corses and publications

Useful Resources

Join our Discord community
Pavel’s GitHub
Pavel’s Books
Uriel’s GitHub
Antivirus Bypass Techniques Book

Learning Paths

Windows Master Developer
Windows Internals Master
Windows Security Researcher
Hardware Hacking Expert

Let's Connect

Contact Us

@2024 TrainSec. All rights reserved. Terms of Use | Privacy Policy

Black Friday & Cyber Monday Sale Started!

For a limited time, enjoy 25% off ALL available courses for the next month. Whether you’re looking to sharpen your skills or explore new areas of cybersecurity, now’s the perfect time to invest in your growth.

Use code BFRIDAY24 at checkout to claim your discount.

*Excluding bundles and monthly plans.  
Go to course library