MSI Center flaw let any logged-in user run code as SYSTEM in seconds
A security researcher decompiled MSI Center, the management suite preinstalled on MSI laptops and pre-built desktops, and found a privilege-escalation flaw in its 'Notebook Foundation' service. On boot the service opens a named pipe (MSI_SERVICE_2) whose ACL grants any authenticated user access. Over that pipe it exposes commands to read, write and delete registry keys, to alter WMI settings including Windows Defender exclusions, and, most damaging, to run or kill arbitrary executables as LocalSystem. Any non-admin user, or malware running in that user's session, could use it to disable Defender or take full control of the machine.
Instead of real access control, MSI relied on obscurity: a custom protocol that requires each message to be 3DES-encrypted, with the key derived from the caller's registered client name. Since the service simply tries decryption under every registered name until one succeeds, possession of a name proves nothing about the caller, and the researcher's proof of concept just registered a random name, encrypted a REXE command to launch cmd.exe under it, and got a SYSTEM shell. Because named pipes are also reachable over SMB, the same exploit works remotely against a machine on the LAN, giving RCE, though it still needs valid credentials for the target since the pipe only answers authenticated users.
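The following is an added model of the design flaw described above, written for this page; it is not the researcher's proof of concept or MSI's code. It replaces 3DES with a SHA-256 counter-mode XOR stream (the cipher is not the bug, the key selection is), and the MAGIC framing, the command grammar and the caller_is_admin flag (a stand-in for checking the pipe client's token) are assumptions. The vulnerable class reproduces the brute-force-over-registered-names behaviour; the hardened class shows authorisation decided from caller identity instead.

```python
import hashlib
import secrets

# Constructed framing so the service can tell a correct decrypt from garbage.
# Assumption: the real protocol's success check is not described on the page.
MAGIC = b"MSIP"
PIPE_NAME = r"\\.\pipe\MSI_SERVICE_2"  # named on the page; not opened here


def _keystream(key: bytes, n: int) -> bytes:
    """Stand-in for 3DES: SHA-256 in counter mode, keyed by the client name."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def encrypt(client_name: str, plaintext: bytes) -> bytes:
    """Encrypt under the key derived from the caller's registered name."""
    ks = _keystream(client_name.encode(), len(plaintext))
    return bytes(a ^ b for a, b in zip(plaintext, ks))


decrypt = encrypt  # XOR stream: the same operation both ways


def frame(command: str) -> bytes:
    return MAGIC + command.encode()


class VulnerableService:
    """Flawed design: any caller may register any name, and the service
    brute-forces decryption over every registered name, so a successful
    decrypt proves only that the sender chose one of those names."""

    def __init__(self):
        self.clients = []
        self.executed = []  # in the real service: CreateProcess as SYSTEM

    def register(self, name: str) -> None:
        if name not in self.clients:
            self.clients.append(name)

    def _dispatch(self, command: str) -> str:
        if command.startswith("REXE "):      # verb named on the page
            self.executed.append(command[5:])
            return "ok"
        return "unknown-command"

    def handle(self, ciphertext: bytes, caller_is_admin: bool = False) -> str:
        for name in self.clients:            # try every registered name
            plaintext = decrypt(name, ciphertext)
            if plaintext.startswith(MAGIC):
                return self._dispatch(plaintext[len(MAGIC):].decode("utf-8", "replace"))
        return "rejected"


class HardenedService(VulnerableService):
    """Authorisation comes from who is on the other end of the pipe, not from
    knowing a name. caller_is_admin stands in for impersonating the pipe
    client and checking its token against the Administrators SID; the pipe's
    DACL should also stop non-admins from connecting at all."""

    def handle(self, ciphertext: bytes, caller_is_admin: bool = False) -> str:
        if not caller_is_admin:
            return "access-denied"
        return super().handle(ciphertext, caller_is_admin)


def exploit(service, caller_is_admin: bool = False) -> str:
    """The proof-of-concept flow: register a random name, send REXE under it."""
    name = secrets.token_hex(8)
    service.register(name)
    return service.handle(encrypt(name, frame("REXE cmd.exe")), caller_is_admin)


if __name__ == "__main__":
    v = VulnerableService()
    print("vulnerable:", exploit(v), v.executed)
    h = HardenedService()
    print("hardened, non-admin caller:", exploit(h), h.executed)
```

The point of the model is the loop in `VulnerableService.handle`: whatever cipher sits inside it, a key that the caller both chooses and registers is a label, not a credential, so the only check that matters is the one `HardenedService` makes on the caller's identity.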
The disclosure process was rocky at the edges but ultimately worked. MSI’s PSIRT mailbox was full and bouncing reports — meaning other researchers’ submissions were likely dropped too — and the reporter had to route through Gamers Nexus to reach a human, only to find the original email had gotten through anyway. Once connected, MSI patched within two days and shipped the fix in MSI Center 2.0.70.0. Notably, MSI couldn’t issue its own CVE (a request is still pending at VulDB), and the researcher notes that across all the vendors he’s reported to — Google, ASUS, AMD, MSI and others — he has been paid $0 in bounties.
This is an AI-generated summary of an article posted to Hacker News; read the original for the full story.