CVE-2024-37726: MSI Center Flaw Exposes Windows Systems to Privilege Escalation Attacks
Recently, a critical local privilege escalation vulnerability has been identified in MSI Center, a popular system management application for Windows OS. Tracked as CVE-2024-37726, this vulnerability affects all versions of MSI Center up to and including 2.0.36.0, posing a substantial risk to system integrity and security.
How the Attack Works
The vulnerability allows a low-privileged user to arbitrarily overwrite or delete high-privileged and critical files on a system. The flaw arises because the MSI Center application runs with NT AUTHORITY\SYSTEM privileges yet writes files into directories controlled by low-privileged users. This misconfiguration lets a local attacker use symbolic links (symlinks) or junctions to trick the application into writing or overwriting files in arbitrary locations.
The exploitation process begins when a low-privileged user creates a directory and sets an opportunistic lock (OpLock) on a file within that directory. By using the “Export System Info” function in MSI Center, the user triggers a file write operation on the OpLocked file. While the write is held up by the OpLock, the user moves the original file out of the way and creates a junction pointing at a target file. Consequently, MSI Center, operating with SYSTEM privileges, is duped into overwriting or deleting the target file, effectively escalating the user’s privileges.
Successful exploitation of CVE-2024-37726 enables a low-privileged user to gain control over critical system files, potentially leading to a complete system compromise. This vulnerability could allow attackers to escalate their privileges, execute malicious code, and perform a variety of disruptive actions, severely undermining system security.
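The root cause is a general bug class: a SYSTEM-level service writing into a location a low-privileged user controls, and following junctions on the way there. As an added illustration (not code from MSI or from the advisory), the PowerShell function below shows the check a developer or auditor of such a service would want before a privileged write: it refuses any path that crosses a reparse point and any output directory where a principal outside a deliberately strict allowlist holds write or delete rights. The function name and the sample paths are assumptions constructed for this example.

```powershell
# Added example (not MSI's code): a defensive check for the bug class behind CVE-2024-37726.
# A SYSTEM-level process should never write into a directory a low-privileged user can
# modify, and it should never follow a junction or symlink on the way to its output file.
# Test-SafeExportPath returns $true only when both conditions hold for $Path.
function Test-SafeExportPath {
    param([Parameter(Mandatory)][string]$Path)

    $full = [System.IO.Path]::GetFullPath($Path)
    $dir  = Split-Path -Path $full -Parent

    # 1. Walk every directory component: a reparse point anywhere on the path lets a
    #    user redirect the write elsewhere (the junction trick described above).
    $current = $dir
    while ($current) {
        $item = Get-Item -LiteralPath $current -Force -ErrorAction SilentlyContinue
        if ($item -and (($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0)) {
            Write-Warning "Reparse point on the write path: $current"
            return $false
        }
        $parent = Split-Path -Path $current -Parent
        if ($parent -eq $current) { break }
        $current = $parent
    }

    # 2. Only fully trusted principals may create, delete or rename entries in the output
    #    directory; any other Allow ACE with such rights makes the OpLock-and-move race possible.
    $trusted   = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                   'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')
    $dangerous = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete -bor
                       [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles)
    $dangerous = $dangerous -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL
    $acl = Get-Acl -LiteralPath $dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($trusted -notcontains $ace.IdentityReference.Value) -and
            (([int]$ace.FileSystemRights -band $dangerous) -ne 0)) {
            Write-Warning "$($ace.IdentityReference) can modify $dir"
            return $false
        }
    }
    return $true
}

# Constructed sample paths: the first is writable by the calling user, so the export
# must be refused; the second sits under System32, where standard users cannot write.
Test-SafeExportPath -Path (Join-Path $env:USERPROFILE 'Documents\sysinfo.txt')
Test-SafeExportPath -Path (Join-Path $env:SystemRoot 'System32\sysinfo.txt')
```

The allowlist is intentionally narrow; a real service would also create its output directory itself under a SYSTEM-owned root rather than accept a user-supplied location at all.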
Mitigation and Patch
In response to this alarming discovery, MSI has released a new version of MSI Center (2.0.38.0), which addresses and fixes this vulnerability. Users are strongly advised to update their MSI Center application to the latest version to mitigate the risk posed by this security flaw.
Proof-of-Concept
Adding to the urgency, security researcher carsonchan12345 has published proof-of-concept (PoC) exploit code for CVE-2024-37726. This publicly available exploit demonstrates the feasibility of the attack, highlighting the critical need for users to apply the patch without delay.