January 20th, 2020

Peleg Hadar

Security Researcher, SafeBreach Labs

Introduction

SafeBreach Labs discovered a new vulnerability in the Nahimic APO Software Component Driver for Windows which is pre-installed on MSI computers.

In this post, we describe the vulnerability we found in the Nahimic APO Software Component Driver and demonstrate how this vulnerability could be used in order to achieve persistence and in some cases privilege escalation and defense evasion by loading an arbitrary unsigned DLL into a service that runs as NT AUTHORITY\SYSTEM.

We then demonstrate how this vulnerability can be exploited to achieve privilege escalation, gaining access with NT AUTHORITY\SYSTEM level privileges.

Nahimic APO Software Component Driver

Nahimic APO is the software component which controls the sound card of the computer.

The software is pre-installed on MSI computers.

Discovery

In our initial exploration of the software, we targeted the NahimicService.exe process.

We chose this service for the following reasons:

• It is pre-installed on MSI computers, which means that a vulnerability in this kind of service may have a lot of impact on a lot of users.

• It runs as NT AUTHORITY\SYSTEM - the most privileged user account. This kind of service might be exposed to a user-to-SYSTEM privilege escalation, which is very powerful and useful to an attacker.
• The executable of the service is signed by “Nahimic” and if the attacker finds a way to execute code within this process, it can be used as an application whitelisting bypass which can lead to security product evasion.
• This service automatically starts once the computer boots, which means that it’s a potential target for an attacker to be used as a persistence mechanism.

In our exploration, we found that this service was started as a signed process and executed as NT AUTHORITY\SYSTEM.

Once executed, we noticed an interesting behavior:

As you can see, the services were trying to load a missing DLL (NahimicPnPAPO4ConfiguratorDaemonModule.dll) file from different directories within the PATH environment variable.

PoC Demonstration

On our computer, Python 2.7 is installed. The c:\python27 has an ACL which allows any authenticated user to write files onto the ACL. This makes privilege escalation simple, allowing a regular user to write the missing DLL file and achieve code execution as NT AUTHORITY\SYSTEM.

It is important to note that an administrative user or process must (1) set the directory ACLs to allow access to non-admin user accounts and (2) modify the system’s PATH variable to include that directory. This can be done by different applications.

In order to test this privilege escalation vulnerability, we compiled an unsigned DLL which writes the following to the filename of a txt file once the DLL is loaded:

• The name of the process which loaded it
• The username which executed it
• The name of the DLL file

We were able to load an arbitrary DLL as a regular user and execute our code within a process which is signed by Nahimic as NT AUTHORITY\SYSTEM.

Root Cause Analysis

Once the NahimicService.exe file executes, it tries to load the NahimicPnPAPO4ConfiguratorDaemonModule.dll library using LoadLibraryW:

There are two root causes for this vulnerability:

• The lack of safe DLL loading due to having an uncontrolled search path - In this case, it is necessary to use the SetDefaultDllDirectories / LoadLibraryExW functions in order to control the paths from which a DLL can be loaded within the scope of the executable.
• No digital signature validation is made against the binary. The program does not validate whether the DLL that it is loading is signed (for example, using the WinVerifyTrust function). Therefore, it can load an arbitrary unsigned DLL.

Potential Malicious Uses and Impact

Below we show three possible ways that an attacker can leverage the CVE-2019-19115 vulnerability we discovered and documented above.

Signed Execution, Whitelisting Bypass, and Defense Evasion

The vulnerability gives attackers the ability to load and execute malicious payloads using a signed service. This ability might be abused by an attacker, for example to achieve Application Whitelisting Bypass for purposes such as execution and evasion.

Persistence Mechanism

The vulnerability gives attackers the ability to load and execute malicious payloads in a persistent way, each time the service is loaded. That means that once the attacker drops a malicious DLL in a vulnerable path, the service will load the malicious code each time it is restarted.

Privilege Escalation

After attackers gain access to a computer, they may have limited privileges which can limit access to certain files and data. The service provides them with the ability to operate as NT AUTHORITY\SYSTEM which is the most powerful user in Windows, so they can access almost every file and process which belongs to the user on the computer.

Affected Products

The following versions of Nahimic APO Software Component Driver are affected:

• 1.4.2
• 1.5.0
• 1.5.1
• 1.6.1
• 1.6.2

Timeline

Oct 22nd, 2019 - SafeBreach reported the vulnerability to USUserSupport@msi.com.

Nov 5th, 2019 - Reported the vulnerability to MSI’s UK, US and Taiwan support teams (usrma@msi.com, uksupport@msi.com, twccservice@msi.com).

Nov 5th, 2019 - UK MSI asked SafeBreach to open a ticket on MSI’s support website.

Nov 5th, 2019 - SafeBreach opened a support ticket on MSI’s website.

Nov 7th, 2019 - MSI communicated with A-Volute and asked them to confirm the vulnerability.

Nov 13th, 2019 - Nahimic contacted SafeBreach and said that they are currently working on the issue.

Nov 20th, 2019 - Nahimic provided SafeBreach with a status update.

Dec 5th, 2019 - Nahimic issued CVE-2019-19115 and also provided a list of affected software and versions.

Dec 16th, 2019 - Nahimic sent a new driver to Microsoft (to be rolled out using Windows Update). This phase can take 30 days to complete (until it will be approved and deployed by Microsoft.) The estimated date of public disclosure is January 20th, 2020.

Jan 3rd, 2020 - Status update from Nahimic

References