Was NOT expecting a happy ending.
I don't know if the part of MSI Center with the pipe vulnerability is automatically installed on desktops but this is the terribly written software that you need to turn off all the obnoxious lights on your MB and DRAM.
It left me thinking maybe the patch introduced a different vulnerability that’s still under an embargo :)
As my work develop is focused on macOS and Windows apps, I need a Windows laptop and got a light Prestige 13 inch with 32GB and 125H.
It did the trick, but I had years of not understanding how the throttling works. Sometimes if I was using AC and battery was lower than 90% I had CPU throttled at 800Mhz or even 400Mhz never going over 1Ghz. it drove me nuts and my fiddling with MSI Center was always unexpected. I had some strange steps to like connect/disconnect charger, change MSI Center performance settings. none was reliable. (even with Windows Power Settings all the way to max)
Eventually I've found on a reddit thread this (strangely hidden) uninstaller: https://www.msi.com/faq/9934 https://download.msi.com/uti_exe/nb/CleanCenterMaster.zip
Leaving the throttling and fan to Microsoft + Intel seems to do much better work. I no longer look at the task manager for CPU frequency. it just works.
So I have no clue what are the advantages of MSI Center in the first place (maybe bios updating?)
Why bother reporting to them ?
You could just as well sell it to third parties if it doesn't interest them.
It was formally deprecated in 2018 and has been surpassed in just about every single way by AES long before that.
At this point I feel like it's use is such a huge red flag
If your only goal is to stop users from doing what they want on the hardware they own, you are everything that is wrong with the "security" industry today.
Eh
Shrug.emoji
Not sure this is that happy of an ending. I wish there was more information why - is the payout process too cumbersome and why is this person continuing to provide uncompensated value to these companies?
I'm really happy with my absolutely no RGB, AIO controlled with a pump header boring PC.
You should reverse engineer it and write a free software replacement!
I did this for my Clevo laptop's keyboard LEDs:
https://github.com/matheusmoreira/ite-829x
Still one of my most satisfying projects and I use it to this day. These manufacturer apps are so bad. Clevo control center would take over a minute to display a window on screen, it was so aggravating. My replacement program works instantly and is scriptable.
The LED control was implemented over USB. Reversed it by capturing packets with wireshark and replaying them using libusb. MSI probably used ACPI/WMI for this which is much more annoying to work with. I gave up on reversing my laptop's ACPI/WMI features years ago but now that I've got AI I'm trying again, it's been a huge help.
> including ones without local admin
I don’t know anything about windows, but it looks like a local privilege escalation.
msix is just a different beast entirely too.
I live on .NET/C++ universe in regards to Windows development, so it might be it isn't as nice for not blessed stacks.
Oh, and of course it's so bad, that if you once uninstalled it, you need a special cleanup software which may or may not work, but most likely you're done and can't install instgain.
All to set the charging level which, say, Framework exposes in BIOS.
I know there are some Linux-based ways that are supposed to safely write the threshold to EC, but none worked in my case (reasonably new model, supported by every piece of Linux-based software I checked), and one of them flipped the VMD Controller support on, which makes my nvmes invisible to the installed OS.
Awful, terrible piece of software.
But DES is so broken that it's more of a giant flashing beacon saying "look here there are terrible decisions being made!"
This does not inspire confidence. I'm assuming the pipe exists so that some GUI process running as the current user can perform privileged actions since the other end of the pipe runs as SYSTEM. At this point, just inject a thread into that GUI process and send the command - the service will think it is coming from MSI software, because it is.
The "only invoke MSI signed executables" mitigation is a good one, but if these two things are all they have done, while leaving the "arbitrary registry write" primitive in, then this is still 100% vulnerable to local privilege escalation.
Very good article, thank you!
companies should be better and if not, criminally liable for their bad code.
The author got around a similar mitigation in their exploit for ASUS DriverHub (linked in the original article).
Can you or someone else expand on that?
does this also apply to individual developers?
should Linux Torvalds or the ffmpeg developers go to jail if they merge a RCE zero-day into the Linux kernel or into ffmpeg?
if you cannot differentiate the 2, :insert rude thing here:
glad you are consistent in your beliefs
After finding severe vulnerabilities in both AMD’s and ASUS’s OEM software, I wanted to expand my horizons by finding issues in more gaming products.
I ended up settling on MSI Center, because it seems to come preinstalled on all of their laptops and pre-built desktops, meaning any vulnerability I found would likely have widespread implications.
The first step in this process is to always download the offline installer.
A lot of these companies either block the installer from running on unsupported hardware or only allow for the installation of a small selection of their software.
Once you have a copy of the offline installer, you need to run it through Detect-It-Easy and pray. If you get lucky, it might just tell you what software is being used to package MSI Center.
In our case, we got lucky, and it told us that MSI Center is packaged using something called Inno Setup.

There is a tool made specifically for this situation called innoextract.

After extracting the installer and the .appxbundle contained within (it’s just a .zip file), it was time to decompile the executables.
There were a total of 170 executables (including DLLs), with the majority of them being written using C#. For them, I made a bash script to decompile all of them using ilspycmd.
find . ( -name "*.exe" -o -name "*.dll" ) -exec file {} + | grep Mono | wc -l
find . ( -name "*.exe" -o -name "*.dll" ) -exec file {} + | grep -v Mono | wc -l
For the remainder that were written in C++, I chose the top ~10 most interesting files and threw them into IDA and then exported their complete decompilation as a .c file.
After doing all that, I had come to the conclusion that there were simply way too many files to be able to look at each one individually. Instead, I had to just search for common weaknesses and hope I would find something.
One of the things I grepped for was CreateNamedPipe. (A named pipe is a way for different processes on your computer to communicate with each other.)
MSI’s ‘Notebook Foundation’ service spawns a named pipe on boot that any authenticated user can interact with.
CreateNativePipeSecurity("D:(A;OICI;GRGW;;;AU)(A;OICI;GA;;;BA)");
CreateNamedPipe("\\\\.\\pipe\\MSI_SERVICE_2", PIPE_ACCESS_DUPLEX);
It provides the following commands that can be triggered:
LocalSystem (highest privileges).LocalSystem.LocalSystem).As you might have guessed, these are incredibly dangerous tools to be exposing to any authorised user (including ones without local admin).
They could be abused by malware to disable Windows Defender or gain system-level privileges.
Historically, MSI has primarily relied on security by obscurity to protect against exploitation. They created a custom protocol for communicating with the pipe and required all messages to be encrypted using 3DES (an outdated and insecure cipher by today’s standards).
MSI_SERVICE_2 named pipe.PC:REXE command using 3DES and use the client name as the key.LocalSystem.For the Proof of Concept I created, I only made it launch cmd.exe to show it can be used to escalate privileges. However, malware would likely run an arbitrary PowerShell command or script.
Your browser does not support the video lmao
I recently discovered that this exploit can also be triggered remotely via SMB on a LAN, resulting in Remote Code Execution (RCE). However, because the named pipe only responds to authenticated users, successful exploitation requires valid login credentials for the target machine.
When I sent a report of this vulnerability to MSI via their PSIRT email, I received a concerning response:
Remote Server returned '554 5.2.2 mailbox full; STOREDRV.Deliver.Exception: QuotaExceededException.MapiExceptionShutoffQuotaExceeded;'
What this basically meant was that the mailbox for receiving vulnerability reports was full and was refusing to accept any additional emails.
Not only had it refused to accept my vulnerability report, but it had likely been this way for an unknown period of time and had dropped other people’s vulnerability reports too, not just mine.
Because of this concerning development, I started reaching out to my contacts to find an MSI employee who could help remedy the situation.
In the end, Steve Burke, who runs Gamers Nexus, helped me get in touch with an employee from MSI. However, it turned out that all that effort was in vain as my report had actually managed to reach MSI after all, despite their mail servers giving the exact opposite impression.
After this minor hiccup, the experience with MSI was actually quite pleasant. They prepared a patch for the vulnerability within two days of me reporting it and told me which MSI Center release it was to be bundled with, and when they planned to release the new version.
Unfortunately, MSI did not have the ability to issue a CVE for this, so they suggested I request one via MITRE or a third-party CNA.
As of writing, it has been about a month, and my submission is still in review by VulDB. They state that due to a large amount of new submissions, the wait time is ~4 weeks, so hopefully the review will conclude shortly.
So far, for the vulnerabilities I have reported to Google, ASUS, AMD, TP-Link, Netgear, MSI (and more), they have paid out a total of $0 in bug bounties.
If you found this article interesting or useful, you can buy me a coffee via my Ko-fi: https://ko-fi.com/mrbruhh