Nahimic APO Software Component Driver (Deployed with MSI Computers) - DLL Search-Order Hijacking and Potential Abuses (CVE-2019-19115)
SafeBreach Labs discovered a new vulnerability in the Nahimic APO Software Component Driver for Windows which is pre-installed on MSI computers.
In this post, we describe the vulnerability we found in the Nahimic APO Software Component Driver and demonstrate how this vulnerability could be used in order to achieve persistence and in some cases privilege escalation and defense evasion by loading an arbitrary unsigned DLL into a service that runs as NT AUTHORITY\SYSTEM.
We then demonstrate how this vulnerability can be exploited to achieve privilege escalation, gaining access with NT AUTHORITY\SYSTEM level privileges.
Nahimic APO is the software component which controls the sound card of the computer.
The software is pre-installed on MSI computers.
In our initial exploration of the software, we targeted the NahimicService.exe process.
We chose this service for the following reasons:
In our exploration, we found that this service was started as a signed process and executed as NT AUTHORITY\SYSTEM.
Once executed, we noticed an interesting behavior:
As you can see, the services were trying to load a missing DLL (NahimicPnPAPO4ConfiguratorDaemonModule.dll) file from different directories within the PATH environment variable.
On our computer, Python 2.7 is installed. The c:\python27 has an ACL which allows any authenticated user to write files onto the ACL. This makes privilege escalation simple, allowing a regular user to write the missing DLL file and achieve code execution as NT AUTHORITY\SYSTEM.
It is important to note that an administrative user or process must (1) set the directory ACLs to allow access to non-admin user accounts and (2) modify the system’s PATH variable to include that directory. This can be done by different applications.
In order to test this privilege escalation vulnerability, we compiled an unsigned DLL which writes the following to the filename of a txt file once the DLL is loaded:
We were able to load an arbitrary DLL as a regular user and execute our code within a process which is signed by Nahimic as NT AUTHORITY\SYSTEM.
Once the NahimicService.exe file executes, it tries to load the NahimicPnPAPO4ConfiguratorDaemonModule.dll library using LoadLibraryW:
There are two root causes for this vulnerability:
Below we show three possible ways that an attacker can leverage the CVE-2019-19115 vulnerability we discovered and documented above.
The vulnerability gives attackers the ability to load and execute malicious payloads using a signed service. This ability might be abused by an attacker, for example to achieve Application Whitelisting Bypass for purposes such as execution and evasion.
The vulnerability gives attackers the ability to load and execute malicious payloads in a persistent way, each time the service is loaded. That means that once the attacker drops a malicious DLL in a vulnerable path, the service will load the malicious code each time it is restarted.
After attackers gain access to a computer, they may have limited privileges which can limit access to certain files and data. The service provides them with the ability to operate as NT AUTHORITY\SYSTEM which is the most powerful user in Windows, so they can access almost every file and process which belongs to the user on the computer.
The following versions of Nahimic APO Software Component Driver are affected:
Oct 22nd, 2019 - SafeBreach reported the vulnerability to USUserSupport@msi.com.
Nov 5th, 2019 - UK MSI asked SafeBreach to open a ticket on MSI’s support website.
Nov 5th, 2019 - SafeBreach opened a support ticket on MSI’s website.
Nov 7th, 2019 - MSI communicated with A-Volute and asked them to confirm the vulnerability.
Nov 13th, 2019 - Nahimic contacted SafeBreach and said that they are currently working on the issue.
Nov 20th, 2019 - Nahimic provided SafeBreach with a status update.
Dec 5th, 2019 - Nahimic issued CVE-2019-19115 and also provided a list of affected software and versions.
Dec 16th, 2019 - Nahimic sent a new driver to Microsoft (to be rolled out using Windows Update). This phase can take 30 days to complete (until it will be approved and deployed by Microsoft.) The estimated date of public disclosure is January 20th, 2020.
Jan 3rd, 2020 - Status update from Nahimic