- CVE-2022-34109
  - Affected Product and Version: Feature Navigator version 1.0.1808.0901
  - Problem Type: Arbitrary File Copy
  - Description: An issue in Micro-Star International MSI Feature Navigator v1.0.1808.0901 allows attackers to write and copy arbitrary files to the directory \PromoPhoto\, regardless of file type or size.
- CVE-2022-34110
  - Affected Product and Version: Feature Navigator version 1.0.1808.0901
  - Problem Type: Arbitrary File Download
  - Description: An issue in Micro-Star International MSI Feature Navigator v1.0.1808.0901 allows attackers to download arbitrary files from external hosts regardless of file type or size.
- CVE-2022-34108
  - Affected Product and Version: Feature Navigator version 1.0.1808.0901
  - Problem Type: Denial of Service (DoS)
  - Description: An issue in the Feature Navigator of Micro-Star International MSI Feature Navigator v1.0.1808.0901 allows attackers to cause a Denial of Service (DoS) via a specially crafted image or video file.
So here are the last three pending vulnerabilities I found! However, please note that CVE-2022-34109 and CVE-2022-34110 were found thanks to teamwork with my co-worker at nVisium, Bruno Hernández (GitHub and LinkedIn).
I’ve been sitting on the Denial of Service (DoS) [CVE-2022-34108] for years though. I’ve reached out to MSI about these issues but never heard back.
If you’ve ever gone to a store like Best Buy and looked at the laptops sold, you’ll notice that most of them have this preview software running that shows the specifications, maybe a video or two or whatever.
Well, following my advice from this POST years ago, I started to look at what was installed by default on my new gaming laptop. That’s where I stumbled into the Feature Navigator software.

As I started to click around I didn’t see much to chew on; however, in the top right there is a settings icon.
Clicking that leads to a Settings menu containing two tabs: System and Media.
You can set Password Protection to close the application (which I’m looking into messing more with), set the application to automatically open, check for software updates (which I believe I never have) and a few other options.
The second tab, however, is Media. This is where you can set video volume AND, most importantly, add Promotion Pictures and Videos.

This is where all three CVEs were found.
Let’s start with the two basic ones.
If you click the Browse button under Video, it opens a file explorer window to select a filename with no restrictions. That means any type of video (or non-video) file can be selected. We found that if you put in a URL, it will download any file to the AppData\Local\Microsoft\Windows\NetCache\* directory. This is a great way to transfer files to the host if it’s compromised and locked down.

Alternatively, under Promotion, if you hit the + button, a file explorer window opens which is limited to certain filetypes: jpg, png and bmp. Pretty standard stuff. However, you can just paste any URL/direct path on the computer to copy a file. Note that the direct path will cause a stack trace, and if you try to click the settings button it will crash and not reopen (DoS!) until you delete the file.

Now hit the Open button.
A stack trace will appear saying “no imaging component suitable to complete this operation was found”.

Now if you navigate to where this application lives and is supposed to store its images/videos (C:\Program Files (x86)\MSI\MSI Feature Navigator\PromoPhoto\) you’ll see a new exe there!

Sweet! These are CVE-2022-34109 and CVE-2022-34110.
The second example does include a form of the DoS I mentioned; however, I found an easier way.
The other way is just to try to add a file with the png/jpg/bmp extension and an RTLO name like THIS one from Treehouse Wordlists, which will result in the application crashing and refusing to reopen until the file is deleted from the C:\Program Files (x86)\MSI\MSI Feature Navigator\PromoPhoto\ directory. This again results in a DoS, which was assigned CVE-2022-34108.
END TRANSMISSION
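The checks the Promotion picker's extension filter did not enforce can be run after the fact over the PromoPhoto directory. The following is an added example, not code from the original post or from MSI: it flags files whose content does not match a jpg/png/bmp header and names containing bidirectional control characters such as RTLO. The function names and sample files are hypothetical and constructed for illustration.

```python
import os
import tempfile

# Leading bytes of the three formats the Promotion picker claims to accept.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".bmp": (b"BM",),
}
# Unicode bidirectional controls, including RTLO (U+202E), that can disguise a name.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")


def audit_promo_dir(directory):
    """Return sorted (filename, reason) findings for files that are not what they claim."""
    findings = []
    for entry in (e for e in os.scandir(directory) if e.is_file()):
        name = entry.name
        if any(ch in BIDI_CONTROLS for ch in name):
            findings.append((name, "bidi control character in name"))
        ext = os.path.splitext(name)[1].lower()
        if ext not in MAGIC:
            findings.append((name, "extension not jpg/png/bmp"))
            continue
        with open(entry.path, "rb") as fh:
            head = fh.read(8)  # only the header is needed, whatever the file size
        if not head.startswith(MAGIC[ext]):
            findings.append((name, "content does not match extension"))
    return sorted(findings)


def build_sample_dir():
    """Constructed sample data: one valid PNG header plus three suspicious files."""
    root = tempfile.mkdtemp(prefix="promophoto_")
    samples = {
        "banner.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "tool.exe": b"MZ" + b"\x00" * 16,
        "fake.jpg": b"MZ" + b"\x00" * 16,
        "promo\u202egnp.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for name, reason in audit_promo_dir(build_sample_dir()):
        print(f"{name!r}: {reason}")
```

On a real host, pass the PromoPhoto path quoted in the post to `audit_promo_dir` instead of the constructed sample directory.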