Writable File in Lenovo Path Lets Attackers Evade AppLocker Restrictions

A security researcher has uncovered a significant vulnerability affecting Lenovo computers: a writable file within the Windows directory that can be exploited to bypass AppLocker restrictions.

The file in question, C:\Windows\MFGSTAT.zip, is present on many Lenovo machines that ship with the manufacturer’s default Windows image.

This issue, initially thought to affect only a handful of devices, has now been confirmed across a wide range of Lenovo models.

The Technical Issue

The vulnerability centers on the file permissions of MFGSTAT.zip. Using access control checking tools, it was discovered that any authenticated user on the system could write to this file.

A review of the file’s Access Control Lists (ACLs) in Windows Explorer confirmed that standard users have both write and execute permissions.

This is problematic because, under default AppLocker rules, any executable within the C:\Windows directory is allowed to run. As a result, the writable MFGSTAT.zip file becomes a potential vector for attackers to evade AppLocker’s application whitelisting.

Exploitation Method

To exploit this vulnerability, an attacker does not need to overwrite the zip file directly. Instead, they can leverage Windows’ alternate data streams (ADS) feature.

By adding a malicious binary as an alternate data stream to MFGSTAT.zip, an attacker can execute arbitrary code. For example, the following command adds an executable to the ADS:

type c:\temp\autoruns.exe > c:\windows\mfgstat.zip:this

The attacker can then execute the payload using a legitimate Windows utility, such as appvlp.exe from Microsoft Office:

"C:\Program Files (x86)\Microsoft Office\root\Client\appvlp.exe" c:\Windows\mfgstat.zip:this

This technique allows the attacker to run unauthorized code, effectively bypassing AppLocker’s restrictions.

Upon being notified, Lenovo’s Product Security Incident Response Team (PSIRT) acknowledged the issue but opted not to release a patch.

Instead, Lenovo published guidance recommending the removal of the vulnerable file. The company provided several methods for deletion:

  • PowerShell:
    Remove-Item -Path "C:\Windows\MFGSTAT.zip" -Force
  • Command Prompt:
    del /A:H C:\Windows\MFGSTAT.zip
  • Windows File Explorer:
    Navigate to C:\Windows, show hidden items, right-click MFGSTAT.zip, and select "Delete".
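The following PowerShell script is an added example, not part of the article or of Lenovo’s advisory. It audits the file described above for the two conditions the article names (write access for low-privileged principals and the presence of alternate data streams, which would indicate the file has already been used as a payload carrier) and then applies Lenovo’s recommended remediation. The function name is this example’s own; it assumes an elevated shell on a machine with the Lenovo preload.

```powershell
# Added example: audit and remediate C:\Windows\MFGSTAT.zip (see article above).
$Path = 'C:\Windows\MFGSTAT.zip'

function Test-MfgstatExposure {
    param([string]$FilePath = $Path)

    if (-not (Test-Path -LiteralPath $FilePath)) {
        Write-Output "Not present: $FilePath"
        return $false
    }

    # Principals that should never hold write rights on anything under C:\Windows.
    $lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Modify -bor
                       [System.Security.AccessControl.FileSystemRights]::FullControl)

    # Report Allow ACEs that grant any write-class right to a low-privileged principal.
    $acl  = Get-Acl -LiteralPath $FilePath
    $weak = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        (([int]($_.FileSystemRights) -band $writeMask) -ne 0)
    }
    foreach ($ace in $weak) {
        Write-Output ("Writable by {0}: {1}" -f $ace.IdentityReference, $ace.FileSystemRights)
    }

    # Any stream other than the default ':$DATA' stream is an alternate data stream.
    $streams = Get-Item -LiteralPath $FilePath -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' }
    foreach ($s in $streams) {
        Write-Output ("Alternate data stream found: {0} ({1} bytes)" -f $s.Stream, $s.Length)
    }

    return [bool]($weak -or $streams)
}

if (Test-MfgstatExposure) {
    # Lenovo's remediation: delete the file. It is hidden, hence -Force.
    Remove-Item -LiteralPath $Path -Force
    Write-Output "Removed $Path"
}
```

The ADS check also works as a quick triage step on a machine where the file has not yet been removed: a non-default stream on a vendor-preloaded archive has no legitimate reason to exist.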

Lenovo noted that organizations deploying their own Windows images are not affected, as the file is specific to the preloaded Lenovo operating system.

This discovery highlights the importance of scrutinizing default file permissions, especially in system directories.

While Lenovo’s guidance mitigates the risk, the incident serves as a reminder that even minor oversights in system configuration can have significant security consequences.

Lenovo has credited the researcher for responsibly disclosing the issue and encourages all users of affected systems to remove the file promptly.
