Writable File in Lenovo’s Windows Directory Enables a Stealthy AppLocker Bypass


A significant security vulnerability has been discovered in Lenovo’s preloaded Windows operating systems, where a writable file in the Windows directory enables attackers to bypass Microsoft’s AppLocker security framework. 

The issue affects all variants of Lenovo machines running default Windows installations and poses serious implications for enterprise security environments.

The vulnerability centers around the MFGSTAT.zip file located in the C:\Windows directory, which carries incorrect file permissions that allow any authenticated user to write to, and execute content from, this location.


Key Takeaways
1. A writable MFGSTAT.zip file in Lenovo's Windows directory bypasses AppLocker because of incorrect file permissions.
2. The technique uses Alternate Data Streams to hide an executable inside the zip file, then runs it via a legitimate Windows process.
3. It affects all Lenovo machines with preloaded Windows; it was discovered in 2019 and is still present in 2025.
4. Delete the file with a PowerShell command or via enterprise management tools; no patch is available.

This configuration creates a critical security gap in environments where AppLocker default rules are deployed, as these rules typically allow execution from any location within the Windows folder structure.

Exploitation Technique Leverages Alternate Data Streams (ADS)

The exploitation technique leverages Alternate Data Streams (ADS), a lesser-known NTFS feature that allows attackers to hide executable content within seemingly benign files. 

Oddvar Moe from TrustedSec demonstrated the attack by embedding the autoruns.exe utility from Microsoft Sysinternals into the vulnerable zip file using the following command sequence:

[Screenshot of the command sequence; not reproduced in this extraction.]

Following the data stream injection, the malicious payload can be executed using the legitimate Microsoft Office application loader:

[Screenshot of the execution command; not reproduced in this extraction.]

This Living Off The Land Binary (LOLBin) technique exploits trusted Windows processes to execute unauthorized code while evading traditional security monitoring systems. 

The attack vector is particularly concerning because it utilizes legitimate system components, making detection significantly more challenging for security teams.

The vulnerability was initially discovered in 2019 during routine security assessments but remained unaddressed until Moe’s recent re-investigation in 2025. 

Upon confirming the persistence of the issue across multiple Lenovo device generations, the researcher contacted Lenovo’s Product Security Incident Response Team (PSIRT).

Lenovo's response indicates that it will not release a software patch; instead, it will provide remediation guidance.

Mitigation Strategies 

Organizations can implement immediate remediation through several methods. The most straightforward approach involves removing the vulnerable file using PowerShell:

[Screenshot of the PowerShell removal command; not reproduced in this extraction.]

Alternatively, administrators can utilize Command Prompt with the hidden file attribute flag:

[Screenshot of the Command Prompt removal command; not reproduced in this extraction.]

Enterprise environments should leverage Group Policy Preferences, System Center Configuration Manager (SCCM), or similar management tools to ensure systematic removal across all affected systems. 

This incident highlights the crucial importance of comprehensive filesystem auditing when implementing AppLocker deployments, as even minor oversights can create significant security vulnerabilities that bypass fundamental access controls.
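The following PowerShell script is an added example for administrators and is not code from the article or from Lenovo or TrustedSec. It removes MFGSTAT.zip, reports any extra data streams attached to it, and then audits the top level of the Windows directory for entries that standard-user principals can write to. The principal names and the choice of rights to flag are the example's own assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the article): remove the Lenovo MFGSTAT.zip artifact
# and audit the Windows directory for low-privilege write access, which is what
# AppLocker's default "allow %WINDIR%" rule implicitly trusts.
$windir = $env:SystemRoot
$target = Join-Path $windir 'MFGSTAT.zip'

# Assumption: these principals should never hold write rights under the Windows
# directory. Adjust for localized group names.
$lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# Rights that let a user plant or modify file content.
$writeBits = [int]([System.Security.AccessControl.FileSystemRights]'Write, CreateFiles, AppendData')

function Test-LowPrivWritable {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -ne 0) { return $true }
    }
    return $false
}

# 1. Handle the known artifact: report alternate data streams (the hiding
#    place described above), flag weak permissions, then delete it.
if (Test-Path -LiteralPath $target) {
    $streams = Get-Item -LiteralPath $target -Stream * | Where-Object Stream -ne ':$DATA'
    if ($streams) {
        Write-Warning "Extra data streams on ${target}: $($streams.Stream -join ', ')"
    }
    if (Test-LowPrivWritable $target) {
        Write-Warning "$target is writable by standard users"
    }
    Remove-Item -LiteralPath $target -Force   # -Force also removes hidden files
    Write-Host "Removed $target"
}

# 2. Broader audit: list other top-level entries under the Windows directory
#    that standard users can write to. Add -Recurse for a full (slower) sweep.
Get-ChildItem -LiteralPath $windir -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        try { if (Test-LowPrivWritable $_.FullName) { $_.FullName } } catch { }
    }
```

Any path the audit prints is a candidate for the same AppLocker bypass and should either have its ACL tightened or be excluded from the default allow rule.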
