Executive Summary

CVE-2020-37129 is a vulnerability in Memu Play version 7.1.3 caused by insecure folder permissions. It allows low-privileged users to modify the MemuService.exe executable because the folder containing this service executable has unrestricted file modification permissions.

An attacker with local access can replace the legitimate MemuService.exe with a malicious file. Since this service runs with SYSTEM-level privileges and is configured to start automatically at system boot, the malicious executable will run with those high privileges after a system restart, enabling privilege escalation.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker with low privileges and local access to escalate their privileges to SYSTEM level on the affected machine.

• The attacker can replace the MemuService.exe with a malicious executable that runs with the highest system privileges.
• Upon system restart, the malicious executable runs automatically, giving the attacker full control over the system.
• This can lead to complete system compromise, including unauthorized access to sensitive data, system manipulation, and disruption of services.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking the folder permissions of the directory containing MemuService.exe, typically located at "C:\\Program Files (x86)\\Microvirt\\MEmu\\". Specifically, you should verify if low-privileged users or the "Authenticated Users" group have modify or full control permissions on this folder or the MemuService.exe file.'}, {'type': 'paragraph', 'content': 'On a Windows system, you can use the following commands to inspect permissions:'}, {'type': 'list_item', 'content': 'Use the command `icacls "C:\\Program Files (x86)\\Microvirt\\MEmu\\MemuService.exe"` to view the access control list (ACL) for the executable.'}, {'type': 'list_item', 'content': 'Use `icacls "C:\\Program Files (x86)\\Microvirt\\MEmu\\"` to check the folder permissions.'}, {'type': 'paragraph', 'content': 'If the output shows that the "Users" or "Authenticated Users" groups have modify or full control permissions, the system is vulnerable.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate this vulnerability immediately, you should restrict the folder and file permissions of the MemuService.exe executable and its containing directory to prevent modification by low-privileged users.'}, {'type': 'list_item', 'content': 'Remove modify or full control permissions for the "Users" or "Authenticated Users" groups on the folder "C:\\Program Files (x86)\\Microvirt\\MEmu\\" and the MemuService.exe file.'}, {'type': 'list_item', 'content': 'Ensure that only Administrators and the SYSTEM account have full control permissions on these files and folders.'}, {'type': 'paragraph', 'content': 'Additionally, consider monitoring the integrity of MemuService.exe and related files to detect unauthorized changes.'}, {'type': 'paragraph', 'content': 'If possible, apply any official patches or updates from the vendor that address this insecure permission issue.'}] [1, 2]

Useful 0 Not Useful 0