Writable File in Lenovo Path Lets Attackers Evade AppLocker Restrictions

A security researcher has uncovered a significant vulnerability affecting Lenovo computers: a writable file within the Windows directory that can be exploited to bypass AppLocker restrictions.

The file in question, C:\Windows\MFGSTAT.zip, is present on many Lenovo machines that ship with the manufacturer’s default Windows image.

This issue, initially thought to affect only a handful of devices, has now been confirmed across a wide range of Lenovo models.

The Technical Issue

The vulnerability centers on the file permissions of MFGSTAT.zip. Using access control checking tools, it was discovered that any authenticated user on the system could write to this file.

A review of the file’s Access Control Lists (ACLs) in Windows Explorer confirmed that standard users have both write and execute permissions.

This is problematic because, under default AppLocker rules, any executable within the C:\Windows directory is allowed to run. As a result, the writable MFGSTAT.zip file becomes a potential vector for attackers to evade AppLocker’s application whitelisting.

Exploitation Method

To exploit this vulnerability, an attacker does not need to overwrite the zip file directly. Instead, they can leverage Windows’ alternate data streams (ADS) feature.

By adding a malicious binary as an alternate data stream to MFGSTAT.zip, an attacker can execute arbitrary code. For example, the following command adds an executable to the ADS:

type c:\temp\autoruns.exe > c:\windows\mfgstat.zip:this

The attacker can then execute the payload using a legitimate Windows utility, such as appvlp.exe from Microsoft Office:

"C:\Program Files (x86)\Microsoft Office\root\Client\appvlp.exe" c:\Windows\mfgstat.zip:this

This technique allows the attacker to run unauthorized code, effectively bypassing AppLocker’s restrictions.

Upon being notified, Lenovo’s Product Security Incident Response Team (PSIRT) acknowledged the issue but opted not to release a patch.

Instead, Lenovo published guidance recommending the removal of the vulnerable file. The company provided several methods for deletion:

• PowerShell:
  Remove-Item -Path “C:\Windows\MFGSTAT.zip” -Force
• Command Prompt:
  del /A:H C:\Windows\MFGSTAT.zip
• Windows File Explorer:
  Navigate to C:\Windows, show hidden items, right-click MFGSTAT.zip, and select “Delete”.

Lenovo noted that organizations deploying their own Windows images are not affected, as the file is specific to the preloaded Lenovo operating system.

This discovery highlights the importance of scrutinizing default file permissions, especially in system directories.

While Lenovo’s guidance mitigates the risk, the incident serves as a reminder that even minor oversights in system configuration can have significant security consequences.

Lenovo has credited the researcher for responsibly disclosing the issue and encourages all users of affected systems to remove the file promptly.

Exclusive Webinar Alert: Harnessing Intel® Processor Innovations for Advanced API Security – Register for Free

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!