CVE-2020-13149 in Dragon Center
Summary
by MITRE
Weak permissions on the "%PROGRAMDATA%\MSI\Dragon Center" folder in Dragon Center 2.6.2003.2401, shipped with Micro-Star MSI Gaming laptops, allow local authenticated users to overwrite system files and gain escalated privileges. One attack method is to change the Recommended App binary within App.json. Another attack method is to use this part of %PROGRAMDATA% for mounting an RPC Control directory.
Analysis
by VulDB Data Team • 05/19/2020
The vulnerability identified as CVE-2020-13149 represents a critical privilege escalation flaw within Dragon Center 2.6.2003.2401, a software component pre-installed on Micro-Star MSI gaming laptops. This issue stems from inadequate file system permissions on the "%PROGRAMDATA%\MSI\Dragon Center" directory structure, creating a persistent security weakness that affects local authenticated users. The affected folder sits under the Windows ProgramData directory, which is designed to store application-specific data that should be accessible to all users while maintaining appropriate security controls. The flaw allows attackers with standard user privileges to manipulate system-critical files and potentially achieve administrative access through direct file modification or service manipulation techniques.
The technical exploitation of this vulnerability occurs through two primary attack vectors that leverage the weak directory permissions. The first method involves modifying the App.json configuration file to alter the Recommended App binary path, effectively redirecting system execution to a malicious payload. This technique directly violates the principle of least privilege and demonstrates how improperly configured file permissions can enable arbitrary code execution. The second attack vector utilizes the %PROGRAMDATA% directory structure to mount an RPC Control directory, which allows for more sophisticated privilege escalation by manipulating the underlying Windows Remote Procedure Call infrastructure. Both methods exploit the fundamental security principle that system directories should not be writable by unprivileged users, creating a persistent backdoor for privilege escalation attacks.
The operational impact of CVE-2020-13149 extends beyond simple privilege escalation, as it provides attackers with a persistent foothold on affected systems. This vulnerability affects all Micro-Star MSI gaming laptops that ship with Dragon Center 2.6.2003.2401, creating a widespread attack surface across multiple hardware platforms. The attack requires only local authenticated access, making it particularly dangerous in environments where users may have legitimate administrative privileges or where credential theft has occurred. Once exploited, attackers can maintain persistent access through the modified system files, potentially leading to complete system compromise and data exfiltration. The vulnerability also demonstrates how pre-installed software components can introduce security weaknesses that persist even after system updates, as the issue is embedded within the original software distribution rather than being a runtime configuration error.
Security mitigations for this vulnerability should focus on immediate permission remediation and system hardening measures. Organizations should immediately review and correct the directory permissions on "%PROGRAMDATA%\MSI\Dragon Center" to ensure only authorized system processes can modify the contents. The recommended approach involves implementing strict access controls using Windows ACLs to prevent write access for standard users while maintaining necessary read permissions for legitimate system operations. Additionally, system administrators should consider disabling or removing Dragon Center if it is not required for system functionality, as this eliminates the attack surface entirely. From a compliance perspective, this vulnerability aligns with CWE-276, which addresses improper permissions for critical resources, and may be categorized under ATT&CK technique T1068 for privilege escalation. Regular security audits should include verification of ProgramData directory permissions to prevent similar issues from arising in other software components, as this vulnerability demonstrates how default installations can create persistent security risks that require ongoing monitoring and maintenance.
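The permission review described above can be scripted. The following PowerShell audit is an added example, not code from VulDB, MITRE or MSI; it only reads ACLs and reports entries that grant write-type rights to broad principals. The list of well-known SIDs, the write-rights mask and the choice to ignore Deny entries are assumptions made for this example.

```powershell
param(
    [string]$Path = (Join-Path $env:ProgramData 'MSI\Dragon Center')
)

# Well-known SIDs of broad, non-administrative principals (locale-independent; assumed list).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow content to be altered or replaced, plus the raw GENERIC_WRITE (0x40000000)
# and GENERIC_ALL (0x10000000) bits that can appear in inherit-only entries.
$WriteMask = ([int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x40000000 -bor 0x10000000

function Get-WeakAce {
    param([string]$Item)
    $acl = Get-Acl -LiteralPath $Item
    # Ask for identities as SIDs so the comparison does not depend on display language.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        # Simplification: Deny entries are not evaluated, so a finding may be overridden elsewhere.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if (-not $BroadSids.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Item
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "Not present: $Path"
    return
}

# Check the folder itself and everything beneath it, including App.json.
$items = @($Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName)
$findings = foreach ($i in $items) { Get-WeakAce -Item $i }
if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output "No broad write ACEs found under $Path" }
```

Passing a different `-Path` reuses the same check for other vendor folders under ProgramData during the regular audits the text recommends.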