A safety researcher has uncovered a major vulnerability affecting Lenovo computer systems: a writable file inside the Home windows listing that may be exploited to bypass AppLocker restrictions.<\/p>\n
The file in query, C:WindowsMFGSTAT.zip, is current on many Lenovo machines that ship with the producer\u2019s default Home windows picture.<\/p>\n
This subject, initially thought to have an effect on solely a handful of gadgets, has now been confirmed throughout a variety of Lenovo<\/a> fashions.<\/p>\n The vulnerability facilities on the file permissions of MFGSTAT.zip. Utilizing entry management checking instruments, it was found that any authenticated consumer on the system may write to this file.<\/p>\n A evaluation of the file\u2019s Entry Management Lists (ACLs) in Home windows Explorer confirmed that normal customers have each write and execute permissions.<\/p>\n That is problematic as a result of, underneath default AppLocker guidelines, any executable inside the C:Home windows listing is allowed to run. Because of this, the writable MFGSTAT.zip file turns into a possible vector for attackers to evade AppLocker\u2019s utility whitelisting.<\/p>\n Exploitation Technique<\/strong><\/p>\n To use this vulnerability, an attacker doesn’t have to overwrite the zip file instantly. As a substitute, they will leverage Home windows\u2019 alternate information streams (ADS) characteristic.<\/p>\n By including a malicious binary as an alternate information stream to MFGSTAT.zip, an attacker can execute arbitrary code. For instance, the next command provides an executable to the ADS:<\/p>\n The attacker can then execute the payload utilizing a professional Home windows <\/a>utility, corresponding to appvlp.exe from Microsoft Workplace:<\/p>\n This system permits the attacker to run unauthorized code, successfully bypassing AppLocker\u2019s restrictions.<\/p>\n Upon being notified, Lenovo\u2019s Product Safety Incident Response Group (PSIRT) acknowledged the difficulty however opted to not launch a patch.<\/p>\n As a substitute, Lenovo revealed steering recommending the removing of the susceptible file. The corporate supplied a number of strategies for deletion:<\/p>\n Lenovo famous that organizations deploying their very own Home windows photographs will not be affected, because the file is restricted to the preloaded Lenovo working system.<\/p>\nThe Technical Concern<\/strong><\/h2>\n
sort c:tempautoruns.exe > c:windowsmfgstat.zip:this<\/code><\/pre>\n\"C:Program Information (x86)Microsoft OfficerootClientappvlp.exe\" c:Windowsmfgstat.zip:this<\/code><\/pre>\n![\"\"](\"https:\/\/gbhackers.com\/wp-content\/uploads\/2025\/07\/image-8.png\")
<\/figure>\n\n
Take away-Merchandise -Path \u201cC:WindowsMFGSTAT.zip\u201d -Drive<\/li>\n
del \/A:H C:WindowsMFGSTAT.zip<\/li>\n
Navigate to C:Home windows, present hidden objects, right-click MFGSTAT.zip, and choose \u201cDelete\u201d.<\/li>\n<\/ul>\n