This blog post is about a minor discovery I made regarding a writeable file inside the Windows folder that is present on Lenovo machines. Initially, when I found it, I thought it was only on a handful of Lenovo machines, but it seems to affect all variants. Since this can be abused as an AppLocker bypass, I thought I would write about it here instead, since my personal blog is mostly about AppLocker.
ISSUE
When I ran my checks I found that the file was writeable for any authenticated user.
I then looked at the ACLs in Explorer just to verify.
This confirms that a standard authenticated user can write to and execute this file. If you have deployed AppLocker rules in your environment that allow execution of anything under the C:\Windows folder (the default rules do), then mfgstat.zip becomes an issue, because a standard user can exploit it. To use it as a bypass, the user has to add the contents of a binary file into an alternate data stream and then execute it. I have not been able to overwrite the zip file directly (it might be possible). There are various documented methods for adding to and executing from alternate data streams. In this example I chose to execute autoruns.exe from Sysinternals. First I placed autoruns.exe inside c:\temp and then I used the following command to add it as an alternate data stream of the mfgstat.zip file:
Code:
type c:\temp\autoruns.exe > c:\windows\mfgstat.zip:this
After successfully adding it, I executed it using Appvlp.exe with the following command:
Code:
"C:\Program Files (x86)\Microsoft Office\root\Client\appvlp.exe" c:\Windows\mfgstat.zip:this
To make this more enjoyable I have created a quick video that shows it.
Story
I originally made this discovery on a Lenovo machine I had back in 2019, and I tweeted about it at the time. Back then I thought this was just on my specific model, a Lenovo X1 Extreme, but when I rechecked on my new Lenovo in 2025 I was surprised to find the same issue there. This time, however, I decided to email the Lenovo PSIRT about it and see if they would fix it. They responded promptly, but decided not to put out a fix and instead published guidance on how to remove the file. From a corporate perspective I guess most companies perform their own deployment of operating systems rather than relying on the operating system that comes on the machine by default from Lenovo. Deploying the operating system from the company standard image would remove this file, since it is specific to the default Lenovo operating system image shipped with the machines.
FIX
Lenovo provided guidance for fixing this issue. The guidance is simply to delete the C:\Windows\MFGSTAT.zip file using one of the three methods they explain. If you are in a corporate environment you could also use Group Policy Preferences, SCCM or other tools to remove the file.
Conclusion
My conclusion is that everyone should be checking their filesystems when they are deploying or have deployed AppLocker. It is very easy to miss small things like this. If you are more interested in AppLocker, I did a webinar a while back that is worth checking out. Hope you found this post useful.
Part 1:
Part 2:
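As an added example that is not part of the original post, here is a PowerShell audit in the spirit of the conclusion's advice: it walks a folder that AppLocker trusts (C:\Windows by default; the root parameter is an assumption) and reports files that Everyone, Authenticated Users or the Users group can write to, together with any alternate data streams on them, which is how the mfgstat.zip:this stream from the ISSUE section would show up.

```powershell
# Added defensive example (not from the original post): audit a directory tree that
# AppLocker trusts for files that low-privileged principals can write to, and list
# any alternate data streams on them. Run elevated for full coverage.
param(
    [string]$Root = 'C:\Windows'   # assumption: the folder allowed by your AppLocker rules
)

# Well-known SIDs that mean "any standard user": Everyone, Authenticated Users, Users.
$lowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

# Rights that let a user change the file contents (or anything broader).
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    try { $acl = Get-Acl -LiteralPath $file.FullName } catch { return }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Translate the ACE identity to a SID so it can be compared with the well-known values.
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if ($lowPrivSids -notcontains $sid) { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }

        # Any stream other than the default ::$DATA deserves a look; the "this" stream
        # created in the post would be listed here with its size.
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' } |
                   ForEach-Object { '{0} ({1} bytes)' -f $_.Stream, $_.Length }

        [pscustomobject]@{
            Path     = $file.FullName
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.FileSystemRights
            Streams  = ($streams -join ', ')
        }
        break   # one finding per file is enough
    }
}
```

Pipe the output to Export-Csv to keep a baseline, and treat any hit under a path your AppLocker rules allow as a candidate for removal or a deny rule.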