News: 1726140615

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

About that Windows Installer 'make me admin' security hole. Here's how it's exploited

(2024/09/12)


In this week's Patch Tuesday Microsoft alerted users to, among other vulnerabilities, a flaw in Windows Installer that can be exploited by malware or a rogue user to gain SYSTEM-level privileges to hijack a PC.

The [1]vulnerability , CVE-2024-38014, was spotted and privately disclosed by security shop SEC Consult, which has now shared the full details of how this attack works. The researcher has released an open source tool to scan a system for Installer files that can be abused to elevate local privileges.

Microsoft said the bug is already exploited, which may mean it acknowledges that SEC Consult's exploit for the flaw works, or that bad people are abusing this in the wild, or both. The software giant declined to comment beyond what it had already stated in its Patch Tuesday advisories. Yes, it's yet another privilege escalation bug but it's such a fun one that we thought you'd be interested to know more.

[2]

SECC researcher Michael Baer found the exploitable weakness in January. Fixing it turned out to be a complex task and Microsoft asked for more time to address it with a patch, which it implemented [3]this week . The original plan was to close the hole in May, but that slipped to this September for technical reasons. Now Baer has written a [4]blog post explaining exactly how the attack works.

[5]

[6]

Essentially, a low privileged user opens an Installer package to repair some already-installed code on a vulnerable Windows system. The user does this by running an .msi file for a program, launching the Installer to handle it, and then selecting the option to repair the program (eg, [7]like this ). There is a brief opportunity to hijack that repair process, which runs with full SYSTEM rights, and gain those privileges, giving much more control over the PC.

When the repair process begins, a black command-line window opens up briefly to run a Windows program called certutil.exe. Quickly right clicking on the window's top bar and selecting "Properties" will stop the program from disappearing and open a dialog box in which the user can click on a web link labeled "legacy console mode." The OS will then prompt the user to open a browser to handle that link. Select Firefox, ideally, to handle that request.

[8]

Then in the browser, press Control-O to open a file, type cmd.exe in the top address bar of the dialog box, hit Enter, and bam – you've got a command prompt as SYSTEM. That's because the Installer spawned the browser with those rights from that link.

If the initial window closes too fast, the rogue user can use SetOpLock.exe to lock the application being fixed, which will cause the process to stall and the window to be left visible, although it's not a perfect technique.

"The SetOpLock trick can pause the execution of the command," writes Baer. "However, we need a file that will be read by the process and blocks the closing of the window. We encountered applications where we did not find a way to block the window."

[9]Microsoft says it broke some Windows 10 patching – as it fixes flaws under attack

[10]Cisco's Smart Licensing Utility flaws suggest it's pretty dumb on security

[11]WhatsApp's 'View Once' could be 'View Whenever' due to a flaw

[12]Proof-of-concept code released for zero-click critical IPv6 Windows hole

There are some caveats. SEC Consult says: "This attack does not work using a recent version of the Edge browser or Internet Explorer. Also make sure that Edge or IE have not been set as default browser for the system user and that Firefox or Chrome are not running before attempting to exploit it." Secondly, not all .msi files are exploitable.

Manually checking each installer package to see if it's exploitable requires admin access and most administrators are short of time as it is. So SECC has developed that aforementioned open source Python package, dubbed [13]msiscan , to do the job automatically.

[14]

While the issue is now patched by Microsoft, there's going to be a long tail of users who don't get around to it immediately. So scan or patch, or do both. ®

Get our [15]Tech Resources



[1] https://www.theregister.com/2024/09/11/patch_tuesday_september_2024/

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZuMQI7ohtnBbGrLsxKYSaQAAAlQ&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38014

[4] https://sec-consult.com/blog/detail/msi-installer-repair-to-system-a-detailed-journey/

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZuMQI7ohtnBbGrLsxKYSaQAAAlQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZuMQI7ohtnBbGrLsxKYSaQAAAlQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[7] https://learn.microsoft.com/en-us/visualstudio/install/repair-visual-studio?view=vs-2022

[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZuMQI7ohtnBbGrLsxKYSaQAAAlQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[9] https://www.theregister.com/2024/09/11/patch_tuesday_september_2024/

[10] https://www.theregister.com/2024/09/05/cisco_smart_licensing_utility_flaws/

[11] https://www.theregister.com/2024/09/09/whatsapp_view_once_flaw/

[12] https://www.theregister.com/2024/08/28/proofofconcept_code_released_for_zeroclick/

[13] https://github.com/sec-consult/msiscan

[14] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZuMQI7ohtnBbGrLsxKYSaQAAAlQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[15] https://whitepapers.theregister.com/



msiscan in github

Youngdog

A python script that runs on Linux. That's great, unless you are windows-only admin in prod ops. The sort of people that need this most. Now I have to stay up all night and figure out how I'm going to do this in PowerShell.

Re: msiscan in github

sitta_europea

"A python script that runs on Linux. ..."

Don't worry - it doesn't.

Re: msiscan in github

Anonymous Coward

That was my immediate thought - why would you not do this in Powershell when it's an issue on Windows? Very odd.

Re: msiscan in github

An_Old_Dog

Instead of rewriting it in PowerShell, perhaps you could install a read-only copy of Python to an appropriate network share.

Launching programs with elevated privileges after installation

Alan W. Rateliff, II

While this obviously takes it to a whole new level, I have seen similar problems with program installations with the "Launch (app name)" after installation (or updating) completes. In many cases, it leads to a running program which cannot interact with user-context activities, such as accessing a user's mapped drives or dragging and dropping from an Explorer window, etc. For my purposes, this has always been an annoyance, never considering under what user context the launched program was running.

Also, I though we blocked the ability to launch programs like CMD.EXE and COMMAND.COM from a browser back in the 1999 when people were using the file:// URI to break out of kiosks and similarly locked-down systems. Should we also shame Firefox for kicking security vulnerabilities old-school?

(I remember using this trick on billing and sales kiosks at ComCast and Sprint stores in the mall to do silly things.)

Re: Launching programs with elevated privileges after installation

Dan 55

I just tried to open C:\WINDOWS\System32\cmd.exe in Firefox and it didn't open the command prompt but asked if I wanted to download the file. I also tried to furtle the settings but I couldn't find a way of making exe files launch instead of download.

Maybe launching Firefox as System makes it set up a new profile with defaults which allows this, who knows...

Re: Launching programs with elevated privileges after installation

AMBxx

No, you're typing in the wrong place.

It's File | Open

Then, in the address bar (not the file name box) type cmd.exe (not ./cmd.exe).

CMD opens.

Re: Launching programs with elevated privileges after installation

Dan 55

Well, there's a thing.

Obviously the exact same logic should be reimplemented in Rust to fix this. /s

MiguelC

In the late 90's I found a similar exploit using McAffee's start-up process. It ran a batch file with system privileges so Windows helpfully opened a DOS window - if you CTRL-C'ed that window, you'd get a DOS console with admin rights!

A language that doesn't affect the way you think about programming is
not worth knowing.