About that Windows Installer 'make me admin' security hole. Here's how it's exploited

In this week's Patch Tuesday Microsoft alerted users to, among other vulnerabilities, a flaw in Windows Installer that can be exploited by malware or a rogue user to gain SYSTEM-level privileges to hijack a PC.

The vulnerability, CVE-2024-38014, was spotted and privately disclosed by security shop SEC Consult, which has now shared the full details of how this attack works. The researcher has released an open source tool to scan a system for Installer files that can be abused to elevate local privileges.

Microsoft said the bug is already exploited, which may mean it acknowledges that SEC Consult's exploit for the flaw works, or that bad people are abusing this in the wild, or both. The software giant declined to comment beyond what it had already stated in its Patch Tuesday advisories. Yes, it's yet another privilege escalation bug but it's such a fun one that we thought you'd be interested to know more.

SECC researcher Michael Baer found the exploitable weakness in January. Fixing it turned out to be a complex task and Microsoft asked for more time to address it with a patch, which it implemented this week. The original plan was to close the hole in May, but that slipped to this September for technical reasons. Now Baer has written a blog post explaining exactly how the attack works.

Essentially, a low privileged user opens an Installer package to repair some already-installed code on a vulnerable Windows system. The user does this by running an .msi file for a program, launching the Installer to handle it, and then selecting the option to repair the program (eg, like this). There is a brief opportunity to hijack that repair process, which runs with full SYSTEM rights, and gain those privileges, giving much more control over the PC.

When the repair process begins, a black command-line window opens up briefly to run a Windows program called certutil.exe. Quickly right clicking on the window's top bar and selecting "Properties" will stop the program from disappearing and open a dialog box in which the user can click on a web link labeled "legacy console mode." The OS will then prompt the user to open a browser to handle that link. Select Firefox, ideally, to handle that request.

Then in the browser, press Control-O to open a file, type cmd.exe in the top address bar of the dialog box, hit Enter, and bam – you've got a command prompt as SYSTEM. That's because the Installer spawned the browser with those rights from that link.

If the initial window closes too fast, the rogue user can use SetOpLock.exe to lock the application being fixed, which will cause the process to stall and the window to be left visible, although it's not a perfect technique.

"The SetOpLock trick can pause the execution of the command," writes Baer. "However, we need a file that will be read by the process and blocks the closing of the window. We encountered applications where we did not find a way to block the window."

• Microsoft says it broke some Windows 10 patching – as it fixes flaws under attack
• Cisco's Smart Licensing Utility flaws suggest it's pretty dumb on security
• WhatsApp's 'View Once' could be 'View Whenever' due to a flaw
• Proof-of-concept code released for zero-click critical IPv6 Windows hole

There are some caveats. SEC Consult says: "This attack does not work using a recent version of the Edge browser or Internet Explorer. Also make sure that Edge or IE have not been set as default browser for the system user and that Firefox or Chrome are not running before attempting to exploit it." Secondly, not all .msi files are exploitable.

Manually checking each installer package to see if it's exploitable requires admin access and most administrators are short of time as it is. So SECC has developed that aforementioned open source Python package, dubbed msiscan, to do the job automatically.

While the issue is now patched by Microsoft, there's going to be a long tail of users who don't get around to it immediately. So scan or patch, or do both. ®