Harry S Robins
2024-09-13 16:18:37 UTC
https://www.theregister.com/2024/09/12/worried_about_that_microsoft_installer/
In this week's Patch Tuesday Microsoft alerted users to, among other
vulnerabilities, a flaw in Windows Installer that can be exploited by
malware or a rogue user to gain SYSTEM-level privileges to hijack a PC.
The vulnerability, CVE-2024-38014, was spotted and privately disclosed by
security shop SEC Consult, which has now shared the full details of how
this attack works. The researcher has released an open source tool to scan
a system for Installer files that can be abused to elevate local
privileges.
Microsoft said the bug is already exploited, which may mean it acknowledges
that SEC Consult's exploit for the flaw works, or that bad people are
abusing this in the wild, or both. The software giant declined to comment
beyond what it had already stated in its Patch Tuesday advisories. Yes,
it's yet another privilege escalation bug but it's such a fun one that we
thought you'd be interested to know more.
The fix... Microsoft addressed this flaw by adding a UAC prompt before the
design flaw can be abused. This requires the user to have access to
administrator rights to complete the action, killing off the privilege
escalation pathway.
SEC Consult researcher Michael Baer found the exploitable weakness in January.
Fixing it turned out to be a complex task and Microsoft asked for more time
to address it with a patch, which it implemented this week. The original
plan was to close the hole in May, but that slipped to this September for
technical reasons. Now Baer has written a blog post explaining exactly how
the attack works.
Essentially, a low-privileged user opens an Installer package to repair
some already-installed code on a vulnerable Windows system. The user does
this by running an .msi file for a program, launching the Installer to
handle it, and then selecting the option to repair the program (eg, like
this). There is a brief opportunity to hijack that repair process, which
runs with full SYSTEM rights, and gain those privileges, giving much more
control over the PC.
When the repair process begins, a black command-line window opens up
briefly to run a Windows program called certutil.exe. Quickly
right-clicking on the window's top bar and selecting "Properties" will stop the
program from disappearing and open a dialog box in which the user can click
on a web link labeled "legacy console mode." The OS will then prompt the
user to open a browser to handle that link. Select Firefox, ideally, to
handle that request.
Then in the browser, press Control-O to open a file, type cmd.exe in the
top address bar of the dialog box, hit Enter, and bam - you've got a
command prompt as SYSTEM. That's because the Installer spawned the browser
with those rights from that link.
If the initial window closes too fast, the rogue user can use SetOpLock.exe
to lock the application being fixed, which will cause the process to stall
and the window to be left visible, although it's not a perfect technique.
"The SetOpLock trick can pause the execution of the command," writes Baer.
"However, we need a file that will be read by the process and blocks the
closing of the window. We encountered applications where we did not find a
way to block the window."
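From a detection standpoint, the chain described above leaves a recognisable trace: a browser or command shell running as SYSTEM with the Windows Installer service (msiexec.exe) somewhere in its ancestry, which should never happen during a legitimate repair. The following script is an added example, not code from The Register, SEC Consult, or Microsoft. It assumes Sysmon-style process-creation records exported as JSON lines with pid, ppid, image and user fields; the sample events, the exact parent/child chain, and the process names are constructed for illustration (which process actually launches the browser on a real system may differ, so the rule walks the whole ancestry rather than checking the immediate parent).

```python
"""Flag browsers or shells running as SYSTEM underneath the Windows Installer service."""
import json
from typing import Dict, List

# Image basenames that should not appear as SYSTEM children of msiexec.exe during a
# repair. certutil.exe is deliberately left out: installers run it legitimately, and
# the article's point is what gets spawned from its console window.
SUSPECT_IMAGES = {"firefox.exe", "chrome.exe", "msedge.exe", "cmd.exe", "powershell.exe"}
SYSTEM_USER = "nt authority\\system"

# Constructed sample: simplified Sysmon Event ID 1 (process creation) records as
# JSON lines. Pids 900-1500 model an abused repair; the rest are benign noise.
SAMPLE_EVENTS = r"""
{"pid": 900,  "ppid": 600,  "image": "C:\\Windows\\System32\\msiexec.exe", "user": "NT AUTHORITY\\SYSTEM"}
{"pid": 1200, "ppid": 900,  "image": "C:\\Windows\\System32\\msiexec.exe", "user": "NT AUTHORITY\\SYSTEM"}
{"pid": 1300, "ppid": 1200, "image": "C:\\Windows\\System32\\certutil.exe", "user": "NT AUTHORITY\\SYSTEM"}
{"pid": 1400, "ppid": 1200, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "user": "NT AUTHORITY\\SYSTEM"}
{"pid": 1500, "ppid": 1400, "image": "C:\\Windows\\System32\\cmd.exe", "user": "NT AUTHORITY\\SYSTEM"}
{"pid": 1800, "ppid": 1700, "image": "C:\\Windows\\explorer.exe", "user": "DESKTOP\\alice"}
{"pid": 2000, "ppid": 1800, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "user": "DESKTOP\\alice"}
{"pid": 1900, "ppid": 600,  "image": "C:\\Windows\\System32\\svchost.exe", "user": "NT AUTHORITY\\SYSTEM"}
{"pid": 2100, "ppid": 1900, "image": "C:\\Windows\\System32\\cmd.exe", "user": "NT AUTHORITY\\SYSTEM"}
"""


def basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> Dict[int, dict]:
    """Parse JSON lines into a pid -> event map, skipping blank lines."""
    events: Dict[int, dict] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        events[int(event["pid"])] = event
    return events


def ancestry(pid: int, events: Dict[int, dict]) -> List[str]:
    """Return image basenames of the process's ancestors, nearest parent first.

    The walk stops when a parent is not in the event set (e.g. it started before
    logging began) or when a pid cycle is detected, so it always terminates.
    """
    chain: List[str] = []
    seen = {pid}
    current = events.get(pid)
    while current is not None:
        parent_pid = int(current["ppid"])
        if parent_pid in seen:
            break
        seen.add(parent_pid)
        current = events.get(parent_pid)
        if current is not None:
            chain.append(basename(current["image"]))
    return chain


def find_suspicious(events: Dict[int, dict]) -> List[int]:
    """Return pids of SYSTEM browsers/shells that have msiexec.exe as an ancestor."""
    hits: List[int] = []
    for pid, event in events.items():
        if basename(event["image"]) not in SUSPECT_IMAGES:
            continue
        if event["user"].lower() != SYSTEM_USER:
            continue
        if "msiexec.exe" in ancestry(pid, events):
            hits.append(pid)
    return sorted(hits)


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    for hit in find_suspicious(parsed):
        chain = " <- ".join(ancestry(hit, parsed))
        print(f"pid {hit}: {basename(parsed[hit]['image'])} as SYSTEM, ancestry: {chain}")
```

Running the block on the constructed sample reports the SYSTEM firefox.exe (pid 1400) and the cmd.exe spawned from it (pid 1500), while the user's own Firefox and the cmd.exe under svchost.exe are ignored. The same ancestry check can be expressed as a Sysmon or EDR rule keyed on the parent chain; the lookup-by-ancestry matters because the immediate parent of the browser is not guaranteed to be msiexec.exe itself.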