
MSI installer allows LPE

Moderate
overheadhunter published GHSA-9c9p-c3mg-hpjq Jul 24, 2023

Package                          Affected versions   Patched versions
Cryptomator-1.9.1-x64.exe (exe)  <= 1.9.1            1.9.2
Cryptomator-1.9.1-x64.msi (msi)  <= 1.9.1            1.9.2

Description

Summary

The MSI installer provided on the homepage allows local privilege escalation (LPE) for low-privileged users once the product has been installed.

Details

The problem occurs because the repair function of the MSI spawns two elevated cmd windows. If one of them is caught before it closes, a simple LPE is possible via a trivial console breakout.

PoC

As a low-privileged user, perform the following steps to reproduce.

  • Locate the cached MSI under C:\Windows\Installer\. Windows Installer keeps a copy of every installed package there for as long as the product stays installed. To find the right file, use either the timestamp or the msi_search script from Mandiant: https://raw.githubusercontent.com/mandiant/msi-search/main/msi_search.ps1

  • Run a repair of the located package (the "a" reinstall mode forces all files to be reinstalled and re-runs the package's custom actions):
    msiexec.exe /fa C:\Windows\Installer\2847d63.msi

  • While the repair runs, note that two cmd windows briefly flicker on screen.

  • Catch one of the cmd windows by quickly selecting some text in it; the console host pauses output while text is selected, so the window stays open instead of closing with the script.

  • Spawn a new SYSTEM cmd from the caught window: open the console's Properties dialog -> click the "legacy console mode" link, which opens in Internet Explorer under the same SYSTEM token -> Ctrl+O -> enter cmd.exe.
    [Screenshot LPE_1]

[Screenshot LPE_2]

Impact

Local elevation of privileges on every machine where the cached MSI can still be found. Rolling out the software via SCCM typically also leaves the MSI file in place.
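The "locate the cached MSI" step of the PoC and the impact assessment both come down to the same question: which machines still hold a cached Cryptomator package at or below 1.9.1, and does that package carry custom actions that the repair re-runs as SYSTEM? The following PowerShell script is an added example, not part of the original advisory or of the Cryptomator project. It enumerates C:\Windows\Installer, opens each cached .msi read-only through the WindowsInstaller COM API, and reports packages whose ProductName matches an assumed pattern ("Cryptomator*") together with their ProductVersion and every CustomAction row that runs without impersonation (type bit 0x800, i.e. in the installer service's SYSTEM context) and references cmd. The product-name pattern, the parameter names and the cmd regex are assumptions; the script only reads the package and never triggers a repair.

```powershell
# Added example, not part of the original advisory or of the Cryptomator project.
# Walks the Windows Installer cache, opens every cached .msi read-only and reports
# packages whose ProductName matches $ProductPattern (assumed "Cryptomator*"),
# whether they are at or below the affected version, and the custom actions that
# run without impersonation (type bit 0x800 = msidbCustomActionTypeNoImpersonate,
# i.e. as SYSTEM) and reference cmd. Runs as a standard user; nothing is modified.
param(
    [string]  $ProductPattern = 'Cryptomator*',      # assumption: product name as stored in the MSI
    [version] $AffectedUpTo   = '1.9.1',
    [string]  $CacheDir       = (Join-Path $env:windir 'Installer')
)

$msi = New-Object -ComObject WindowsInstaller.Installer

# WindowsInstaller.Installer is only reachable through late binding from PowerShell,
# so every call goes through InvokeMember instead of a direct method call.
function Invoke-Msi($obj, [string]$name, $argList, [string]$kind = 'InvokeMethod') {
    return $obj.GetType().InvokeMember($name, $kind, $null, $obj, $argList)
}

# Run "SELECT <columns> FROM <table>" against an open database and emit one
# PSCustomObject per row. Field indexes in an MSI Record are 1-based.
function Get-MsiRows($db, [string[]]$Columns, [string]$Table) {
    $view = Invoke-Msi $db 'OpenView' @("SELECT $($Columns -join ', ') FROM $Table")
    Invoke-Msi $view 'Execute' $null | Out-Null
    while ($rec = Invoke-Msi $view 'Fetch' $null) {
        $row = [ordered]@{}
        for ($i = 0; $i -lt $Columns.Count; $i++) {
            $row[$Columns[$i]] = Invoke-Msi $rec 'StringData' @($i + 1) 'GetProperty'
        }
        [pscustomobject]$row
    }
    Invoke-Msi $view 'Close' $null | Out-Null
}

foreach ($file in Get-ChildItem -Path $CacheDir -Filter '*.msi' -File -Force -ErrorAction SilentlyContinue) {
    try {
        $db = Invoke-Msi $msi 'OpenDatabase' @($file.FullName, 0)   # 0 = msiOpenDatabaseModeReadOnly
    } catch {
        continue   # not a readable MSI, or access denied: skip it
    }

    $props = @{}
    foreach ($p in Get-MsiRows $db @('Property', 'Value') 'Property') { $props[$p.Property] = $p.Value }
    if (-not ($props['ProductName'] -like $ProductPattern)) { continue }

    $version = [version]$props['ProductVersion']

    # Custom actions the repair re-runs in the service's SYSTEM context.
    # Type is a bit mask: 0x800 = no impersonation, 0x400 = deferred (in-script).
    $systemActions = @()
    try {
        $systemActions = @(Get-MsiRows $db @('Action', 'Type', 'Source', 'Target') 'CustomAction' |
            Where-Object { ([int]($_.Type) -band 0x800) -ne 0 })
    } catch { }   # package has no CustomAction table

    [pscustomobject]@{
        CachedMsi        = $file.FullName
        Product          = $props['ProductName']
        Version          = $version
        Affected         = ($version -le $AffectedUpTo)
        # assumption: the spawned consoles come from actions whose Source/Target name cmd
        SystemCmdActions = @($systemActions |
            Where-Object { "$($_.Source) $($_.Target)" -match '\bcmd(\.exe)?\b' } |
            ForEach-Object { '{0} (type 0x{1:X}): {2}' -f $_.Action, [int]($_.Type), $_.Target })
    }
}
```

Run it locally or push it through the management tooling that deployed the package; any host reporting Affected = True is a candidate for upgrading to 1.9.2, and a non-empty SystemCmdActions list names the rows that a repair would execute with SYSTEM rights.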

Notes

Please let me know if you have any questions, and keep me updated about the progress and whether you can replicate this.

I would like to get a CVE assigned for this, if you agree.

Best Regards,
Matthias Zoellner
CYVISORY GROUP

Severity

Moderate

CVE ID

CVE-2023-37907
