Full Disclosure mailing list archives

The SEC Consult Vulnerability Lab published a new blog post titled:
"Microsoft Windows MSI Installer - Repair to SYSTEM - A detailed journey"
covering the recent Microsoft September 2024 patch for CVE-2024-38014.


Blog URL:
---------
https://r.sec-consult.com/msi


Author:
-------
Michael Baer, SEC Consult Vulnerability Lab


Abstract:
---------
This article by our researcher Michael Baer for the SEC Consult Vulnerability Lab
will explain different attacks against MSI installers and present an open-source
analyzer tool named "msiscan" in order to automatically detect potential security
issues. The main focus lies on an attack that abuses briefly opened command Windows
during program execution of the MSI installer in the GUI. While most available
public research on this topic tries to slow down the system in order to have
enough time for the attack, we will describe a technique to completely pause the
program execution. This simplifies the attack and makes it a lot more reliable.

MSI installers are a common way to install applications on Windows systems.
The MSI file format allows to create standardized installers that can install,
remove and repair software. While the installation and removal of software usually
requires elevated permissions, the repair function for already installed software
can be performed by a low-privileged user. The issued repair functions can, however,
be executed under the context of NT AUTHORITY\SYSTEM, a very high access right in
Windows. If an attacker is able to maliciously interfere with those functions, a
privilege escalation attack is possible.

This blog post mainly focuses on the vulnerability of visible elevated windows
during program execution. However, various other vulnerabilities can arise by an
insecurely developed installer. Our provided open-source tool "msiscan" tries to
give some more insights into an installer that can help identifying further
vulnerabilities.

Open-source tool "msiscan": https://github.com/sec-consult/msiscan



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
X: https://x.com/sec_consult

EOF Michael Baer / @2024

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

• SEC Consult blog :: Microsoft Windows MSI Installer - Repair to SYSTEM - A detailed journey (CVE-2024-38014) + msiscan tool release SEC Consult Vulnerability Lab via Fulldisclosure (Sep 16)