The SEC Consult Vulnerability Lab published a new blog post titled: "Microsoft Windows MSI Installer - Repair to SYSTEM - A detailed journey" covering the recent Microsoft September 2024 patch for CVE-2024-38014. Blog URL: --------- https://r.sec-consult.com/msi Author: ------- Michael Baer, SEC Consult Vulnerability Lab Abstract: --------- This article by our researcher Michael Baer for the SEC Consult Vulnerability Lab will explain different attacks against MSI installers and present an open-source analyzer tool named "msiscan" in order to automatically detect potential security issues. The main focus lies on an attack that abuses briefly opened command Windows during program execution of the MSI installer in the GUI. While most available public research on this topic tries to slow down the system in order to have enough time for the attack, we will describe a technique to completely pause the program execution. This simplifies the attack and makes it a lot more reliable. MSI installers are a common way to install applications on Windows systems. The MSI file format allows to create standardized installers that can install, remove and repair software. While the installation and removal of software usually requires elevated permissions, the repair function for already installed software can be performed by a low-privileged user. The issued repair functions can, however, be executed under the context of NT AUTHORITY\SYSTEM, a very high access right in Windows. If an attacker is able to maliciously interfere with those functions, a privilege escalation attack is possible. This blog post mainly focuses on the vulnerability of visible elevated windows during program execution. However, various other vulnerabilities can arise by an insecurely developed installer. Our provided open-source tool "msiscan" tries to give some more insights into an installer that can help identifying further vulnerabilities. Open-source tool "msiscan": https://github.com/sec-consult/msiscan ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com X: https://x.com/sec_consult EOF Michael Baer / @2024
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/