🍀 MSIFortune - Local Privilege Escalation with MSI Installers
MSI installers are still very much alive today. A lesser-known feature is that a low-privileged user can start the repair function of an installation, which will run with SYSTEM privileges. What could go wrong? Quite a lot!
The repair function often triggers CustomActions, which can lead to several potential issues:
— Visible conhost.exe via a cmd.exe or other console binaries
— Visible PowerShell
— Direct actions from the installer with SYSTEM privileges
— Executing binaries from user writable paths
— DLL sideloading / search path abuse
— Missing PowerShell parameters, mostly -NoProfile
— Execution of other tools in an unsafe manner
🌐 Details:
https://badoption.eu/blog/2023/10/03/MSIFortune.html
#windows #msi #lpe
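A defender-side triage of the issues listed above, as an added example that is not from the linked article or its author. It checks process-creation events for children of msiexec.exe running as SYSTEM; the field names follow Sysmon Event ID 1, while the writable-path list and the sample events are constructed assumptions.

```python
from ntpath import basename  # parses Windows paths on any platform

CONSOLE = {"cmd.exe", "powershell.exe", "pwsh.exe", "conhost.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumption: locations a standard user can usually write to by default.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM = "nt authority\\system"

def has_noprofile(cmdline):
    """True if a token is an unambiguous prefix of -NoProfile (e.g. -nop)."""
    for tok in cmdline.lower().split():
        if tok[0] in "-/" and len(tok) >= 4 and "noprofile".startswith(tok[1:]):
            return True
    return False

def findings(event):
    """Return issue labels for one process-creation event."""
    if basename(event["ParentImage"]).lower() != "msiexec.exe":
        return []
    if event["User"].lower() != SYSTEM:
        return []
    image = event["Image"].lower()
    name = basename(image)
    out = []
    if name in CONSOLE:
        out.append("console binary as SYSTEM")
    if name in POWERSHELL and not has_noprofile(event["CommandLine"]):
        out.append("PowerShell without -NoProfile")
    if image.startswith(USER_WRITABLE):
        out.append("binary in user-writable path")
    return out

MSIEXEC = r"C:\Windows\System32\msiexec.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"ParentImage": MSIEXEC, "User": r"NT AUTHORITY\SYSTEM", "Image": PS,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\ExampleApp\fix.ps1"},
    {"ParentImage": MSIEXEC, "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\ProgramData\ExampleApp\helper.exe",
     "CommandLine": r"C:\ProgramData\ExampleApp\helper.exe /repair"},
    {"ParentImage": MSIEXEC, "User": r"NT AUTHORITY\SYSTEM", "Image": PS,
     "CommandLine": r"powershell.exe -NoP -NonInteractive -File C:\ExampleApp\fix.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"], "->", findings(ev))
```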
New article about privilege escalation via vulnerable MSI files. All roads lead to NT AUTHORITY\SYSTEM.
🔗 Research:
https://cicada-8.medium.com/evil-msi-a-long-story-about-vulnerabilities-in-msi-files-1a2a1acaf01c
🔗 Source:
https://github.com/CICADA8-Research/MyMSIAnalyzer
#windows #msi #lpe