About Elevation of Privilege – Windows Installer (CVE-2024-38014) vulnerability

The vulnerability was fixed on September 11 as part of the September Microsoft Patch Tuesday. It was discovered by Michael Baer from SEC Consult. On September 12, a post with exploitation details was published on their blog.

MSI files are the standard way to install, repair, and uninstall programs in Windows. Installation requires high privileges. But the repair function can be launched by a low-privileged user. At the same time, the function itself might be executed in the context of NT AUTHORITY\SYSTEM. 🤔

The attacker launches the MSI file of an installed application, selects repair mode, and interacts with the console window launched with SYSTEM privileges. After a few steps, the attacker gets an interactive SYSTEM console.

The Microsoft fix activates a UAC prompt when the MSI installer performs an action with elevated privileges, i.e. before the console window appears.
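
One way to hunt for the outcome described above (an interactive SYSTEM console that descends from the installer), as an added example that is not from the original post or from SEC Consult. It assumes process-creation telemetry with Sysmon Event ID 1 field names; the sample records and `repair_helper.exe` are constructed, and treating a non-zero `TerminalSessionId` as "visible to the user" is a heuristic.

```python
import ntpath

SYSTEM = "NT AUTHORITY\\SYSTEM"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def ev(guid, parent, image, user, session):
    """Build one constructed process-creation record (Sysmon-style field names)."""
    return {"ProcessGuid": guid, "ParentProcessGuid": parent, "Image": image,
            "User": user, "TerminalSessionId": session}

# Constructed sample events, not taken from a real host.
EVENTS = [
    ev("G1", "G0", r"C:\Windows\System32\msiexec.exe", SYSTEM, 0),      # installer service
    ev("G2", "G1", r"C:\Windows\System32\msiexec.exe", SYSTEM, 1),      # custom-action host
    ev("G3", "G2", r"C:\Program Files\App\repair_helper.exe", SYSTEM, 1),
    ev("G4", "G3", r"C:\Windows\System32\cmd.exe", SYSTEM, 1),          # SYSTEM shell on user desktop
    ev("G5", "G1", r"C:\Windows\System32\cmd.exe", SYSTEM, 0),          # non-interactive script step
    ev("G8", "G7", r"C:\Windows\explorer.exe", r"CORP\alice", 1),
    ev("G9", "G8", r"C:\Windows\System32\cmd.exe", r"CORP\alice", 1),   # ordinary user shell
]

def exe_name(event):
    """Lower-cased file name of the process image."""
    return ntpath.basename(event["Image"]).lower()

def has_msiexec_ancestor(event, by_guid):
    """Walk ParentProcessGuid links upward, guarding against cycles."""
    seen = set()
    parent = by_guid.get(event["ParentProcessGuid"])
    while parent and parent["ProcessGuid"] not in seen:
        if exe_name(parent) == "msiexec.exe":
            return True
        seen.add(parent["ProcessGuid"])
        parent = by_guid.get(parent["ParentProcessGuid"])
    return False

def find_system_shells(events):
    """Return GUIDs of shells running as SYSTEM in an interactive session
    whose ancestry includes msiexec.exe."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    return [e["ProcessGuid"] for e in events
            if exe_name(e) in SHELLS
            and e["User"].upper() == SYSTEM
            and e["TerminalSessionId"] != 0
            and has_msiexec_ancestor(e, by_guid)]

if __name__ == "__main__":
    print(find_system_shells(EVENTS))
```

On a patched host the UAC prompt should appear before any such process tree does, so a hit is worth checking against the machine's update state.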
