Windows Installer ‘Make Me Admin’ Flaw Exploited

Microsoft has patched a vulnerability in the Windows Installer that allows malware or rogue users to gain SYSTEM-level privileges and hijack a PC. The flaw, identified as CVE-2024-38014, was privately disclosed by SEC Consult, which has also released an open-source tool to scan for installer files that can be exploited.

The vulnerability is a privilege escalation bug that occurs when a low-privileged user runs an .msi file and selects the option to repair the program. A brief opportunity arises to hijack the repair process, which runs with full SYSTEM rights, allowing the attacker to gain those privileges and take control of the PC.

To exploit this flaw, an attacker would need to trick a user into right-clicking on a black command-line window that appears during the repair process, selecting “Properties,” and clicking on a web link labeled “legacy console mode.” The OS will then prompt the user to open a browser to handle that request. Once in the browser, the attacker can use Control-O to open a file dialog box, type cmd.exe in the top address bar, hit Enter, and gain access to a command prompt with SYSTEM-level privileges.

Microsoft has released a patch for this vulnerability, but users who do not immediately apply the update are still at risk. To help administrators identify vulnerable installer files, SEC Consult has developed an open-source Python package called msiscan that can automatically scan for exploitable .msi files.
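On hosts that have not yet been patched, the chain described above leaves a recognizable trace: a browser, and then cmd.exe, running as SYSTEM beneath the Windows Installer process. The following Python detection logic is an added example, not code from the article, SEC Consult or msiscan. The record fields (modelled on Sysmon Event ID 1), the browser list and the parentage shown in the sample events are assumptions made for illustration.

```python
from ntpath import basename

SYSTEM = "NT AUTHORITY\\SYSTEM"
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}  # assumed list
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed process-creation records (fields modelled on Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"pid": 700,  "ppid": 600,  "user": SYSTEM, "image": r"C:\Windows\System32\services.exe"},
    {"pid": 1200, "ppid": 700,  "user": SYSTEM, "image": r"C:\Windows\System32\msiexec.exe"},
    {"pid": 1300, "ppid": 1200, "user": SYSTEM, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 1310, "ppid": 1300, "user": SYSTEM, "image": r"C:\Windows\System32\conhost.exe"},
    {"pid": 1400, "ppid": 1310, "user": SYSTEM,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
    {"pid": 1500, "ppid": 1400, "user": SYSTEM, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 2000, "ppid": 900,  "user": r"CORP\alice", "image": r"C:\Windows\System32\cmd.exe"},
]

def ancestor_names(pid, by_pid):
    """Return lower-cased image names of pid's ancestors, nearest first."""
    names, seen, rec = [], {pid}, by_pid.get(pid)
    while rec and rec["ppid"] in by_pid and rec["ppid"] not in seen:
        seen.add(rec["ppid"])  # guard against parent loops in malformed data
        rec = by_pid[rec["ppid"]]
        names.append(basename(rec["image"]).lower())
    return names

def find_escalations(events):
    """Flag SYSTEM browsers under msiexec, and SYSTEM shells under such a browser."""
    by_pid = {e["pid"]: e for e in events}  # assumes no PID reuse within the window
    hits = []
    for e in events:
        if e["user"].upper() != SYSTEM:
            continue
        name = basename(e["image"]).lower()
        chain = ancestor_names(e["pid"], by_pid)
        if "msiexec.exe" not in chain:
            continue
        if name in BROWSERS:
            hits.append((e["pid"], "browser-as-SYSTEM"))
        elif name in SHELLS and BROWSERS & set(chain):
            # The installer's own console (pid 1300) has no browser ancestor, so it is skipped.
            hits.append((e["pid"], "shell-from-SYSTEM-browser"))
    return hits

if __name__ == "__main__":
    for pid, reason in find_escalations(SAMPLE_EVENTS):
        print(pid, reason)
```

The console window that a repair legitimately opens is deliberately not flagged, since many installers do this; the signal is the browser that should never be running as SYSTEM.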

In summary, the Windows Installer ‘Make Me Admin’ flaw is a privilege escalation bug that allows attackers to gain SYSTEM-level privileges and hijack a PC by exploiting a brief opportunity during the repair process. The vulnerability has been patched, but users who do not immediately apply the update are still at risk.

Source: https://www.theregister.com/2024/09/12/worried_about_that_microsoft_installer/