MSIFortune - Local Privilege Escalation with MSI Installers
The repair function often triggers CustomActions, which can lead to several potential issues:
— Visible conhost.exe via a cmd.exe or other console binaries
— Visible PowerShell
— Directly actions from the installer with SYSTEM privileges
— Executing binaries from user writable paths
— DLL sideloading / search path abusing
— Missing PowerShell parameters, mostly -NoProfile
— Execution of other tools in an unsafe manner
Details:
The repair function often triggers CustomActions, which can lead to several potential issues:
— Visible conhost.exe via a cmd.exe or other console binaries
— Visible PowerShell
— Directly actions from the installer with SYSTEM privileges
— Executing binaries from user writable paths
— DLL sideloading / search path abusing
— Missing PowerShell parameters, mostly -NoProfile
— Execution of other tools in an unsafe manner
Details:
MSIFortune - LPE with MSI Installers
MSIFortune - LPE with MSI Installers or MSI - Might (be) stupid idea MSI installers are still pretty alive today. It is a lesser known feature, that a low privileged user can start the repair function of an installation which will run with SYSTEM privileges. What could go wrong? Quite a lot!
badoption.eu