About that Windows Installer 'make me admin' security hole. Here's how it's exploited

In this week's Patch Tuesday Microsoft alerted users to, among other vulnerabilities, a flaw in Windows Installer that can be exploited by malware or a rogue user to gain SYSTEM-level privileges to hijack a PC. The vulnerability, CVE-2024-38014, was spotted and privately disclosed by security shop SEC Consult, which has now …

  1. Youngdog

    msiscan in github

    A Python script that runs on Linux. That's great, unless you are a Windows-only admin in prod ops. The sort of people that need this most. Now I have to stay up all night and figure out how I'm going to do this in PowerShell.

    1. sitta_europea Silver badge

      Re: msiscan in github

      "A python script that runs on Linux. ..."

      Don't worry - it doesn't.

    2. Anonymous Coward

      Re: msiscan in github

      That was my immediate thought - why would you not do this in PowerShell when it's an issue on Windows? Very odd.

    3. An_Old_Dog Silver badge

      Re: msiscan in github

      Instead of rewriting it in PowerShell, perhaps you could install a read-only copy of Python to an appropriate network share.

      1. AndrueC Silver badge

        Re: msiscan in github

        Installing extra software adds risk. PowerShell is already installed.

        1. JLV

          Re: msiscan in github

          Because a PowerShell script you install will itself be safe by default, without needing to look it over?

          1. Alan_Peery

            Re: msiscan in github

            The point of Python being an additional attack surface is true regardless of the need to read and verify *either* script.

    4. JamesTGrant Bronze badge

      Re: msiscan in github

      Not sure if serious or not. However, there is a Python for Windows installer.

      https://www.python.org/downloads/windows/

      You could even wrap the install, script execution, and subsequent Python uninstall in a PowerShell script. I bet ChatGPT could smash that out in a one sentence prompt.

      Not trying to be snarky - hopefully helpful.

  2. Alan W. Rateliff, II

    Launching programs with elevated privileges after installation

    While this obviously takes it to a whole new level, I have seen similar problems with program installations with the "Launch (app name)" after installation (or updating) completes. In many cases, it leads to a running program which cannot interact with user-context activities, such as accessing a user's mapped drives or dragging and dropping from an Explorer window, etc. For my purposes, this has always been an annoyance, never considering under what user context the launched program was running.

    Also, I thought we blocked the ability to launch programs like CMD.EXE and COMMAND.COM from a browser back in 1999, when people were using the file:// URI to break out of kiosks and similarly locked-down systems. Should we also shame Firefox for kicking security vulnerabilities old-school?

    (I remember using this trick on billing and sales kiosks at ComCast and Sprint stores in the mall to do silly things.)

    1. Dan 55 Silver badge

      Re: Launching programs with elevated privileges after installation

      I just tried to open C:\WINDOWS\System32\cmd.exe in Firefox and it didn't open the command prompt but asked if I wanted to download the file. I also tried to furtle the settings but I couldn't find a way of making exe files launch instead of download.

      Maybe launching Firefox as System makes it set up a new profile with defaults which allows this, who knows...

      1. AMBxx Silver badge

        Re: Launching programs with elevated privileges after installation

        No, you're typing in the wrong place.

        It's File | Open

        Then, in the address bar (not the file name box) type cmd.exe (not ./cmd.exe).

        CMD opens.

        1. Dan 55 Silver badge

          Re: Launching programs with elevated privileges after installation

          Well, there's a thing.

          This seems to be a Windows "feature", Notepad also does it.

          1. Dan 55 Silver badge

            Re: Launching programs with elevated privileges after installation

            As does Edge if you use the CTRL-O shortcut to get the File Open dialog box.

            1. This post has been deleted by its author

            2. AndrueC Silver badge

              Re: Launching programs with elevated privileges after installation

              Ouch. It's not actually the calling application doing the open - it's the dialog box.

              1. Dan 55 Silver badge

                Re: Launching programs with elevated privileges after installation

                Indeed, and why on earth is this even a thing? It causes problems as soon as you run a GUI program as another user.

                I suspect spaghetti code shared between Explorer and the File dialog box.

          2. Elongated Muskrat Silver badge

            Re: Launching programs with elevated privileges after installation

            It seems to be that the installer launches the browser as an elevated process, and that the browser then uses the Windows standard file dialog (in the same user context), which itself has a flaw which allows the user to run an arbitrary command through the address bar.

            It's a bit unfair to single out Firefox in this instance, since it is doing exactly what it has been asked to do (open a web page in a specific user context) and then has allowed the user to do something else sensible (use the standard Windows dialog to get a file to open when the user asks to open a file).

            There are two pretty obvious flaws here:

            1) The installer (running as an admin user) uses that user context to open the browser, and not the user context of the user that started the installer (presumably before being asked for admin credentials). That's a flaw in the installer, or the installer tooling that allows this; essentially using its elevated credentials to fire off an arbitrary external process. On this note, I wonder what would happen if the user were to set any other arbitrary program as the system's default browser? Would that get launched with admin credentials?

            2) The system file open dialog allows the user to do things other than just select a file. That's an example of unwanted "feature creep". In this case, it's allowing the user to launch an arbitrary third process (cmd.com). It also allows other things like directory creation, that are not strictly file-opening related.
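            As an added illustration of the first flaw described above (an elevated installer handing its context to an interactive program), the function below is example code written for this page, not code from the article or from the msiscan project: it lists GUI processes whose parent chain includes msiexec.exe and which are owned by SYSTEM. The list of interactive image names is an assumption to adapt to your own estate.

```powershell
# Added example (not from the article or msiscan): find interactive programs that
# were spawned by msiexec.exe and are running as NT AUTHORITY\SYSTEM, i.e. the
# "launch app after install" pattern where an installer leaks its elevated context.

function Get-ElevatedInstallerChildren {
    [CmdletBinding()]
    param(
        # Image names that indicate an interactive program (assumption; extend as needed).
        [string[]] $InteractiveImages = @('firefox.exe', 'chrome.exe', 'msedge.exe', 'notepad.exe', 'cmd.exe')
    )

    # Snapshot all processes once and index them by PID so parent lookups are O(1).
    $procs = Get-CimInstance -ClassName Win32_Process
    $byId  = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        if ($InteractiveImages -notcontains $p.Name) { continue }

        # Walk up the parent chain looking for msiexec.exe; a bounded depth copes with
        # intermediate launchers, and a missing parent (already exited) ends the walk.
        $parent       = $byId[[int]$p.ParentProcessId]
        $viaInstaller = $false
        $depth        = 0
        while ($parent -and $depth -lt 5) {
            if ($parent.Name -ieq 'msiexec.exe') { $viaInstaller = $true; break }
            $parent = $byId[[int]$parent.ParentProcessId]
            $depth++
        }
        if (-not $viaInstaller) { continue }

        # Only report processes whose token owner is the SYSTEM account.
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        if ($owner.User -ne 'SYSTEM') { continue }

        [pscustomobject]@{
            ProcessId   = $p.ProcessId
            Name        = $p.Name
            Owner       = "$($owner.Domain)\$($owner.User)"
            CommandLine = $p.CommandLine
        }
    }
}

# Run from an elevated PowerShell so that SYSTEM-owned processes can be queried.
Get-ElevatedInstallerChildren | Format-Table -AutoSize
```

Any row returned is worth investigating: a browser or editor owned by SYSTEM with msiexec.exe above it is exactly the state from which the file dialog trick in this thread becomes dangerous.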

  3. MiguelC Silver badge

    In the late 90's I found a similar exploit using McAfee's start-up process. It ran a batch file with system privileges, so Windows helpfully opened a DOS window - if you CTRL-C'ed that window, you'd get a DOS console with admin rights!

  4. JLV

    Is Google Search getting seriously dumber?

    I was wondering about the "Linux script" rant and decided to look it up for myself.

    My exact search was `"msiscan" github`, after Google first "corrected" the repo name for me.

    Google replies: "It looks like there aren't many great matches for your search" although it does find this article along the way.

    Bing - shudder - finds it right away.

    What the eff? Not the first time Google drops the ball. Are they losing their lead while faffing over LLM-powered searches?

    p.s. the reason for Python-on-WSL is that the script relies on some apt-installed package, `msitools`.

    https://github.com/sec-consult/msiscan

    > Install the (apt) package msitools. It contains msiinfo and msiextract that are needed as well.

  5. IGotOut Silver badge

    I have to say ..

    ...forget slagging off MS, buy this person a pint. That is one heck of a convoluted way to find a flaw!

  6. FF22

    "What kind of OS can be hijacked by clicking a link at just the right time?"

    Any. We've had protocol handler and browser engine vulnerabilities on Linux, macOS and Android too, for ages, and in hundreds of instances.

  7. RedGreen925 Bronze badge

    Ahhhh, Microsoft code, the gift that just keeps on giving to all the scumbags out for a quick exploit. So sad it has been true for decades now, yet these clowns still use it and pay good money for the privilege.

  8. Kiss

    Cyber security industry

    Imagine how small the Cyber security industry would be if no one used Windows OS. Not zero, but enough to make an impression on every IT budget to allow investments in tech that actually improves an organisation's efficiency and competitiveness.

    1. Elongated Muskrat Silver badge

      Re: Cyber security industry

      Imagine what would happen if MS had not existed. Someone else's OS would have become the de facto OS used by businesses. The same marketing and sales people would have taken over, and added ill thought-out "features" to that instead. Meanwhile, black-hats, not having Windows as the main target to focus on, would have gone round finding software flaws in whatever mainstream OS took its place. If you think Microsoft's offerings are unusual in the number of programming flaws that make it to production, I have news for you about the nature of software development. In some ways, MS development processes are quite well thought-out, so the chances are that what we'd have instead would be a lot less disciplined, and hence a lot worse.

      Having said all that, I have no particular love for MS, but blaming them for the existence of software flaws is going a bit too far. Windows is full of badly-written bloatware, yes, but I raise you SYSTEMD.
