Back to list
Defense in depth -- the Microsoft way (part 32): yet another (trivial) UAC bypass resp. privilege escalation
Sep 04 2015 06:18PM
Stefan Kanthak (stefan kanthak nexgo de)
in <http://seclists.org/fulldisclosure/2013/Sep/132> I showed an
elaborated way for privilege elevation using IExpress (and other
self-extracting) installers containing *.MSI or *.MSP which works
"in certain situations".
Microsoft addressed this vulnerability with
In <http://seclists.org/fulldisclosure/2013/Oct/5> I showed an
indirect way for privilege elevation using IExpress installers
and "binary planting".
But there's a direct way too: just call any IExpress installer
(the Microsoft download center offers plenty of them) with a
command line of your choice, for example
CAPICOM-KB931906-v2102.exe /C:"%COMSPEC% /K Title PWNED!"
Due to UACs installer detection the given command line is executed
with full administrative privileges.
PS: this attack vector can be (ab)used with WSUS(pect)!
Using legitimate IExpress packages like CAPICOM-KB931906-v2102.exe,
RvkRoots.exe (cf. <https://support.microsoft.com/en-us/kb/3050995>)
or RootsUpd-KB931125-*.exe which are distributed per Windows Update
has the advantage that the clients %SystemRoot%\WindowsUpdate.log
and their %SystemRoot%\SoftwareDistribution\Download folder dont
show telltale signs of 3rd party executables (as used/proposed by
the authors of WSUSpect).
JFTR: I *love* security fixes which are vulnerable themself.
[ reply ]
Copyright 2010, SecurityFocus