Product MSI Downloader
Vendor TechyGeeksHome
Affected Versions <= 1.6
Tested Versions 1.6
Subject Improper Privilege Management - CWE-269
Risk Level Medium
Solution Status unfixed
Manufacturer Notification Jul 30 2023
Solution Date
Public Disclosure Oct 11 2023
CVE Reference
Author Matthias Zöllner, Cyvisory Group GmbH


The MSI installer for the CertClean Tool provided on the homepage or directly allows LPE for low privileged users, via the repair function.


The problem occurs, as the repair function of the MSI is spawning a visible Internet Explorer running in System context. LPE is possible via a very simple breakout.

It seems that there is some kind of impersonate=no parameter for a custom action, which opens a link as the NT SYSTEM user.

Proof of Concept (PoC)

As a low privileged user do the following steps to reproduce:

  • Locate the msi installer under c:\windows\installer\, or bring in a new one.

  • Run the located installer with msiexec.exe /fa '.\MSI Downloader.msi'

  • When the installer runs, note the pop up for links. This happens, as the SYSTEM account typically does not have a default browser set.

  • Spawn a new SYSTEM cmd via: Internet Explorer -> CTRL+O -> cmd.exe

Alt text Alt text


Local Elevation of Privileges. On every machine, where the msi installer still can be found or can be brought to.

Workaround / Fix

Remove the function or use an impersonation for the custom action, to leave the SYSTEM context and open the link in userspace.

Disclosure Timeline

2023-07-30: Vulnerability discovered
2023-07-30: Vulnerability reported to manufacturer
2023-07-30: Response from manufacturer explaining that the tool is uncared for a while
2023-10-11: Disclosure



Found and reported by Matthias Zoellner from Cyvisory Group GmbH

E-Mail: [email protected]


The information provided in this security advisory is provided “as is” and without warranty of any kind.