Product: MSI Downloader
Vendor: TechyGeeksHome
Affected Versions: <= 1.6
Tested Versions: 1.6
Subject: Improper Privilege Management - CWE-269
Risk Level: Medium
Solution Status: unfixed
Manufacturer Notification: Jul 30 2023
Solution Date:
Public Disclosure: Oct 11 2023
CVE Reference:
Author: Matthias Zöllner, Cyvisory Group GmbH

Summary

The MSI installer for the CertClean Tool, provided on the homepage https://blog.techygeekshome.info/wpdm-package/msi-downloader/ or directly at https://blog.techygeekshome.info/wpdm-package/msi-downloader/?wpdmdl=32257&refresh=64c5cc91c61091690684561&ind=1675702268343&filename=MSI-Downloader.zip, allows local privilege escalation (LPE) for low-privileged users via its repair function.

Details

The problem occurs because the repair function of the MSI spawns a visible Internet Explorer window running in the SYSTEM context. LPE is possible via a very simple breakout from that window.

It seems that a custom action is configured with some kind of impersonate=no parameter, which opens a link as the NT SYSTEM user.

Proof of Concept (PoC)

As a low-privileged user, do the following steps to reproduce:

  • Locate the MSI installer under c:\windows\installer\, or bring in a new one.

  • Run the located installer with msiexec.exe /fa '.\MSI Downloader.msi'

  • When the installer runs, note the pop-up for links. This happens because the SYSTEM account typically does not have a default browser set.

  • Spawn a new SYSTEM cmd via: Internet Explorer -> CTRL+O -> cmd.exe


Impact

Local elevation of privileges on every machine where the MSI installer can still be found or can be brought to.

Workaround / Fix

Remove the function, or use impersonation for the custom action so that it leaves the SYSTEM context and opens the link in the user's context.
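The root cause in Details (a custom action running without impersonation) and the fix above both come down to one flag in the package's CustomAction table. The following audit script is an added example, not code from the advisory or the vendor; it reads an MSI through the WindowsInstaller COM object and lists the deferred custom actions that carry the NoImpersonate bit, i.e. the ones that execute as LocalSystem during install and repair. The path in $MsiPath is a placeholder assumption.

```powershell
# Added example: audit an MSI's CustomAction table for deferred actions that run
# without impersonation (as LocalSystem). Not part of the advisory or the product.
# $MsiPath is a placeholder; point it at the cached package under C:\Windows\Installer\.
param([string]$MsiPath = 'C:\Windows\Installer\<placeholder>.msi')

# Flag bits from the Windows Installer SDK (msidefs.h)
$InScript      = 0x0400   # msidbCustomActionTypeInScript: deferred execution
$NoImpersonate = 0x0800   # msidbCustomActionTypeNoImpersonate: run as LocalSystem, not as the user
$BaseTypeMask  = 0x003F   # low bits hold the base type (1=DLL, 2=EXE, 18=installed EXE,
                          # 34=EXE with working dir, 50=EXE via property, ...)

function Invoke-Com($obj, $name, $kind, [object[]]$callArgs) {
    # Thin wrapper over InvokeMember so the late-bound WindowsInstaller calls stay readable
    return $obj.GetType().InvokeMember($name, $kind, $null, $obj, $callArgs)
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$db   = Invoke-Com $installer 'OpenDatabase' 'InvokeMethod' @($MsiPath, 0)   # 0 = msiOpenDatabaseModeReadOnly
$view = Invoke-Com $db 'OpenView' 'InvokeMethod' @('SELECT `Action`,`Type`,`Source`,`Target` FROM `CustomAction`')
Invoke-Com $view 'Execute' 'InvokeMethod' $null | Out-Null

$findings = @()
while (($rec = Invoke-Com $view 'Fetch' 'InvokeMethod' $null) -ne $null) {
    $type = [int](Invoke-Com $rec 'IntegerData' 'GetProperty' @(2))
    $findings += [pscustomobject]@{
        Action        = Invoke-Com $rec 'StringData' 'GetProperty' @(1)
        BaseType      = $type -band $BaseTypeMask
        Deferred      = [bool]($type -band $InScript)
        NoImpersonate = [bool]($type -band $NoImpersonate)
        Source        = Invoke-Com $rec 'StringData' 'GetProperty' @(3)
        Target        = Invoke-Com $rec 'StringData' 'GetProperty' @(4)
    }
}
Invoke-Com $view 'Close' 'InvokeMethod' $null | Out-Null

# Only deferred actions honour NoImpersonate, so these are the actions that run as SYSTEM.
# Any entry here that launches an executable, a script or a URL handler is what the fix
# targets: clear the bit (WiX: Impersonate="yes") so the action runs in the user's context.
$findings | Where-Object { $_.Deferred -and $_.NoImpersonate } | Format-Table -AutoSize
```

Run it as an ordinary user; the cached packages under C:\Windows\Installer are world-readable, which is also why the repair in the PoC can be started without elevation.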

Disclosure Timeline

2023-07-30: Vulnerability discovered
2023-07-30: Vulnerability reported to manufacturer
2023-07-30: Response from manufacturer explaining that the tool has not been maintained for a while
2023-10-11: Disclosure

References

Credits

Found and reported by Matthias Zoellner from Cyvisory Group GmbH

E-Mail: [email protected]
Website: https://cyvisory.group

Disclaimer

The information provided in this security advisory is provided “as is” and without warranty of any kind.