They're not easy to exploit, but with enough resources it can be done

Jan 19, 2012 14:29 GMT
Some Windows installer files may allow a hacker to obtain elevated privileges

A researcher from IOActive Labs presents an interesting issue affecting some Windows 7 and Windows 2008 installer files that could allow an attacker to elevate his own privileges and compromise the operating system.

Cesar Cerrudo reveals that the C:\Windows\Installer\ folder contains installer files left behind by previously installed applications. Although their file names are random, when one of them is an installer for a Microsoft application, executing it automatically escalates privileges and begins the installation.

While in theory there shouldn’t be any problem, during the installation process a .dll file is loaded by the OS’s msiexec.exe process with elevated privileges.

This may be considered a vulnerability, since if the DLL is replaced with a specially crafted file, an attacker could obtain elevated privileges and execute code of his own.

However, before loading the DLL, msiexec.exe computes its MD5 hash and compares it with a known MD5 hash read from a file contained in the folder that stores the installers.

This means that in order to successfully exploit the weakness, an attacker would need to replace the DLL with one that carries his own code yet still matches the stored hash.
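The check described above is a "verify before privileged load" pattern: its strength is exactly the second-preimage resistance of the digest used, plus the integrity of wherever the reference digest is stored. The following Python is an added illustration of that pattern written for this article; it is not msiexec.exe's code, and the reference-file format, the file name `abcd1234.dll` and the sample byte strings are constructed assumptions. It shows the same compare-then-load logic with the digest algorithm made explicit, refuses to rely on MD5 by default, and rejects a one-byte-modified file.

```python
"""Verify-before-load integrity check, illustrating the design the article
describes (digest of a DLL compared against a stored reference before a
privileged process loads it). The reference-file format, names and sample
data below are assumptions for this example, not Windows Installer's own."""
import hashlib
import hmac

# Digests a "verify before privileged load" check should accept.
# MD5 is excluded: the check rests entirely on the digest's second-preimage
# resistance, and the article notes Microsoft's SDL has banned MD5 since 2005.
ACCEPTED_ALGORITHMS = {"sha256", "sha384", "sha512"}


def file_digest(data: bytes, algorithm: str) -> str:
    """Hex digest of an in-memory file image."""
    return hashlib.new(algorithm, data).hexdigest()


def build_reference(files: dict, algorithm: str = "sha256") -> str:
    """Produce the reference list: one '<hexdigest>  <name>' line per file
    (assumed format). In a real deployment this list must live where an
    unprivileged user cannot write, or be signed; otherwise whoever can
    replace the DLL can replace its reference digest as well."""
    lines = [f"# algorithm={algorithm}"]
    for name, data in sorted(files.items()):
        lines.append(f"{file_digest(data, algorithm)}  {name}")
    return "\n".join(lines) + "\n"


def parse_reference(text: str):
    """Parse the reference list into (algorithm, {name: hexdigest})."""
    algorithm = None
    refs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("# algorithm="):
            algorithm = line.split("=", 1)[1].strip()
            continue
        digest, name = line.split(None, 1)
        refs[name] = digest.lower()
    if algorithm is None:
        raise ValueError("reference list does not name its digest algorithm")
    return algorithm, refs


def verify_before_load(name: str, data: bytes, reference_text: str,
                       allow_weak: bool = False) -> bool:
    """Return True only if `data` matches the stored digest for `name`.
    Unknown names are refused. Unless allow_weak=True, a reference list built
    with a digest outside ACCEPTED_ALGORITHMS (e.g. md5) is rejected up front
    rather than silently trusted."""
    algorithm, refs = parse_reference(reference_text)
    if algorithm not in ACCEPTED_ALGORITHMS and not allow_weak:
        raise ValueError(f"refusing to trust {algorithm} for a privileged load")
    expected = refs.get(name)
    if expected is None:
        return False
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(file_digest(data, algorithm), expected)


# Constructed sample "DLL" images (not real PE files): the original and a
# copy with its last byte changed, standing in for a substituted file.
ORIGINAL_DLL = b"MZ\x90\x00" + b"constructed sample dll image" * 8
TAMPERED_DLL = ORIGINAL_DLL[:-1] + b"!"


def demo() -> dict:
    """Run the three cases a loader must get right and report each outcome."""
    reference = build_reference({"abcd1234.dll": ORIGINAL_DLL})
    return {
        "original_accepted": verify_before_load("abcd1234.dll", ORIGINAL_DLL, reference),
        "tampered_rejected": not verify_before_load("abcd1234.dll", TAMPERED_DLL, reference),
        "unknown_rejected": not verify_before_load("other.dll", ORIGINAL_DLL, reference),
    }


if __name__ == "__main__":
    print(demo())
```

Two points the example makes explicit that the article only implies: the algorithm is a policy decision, so a loader that refuses MD5 references up front removes the second-preimage question entirely; and a reference digest stored beside the files it protects is only as trustworthy as the permissions on that location, which is why the comment on `build_reference` insists the list be write-protected or signed.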

“The problem is that this is not a simple attack—it’s an attack to the MD5 hashing algorithm referred to as a second-preimage attack for which there are no practical attacks that I know of, so it’s impossible for a regular attacker to generate a file with the same MD5 hash as the existing DLL file,” Cerrudo says.

On the other hand, he believes that someone with the cracking technologies and the resources of an intelligence agency would be able to pull off something like this.

“I don’t know why Microsoft continues using MD5; it has been banned by Microsoft SDL since 2005 and it seems there has been some component oversight or these components have been built without following SDL guidance. Who knows on what other functionality MD5 continues to be used by Microsoft, allowing abuse by intelligence agencies,” he concludes.

Here is a proof-of-concept video made by Cerrudo: