September 2024 Windows Updates brought a patch for CVE-2024-38014,
a privilege escalation vulnerability in Windows Installer that could allow a local low-privileged attacker to execute arbitrary code as Local System user.
Security researcher Michael Baer with SEC Consult Vulnerability Lab found this vulnerability and reported it to Microsoft. Subsequently they
also published an article detailing this vulnerability, which allowed us to create a micropatch for it.
The Vulnerability
This vulnerability is an addition to a series of Windows Installer security flaws that were found over the last few years (and patched by 0patch: [1, 2, 3, 4]). Most of these exploited the “repair” operation in one way or another, and so does this one. Its exploitability depends on a product being installed on the computer, whereby product’s installer has to fulfill a number of conditions described in SEC Consult’s article.
This vulnerability finally pushed Microsoft to create a patch that fixed not just this particular issue, but a whole class of issues that might result from non-admin users invoking the repair operation. After September 2024 update is applied, the repair operation on a product installed “for all users” requires administrative privileges. In case the user is a Windows administrator, the UAC (User Account Control) dialog is shown according to the computer’s UAC policy, otherwise the user is prompted for administrative credentials. Note that a non-admin can still perform the repair operation on a product installed “for this user only” without administrative privileges. This makes sense, as such operation does not include privileged actions that could be exploited.
Microsoft’s article describes the effects of the change: “When [Windows Installer] repairs an application, the User Account Control (UAC) does not
prompt for your credentials. After you install this update, the UAC will
prompt for them. Because of this, you must update your automation
scripts. Application owners must add the Shield icon. It indicates that
the process requires full administrator access. To turn off the UAC
prompt, set the HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsInstallerDisableLUAInRepair registry value to 1. The changes in this update might affect automatic Windows Installer repairs.”
Note that this fix also addresses a vulnerability in Windows Installer reported to Microsoft by Adrian Denkiewicz with Doyensec in December 2023, which Microsoft reportedly could not reproduce. This vulnerability also exploited the repair operation and the fact that some actions can be executed with elevated privileges, which a non-admin user could “hijack” to launch code as Local System.
Our Micropatch
Our micropatch is simpler but logically equivalent to Microsoft’s: it requires administrative privileges for all repair operations on products installed “for all users”.
The effect of this change is identical to that of Microsoft’s patch (see above) but in contrast to reverting this change with a registry value, our patch can be disabled either locally via 0patch Console or remotely via 0patch Central if needed.
Here’s the source code of our micropatch (note that in the title, the size of our micropatch is said to be “4 instructions”, which is true for some Windows versions; this particular one for 32-bit Windows 10 v2004 only needed two instructions.)
;XX-2369
MODULE_PATH “..AffectedModulesmsi.dll_5.0.19041.1415_Win10-2004_32-bit_u2021-12msi.dll”
PATCH_ID 1960
PATCH_FORMAT_VER 2
VULN_ID 7835
PLATFORM win32
patchlet_start
PATCHLET_ID 1
PATCHLET_TYPE 2
PATCHLET_OFFSET 0x1ddfb7
N_ORIGINALBYTES 5
JUMPOVERBYTES 0
PIT msi.dll!0x1de0a1
code_start
cmp eax, 0x2 ;check if the current operation is repair
je PIT_0x1de0a1 ;if yes, jump to the block that enables UAC
code_end
patchlet_end
Micropatch Availability
Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:
- Windows 11 v21H2 – fully updated
- Windows 10 v21H2 – fully updated
- Windows 10 v21H1 – fully updated
- Windows 10 v20H2 – fully updated
- Windows 10 v2004 – fully updated
- Windows 10 v1909 – fully updated
- Windows 10 v1809 – fully updated
- Windows 10 v1803 – fully updated
- Windows 7 – fully updated with no ESU, ESU 1, ESU 2 or ESU 3
- Windows Server 2012 (standard and R2) – fully udpated with no ESU
- Windows Server 2008 R2 – fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
Micropatches have already been distributed to, and applied on, all
affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).
Vulnerabilities like these get discovered on a regular basis, and
attackers know about them all. If you’re using Windows that aren’t
receiving official security updates anymore, 0patch will make sure these
vulnerabilities won’t be exploited on your computers – and you won’t
even have to know or care about these things.
If you’re new to 0patch, create a free account
in 0patch Central,
start a free trial, then install and register 0patch Agent. Everything
else will happen automatically. No computer reboot will be needed.
We would like to thank Michael Baer with SEC Consult Vulnerability Lab for sharing their analysis, which made it possible for us to create a
micropatch for this issue. We’d also like to thank Adrian Denkiewicz with Doyensec for sharing their analysis, which allowed us to confirm that our patch also fixes the vulnerability they had found.
To learn more about 0patch, please visit our Help Center.
Leave a Reply