Wednesday, April 19, 2023

Micropatches for Local Privilege Escalation in Microsoft Installer (CVE-2023-21800)


February 2023 Windows Updates brought a fix for CVE-2023-21800, a vulnerability in Windows Installer that allows a local low-privileged attacker to run their code as Local System. The vulnerability was reported to Microsoft by Adrian Denkiewicz with Doyensec. Adrian subsequently wrote an article detailing the vulnerability, which allowed us to reproduce it and create a patch for our users.

The vulnerability is in one sense a typical symbolic link issue, the types of which we've been seeing in abundance in the past years, but it is also interesting because it includes a privileged process (msiexec.exe running as Local System) inheriting environment variables from the attacker's parent process. This is something we haven't seen before and it could generally be exploited in different interesting ways.

Adrian decided to exploit it by redefining the PROGRAMDATA environment variable and thereby "redirect the “All Users” profile to the arbitrary location which is writable by the [local attacker]." Installation of a product for all users usually includes creating files in the All Users' Start Menu folder, which is normally write-protected against a local non-admin user; redirecting this folder to an attacker-controlled location, however, allows the attacker to create a symlink there and wait for the installer process to use it. If the symlink points to some system file, the installer process (running as Local System) will effectively delete that system file.

Arbitrary file deletion can be turned into arbitrary code execution as Local System, as was first shown by Jonas Lykkegård in 2020 using Windows Error Reporting Service, and subsequently also by Abdelhamid Naceri using Windows Installer.

While still-supported Windows systems have already received an official vendor fix for this vulnerability, there are Windows systems out there that aren't receiving security fixes from Microsoft anymore. In order to protect these systems, we have created our own micropatches for this vulnerability, which are available through the 0patch service.

Our patches add a check to the affected code to see if the path used for deleting a file contains a symlink. If it does, the operation is blocked (the file is not deleted).
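As an added illustration of the kind of check described above, written here in Python for readability and not taken from 0patch's actual patch code: every component of the path is inspected with lstat (so the link itself, not its target, is examined) and the delete is refused if any component is a symbolic link or, on Windows, another reparse point such as a junction. The folder and file names in the demo are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

def path_contains_symlink(path: str) -> bool:
    """True if any component of `path`, the final one included, is a symbolic
    link or (Windows) any other reparse point; uses lstat so links are not followed."""
    p = Path(path)
    current = Path(p.parts[0]) if p.anchor else Path()
    for part in (p.parts[1:] if p.anchor else p.parts):
        current = current / part
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            return False  # nothing further down the path exists, so no link either
        if stat.S_ISLNK(st.st_mode):
            return True
        reparse = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0)
        if getattr(st, "st_file_attributes", 0) & reparse:
            return True
    return False

def safe_unlink(path: str) -> bool:
    """Delete `path` only when no component is a link; True if deleted, False if blocked."""
    if path_contains_symlink(path):
        return False
    os.unlink(path)
    return True

def demo() -> dict:
    """Constructed layout: a 'system' folder with a protected file, and a writable
    folder whose 'Start Menu' entry links back to it (needs symlink rights on Windows)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()  # resolved so the temp dir itself contains no links
        system = base / "system"
        system.mkdir()
        protected = system / "protected.dll"
        protected.write_text("keep me")
        writable = base / "ProgramData"
        writable.mkdir()
        os.symlink(system, writable / "Start Menu", target_is_directory=True)
        ordinary = writable / "shortcut.lnk"
        ordinary.write_text("safe to remove")
        return {
            "blocked_via_link": not safe_unlink(str(writable / "Start Menu" / "protected.dll")),
            "protected_survives": protected.exists(),
            "ordinary_deleted": safe_unlink(str(ordinary)) and not ordinary.exists(),
        }
```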


Micropatch Availability

The micropatch was written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 10 v2004
  2. Windows 10 v1909
  3. Windows 10 v1809
  4. Windows 10 v1803
  5. Windows 7 (without ESU, with ESU year 1, and with ESU year 2)
  6. Windows Server 2008 R2 (without ESU, with ESU year 1, and with ESU year 2)

This micropatch has already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that). 

Vulnerabilities like this one get discovered on a regular basis, and attackers know about them all. If you're using Windows systems that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

To learn more about 0patch, please visit our Help Center.

We'd like to thank Adrian Denkiewicz with Doyensec for sharing their POC, which allowed us to create a micropatch and protect our users against this attack. We also encourage all security researchers to privately share their analyses with us for micropatching.