CVE CyberSecurity Database News

CVE-2021-41526 - Privilege Escalation in Windows Installer (MSI) with InstallScript Custom Actions

Poster -

In 2021, researchers uncovered a dangerous vulnerability tracked as CVE-2021-41526 affecting the Windows Installer (MSI) technology—specifically, packages using InstallScript custom actions. This issue could allow a local attacker to escalate their privileges to SYSTEM, the highest level of access in Windows, just by running a repair operation on a vulnerable installer.

If you’re a developer shipping software through MSI packages, or an IT professional maintaining Windows-based environments, you need to understand this bug and how to fix or avoid it. This post breaks down how CVE-2021-41526 works, why it matters, and how attackers could exploit it—with code snippets and real-world examples.

What Is CVE-2021-41526?

When you install a program in Windows using an MSI package, the process may include Custom Actions—scripts or executables that perform extra steps during installation, update, or repair. One popular scripting engine for Custom Actions is InstallScript—provided by InstallShield.

The vulnerability happens because InstallScript custom actions run with elevated privileges during a repair operation, even if invoked by a low-privileged user. Additionally, attackers can trick the MSI repair process into running malicious code with SYSTEM-level permissions.

Privilege Escalation: Any local user could become an administrator or SYSTEM.

- Persistence: Attackers could use this to install rootkits, steal credentials, or disable security tools.

Exploit Details: How Attackers Abuse the Bug

The bug is in the way an MSI package’s InstallScript custom actions get executed during the repair process. By default, Windows allows any user to request a repair operation for a program installed per-machine (for all users), as long as the installer is present.

Exploit Scenario

1. Find a vulnerable MSI: Any application using InstallShield with InstallScript custom actions is potentially affected.
2. Place malicious files: Since custom actions frequently reference files from insecure locations (such as C:\ProgramData), a non-privileged user can add or replace these files.
3. Trigger repair: The attacker runs the msiexec /fa command to force a repair, telling Windows Installer to re-execute custom actions.
4. Get SYSTEM privilege: If the custom action references attacker-controlled data or files, they get executed as SYSTEM during the repair.

Code Snippet: Proof of Concept

Let’s look at a simplified example of how an attacker might exploit this.

Suppose you have a vulnerable MSI installed per-machine, with an InstallScript custom action running helper.exe from a writable folder.

Step 1: Malicious File Placement

:: Run as low-privilege attacker
copy C:\Users\Attacker\malware.exe "C:\ProgramData\VulnerableApp\helper.exe"

Step 2: Trigger the Repair

:: Launch repair with elevated privileges; runs as SYSTEM
msiexec /fa {ProductCode-of-VulnerableApp}

During the repair, the InstallScript custom action runs helper.exe—now replaced with malware.exe under SYSTEM.

Real Exploitation: A Closer Look

Attackers don’t need to break into the SYSTEM account up front. Because the MSI repair executes custom actions as SYSTEM, any process or script called there can grant SYSTEM privileges to a lower user.

Example: Custom Action in the MSI

<CustomAction Id="RunHelper"
              ExeCommand="helper.exe"
              Execute="deferred"
              Impersonate="no"
/>

If helper.exe is in a location where a regular user can write, they just swap in their own binary and trigger the repair.

Here’s a simple Python script that generates a SYSTEM shell using a replaced helper executable

import subprocess
import os

# Assume 'malware.exe' is a SYSTEM shell
malicious_path = r"C:\ProgramData\VulnerableApp\helper.exe"
os.system(f'copy malware.exe "{malicious_path}"')
subprocess.call(['msiexec', '/fa', '{ProductCode-of-VulnerableApp}'])

Official References and More Reading

- Original Advisory by Trend Micro ZDI
- NVD Entry for CVE-2021-41526
- Microsoft Documentation on Custom Actions
- InstallShield Community Reports

Update InstallShield: Use the latest version of InstallShield and apply vendor patches.

- Secure Custom Action Locations: Never run executables or scripts from folders writable by unprivileged users.
- Remove Unnecessary Custom Actions: Minimize use of InstallScript actions, or replace them with standard MSI actions when possible.
- Code Signing: Always sign your binaries, and validate signatures before launching them in custom actions.

Conclusion

CVE-2021-41526 is a serious, real-world Windows Installer vulnerability. It shows just how risky custom scripting in installers can be—especially when those scripts run with SYSTEM-level privileges without rigorous security checks.

If you’re a software vendor or a user, check the applications you install for this vulnerability. Patch your installers, audit your MSI packages, and make sure repair operations can’t be abused by attackers. Privilege escalation bugs like this one are a favorite gateway in real-world malware attacks.

Stay safe, and always test your installer security!

Further Reading:  
- Mitre CVE Entry  
- InstallShield Security Advisory  
- Detailed Research at ZDI

Timeline

Published on: 03/29/2023 21:15:00 UTC
Last modified on: 04/06/2023 19:34:00 UTC