CVE-2022-21908 - Windows Installer Elevation of Privilege Vulnerability – Deep Dive, Exploit, and How to Stay Safe

---

Introduction

On January 11, 2022, Microsoft disclosed multiple security vulnerabilities as part of their Patch Tuesday updates. Among these, CVE-2022-21908 stands out for its potential to allow attackers to gain elevated privileges using the Windows Installer service. This means that even if an attacker has only limited access to a Windows computer, they could use this vulnerability to achieve administrator rights—a huge step toward taking over a system or deploying malware.

This article breaks down what CVE-2022-21908 is, how it can be exploited, includes code snippets demonstrating the vulnerability, and most importantly, how you can keep your systems secure.

What is CVE-2022-21908?

CVE-2022-21908 is an Elevation of Privilege (EoP) vulnerability in the Windows Installer, a core component in Windows used to install, update, and remove applications. The flaw arises from the way Windows Installer handles certain actions with insufficient checks, allowing a local attacker to execute code with elevated (SYSTEM) privileges.

Microsoft's Security Advisory:  
- CVE-2022-21908 | Windows Installer Elevation of Privilege Vulnerability

Affected Systems:  
All currently supported versions of Windows at the time of the disclosure (Windows 7 through Windows 11, and Server versions).

How Does the Exploit Work?

The root of the problem is that Windows Installer may not correctly check the permissions when rolling back installations or handling special service actions. Attackers can craft a malicious MSI (Windows Installer package) or exploit standard MSI behavior to trigger an elevation scenario.

Attack Scenario:

The installer requests operations that Windows Installer must perform as SYSTEM.

3. Through careful timing or manipulation, the attacker can get the installer to launch another process, write files, or modify objects as SYSTEM - granting them elevated rights.

Proof of Concept: Code Snippet

Below is a simplified pseudo-proof-of-concept that illustrates the general exploit technique. This isn’t a full working exploit but gives you an idea of how an attacker might approach the problem:

:: Windows Batch file to trigger the vulnerability
@echo off
echo Creating a malicious .msi file...
:: Craft a dummy MSI package
msiexec /i malicious.msi /qn

:: Attacker listens for the rollback (cancel the install quickly)
timeout /t 2
taskkill /im msiexec.exe

:: After the rollback, the installer might have executed parts as SYSTEM
echo Check if you now have SYSTEM privileges!
whoami

Quickly interrupts or manipulates the installer process (triggering a rollback).

- Takes advantage of elevated actions performed during the install/rollback to gain SYSTEM-level access.

> DISCLAIMER: This is for educational purposes only. Running exploits or malicious code on systems you do not own or have permission to test is illegal and unethical.

For more technical code and a real-world example, see this public writeup:  
- Windows Installer LPE: A Tale of Abuse

As a post-exploitation step once inside a network

It’s particularly dangerous given that Windows Installer is a trusted component and whitelisted by many endpoint protections.

How To Protect Your Systems

1. Install Security Updates  
The most important mitigation is to install Microsoft’s update from January 2022 (or later cumulative updates):

- Windows 10 / 11: Update via Windows Update

Windows Server: Apply the monthly Patch Tuesday update

2. Monitor Windows Installer Activity  
Watch for unexpected MSI executions, especially from user directories or temp folders.

3. Limit Local Privileges  
Do not operate with more privilege than necessary, and use security tools to restrict what MSI installers can do, especially from untrusted users.

4. Vulnerability Management  
Scan your environment to ensure systems are patched against CVE-2022-21908 and similar vulnerabilities.

References and Further Reading

- Official Microsoft Advisory: CVE-2022-21908
- NVD Entry for CVE-2022-21908
- Detailed Technical Analysis & PoC
- Microsoft Patch Tuesday Release Notes (January 2022)

Conclusion

CVE-2022-21908 is another reminder that local privilege escalation bugs in core Windows components are valuable weapons for attackers. By patching quickly and understanding the threat, you can stay ahead of possible intrusions.

Remember—always keep your operating systems and software up to date. And never underestimate what a "regular" user account can do with the right exploit!

Timeline

Published on: 01/11/2022 21:15:00 UTC
Last modified on: 05/23/2022 17:29:00 UTC