Windows MSI “Installer service” Elevation of Privilege (Msi Docs)

That was a fun bug and unexpected! MSRC Advisory

Here’s how I managed to exploit “Windows Installer service” through a custom MSI package.
Weaponized a race condition to get DACL and file content overwrite.

Sorry :-) I’m too lazy to write again about it so I’m going to embed the report I sent to MSRC - or if you have problem visualizing it then you can download it from here

Link to the PoC (GitHub)

Enjoy the reading.

Written on February 11, 2020