Windows MSI “Installer service” Elevation of Privilege (Msi Docs)
That was a fun and unexpected bug! MSRC Advisory
Here’s how I managed to exploit “Windows Installer service” through a custom MSI package.
I weaponized a race condition to get a DACL and file content overwrite.
Sorry :-) I’m too lazy to write about it again, so I’m going to embed the report I sent to MSRC. If you have problems viewing it, you can download it from here.
Link to the PoC (GitHub)
Enjoy the read.