Overview
The Microsoft Windows MsiAdvertiseProduct function contains a race-condition vulnerability, which can allow an authenticated attacker to elevate privileges to read protected files.
Description
The Microsoft Windows MsiAdvertiseProduct function allows a Windows installer product to generate a script to advertise a product to Windows; the script handles shortcut and registry information associated with an installed application. The MsiAdvertiseProduct function contains a race condition while performing checks, which can allow an attacker to read an arbitrary file that would otherwise be protected by filesystem ACLs.
Exploit code for this vulnerability is publicly available.
Impact
By calling the MsiAdvertiseProduct function in a crafted way, an authenticated attacker may be able to read files that would otherwise be restricted through filesystem ACLs.
Solution
The CERT/CC is currently unaware of a practical solution to this problem.
CVSS Metrics
Group | Score | Vector |
Base | 4.6 | AV:L/AC:L/Au:S/C:C/I:N/A:N |
Temporal | 4.4 | E:F/RL:U/RC:C |
Environmental | 4.3 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
References
https://technet.microsoft.com/fr-fr/aa370056(v=vs.71)
https://www.bleepingcomputer.com/news/security/windows-zero-day-poc-lets-you-read-any-file-with-system-level-access/
Credit
This vulnerability was publicly disclosed by SandboxEscaper.
Other Information
CVE IDs: None
Date Public: 2018-12-19
Date First Published: 2018-12-20
Date Last Updated: 2018-12-20 21:11 UTC
Document Revision: 11