The Microsoft Windows MsiAdvertiseProduct function contains a race-condition vulnerability, which can allow an authentication attacker to elevate privileges to read protected files.
The Microsoft Windows MsiAdvertiseProduct function allows a Windows installer product to generate a script to advertise a product to Windows, which handles shortcut and registry information associated with an installed application. The MsiAdvertiseProduct contains a race condition while performing checks, which can allow an attacker to read an arbitrary file which would otherwise be protected with filesystem ACLs.
Exploit code for this vulnerability is publicly available.
By calling the MsiAdvertiseProduct function in a crafted way, an authenticated attacker may be able to read files that would otherwise be restricted through filesystem ACLs.
The CERT/CC is currently unaware of a practical solution to this problem.
This vulnerability was publicly disclosed by SandboxEscaper.
This document was written by Will Dormann.
|Date First Published:||2018-12-20|
|Date Last Updated:||2018-12-20 21:11 UTC|