The bug is in “MsiAdvertiseProduct”
Calling this function will result in a file copy by the installer service.
This will copy an arbitrary file that we can control with the first parameter into c:\windows\installer … a check gets done while impersonating, but using junctions there is still a TOCTOU .. meaning we can get it to copy any file as SYSTEM, and the destination file will always be readable. This results an in arbitrary file read vulnerability.
Poc/bugDescription/sorce code
1.5к btc only )))
Calling this function will result in a file copy by the installer service.
This will copy an arbitrary file that we can control with the first parameter into c:\windows\installer … a check gets done while impersonating, but using junctions there is still a TOCTOU .. meaning we can get it to copy any file as SYSTEM, and the destination file will always be readable. This results an in arbitrary file read vulnerability.
Poc/bugDescription/sorce code
1.5к btc only )))
