cephurs

config.msi, if bearsrule

Dec 22nd, 2020
SandboxEscaper (@SandboxBear) · 11:58 AM · Dec 22, 2020 · Twitter for Android
C:\config.msi, if created by windows installer, a reg key is made that is used as a security check. If you prevent that reg key from being deleted at cleanup and create that folder as user, you got an LPE. No junctions needed to abuse config.msi/rollback scripts btw.
10 Retweets · 48 Likes

SandboxEscaper (@SandboxBear) · 1h · Replying to @SandboxBear
I couldn't convince folks that this is a security issue. So whatever.

⛧ɉªɳ ҎʘΰⱠᶊᶓא⛧ (@Jan0fficial) · 1h · Replying to @SandboxBear
So if you pack malware as .msi installer and spoof creator.. you could probably do all kinds of crazy shit

SandboxEscaper (@SandboxBear) · 1h
No, this is about hijacking rollback scripts. Run the /fa (repair flag) on installers in c:/windows/installer and check procmon. You will see config.msi. You can take control of this folder and provide fake rollback scripts, doing malicious actions.
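
A defender-side view of the thread above, as an added example that is not part of the original paste or the tweets: a filter that flags file activity in C:\Config.Msi coming from anything other than the Windows Installer service running as SYSTEM. The event field names (modeled on Sysmon-style file-create records), the sample records and the `.rbs` file name are constructed assumptions.

```python
import ntpath

# Assumption: events are dicts with Sysmon-style file-create fields
# (Image, TargetFilename, User). The sample records below are constructed.
WATCHED_DIR = r"C:\Config.Msi"
TRUSTED_IMAGES = {
    r"c:\windows\system32\msiexec.exe",
    r"c:\windows\syswow64\msiexec.exe",
}
TRUSTED_USER = r"nt authority\system"


def _norm(path):
    """Lower-case, backslash-separated, '..' collapsed, no trailing slash."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def in_watched_dir(path):
    p, root = _norm(path), _norm(WATCHED_DIR)
    # Match the folder itself or anything below it, but not C:\Config.Msi2.
    return p == root or p.startswith(root + "\\")


def suspicious_writes(events):
    """Return events touching the watched folder from outside the installer service."""
    hits = []
    for ev in events:
        if not in_watched_dir(ev["TargetFilename"]):
            continue
        trusted = (_norm(ev["Image"]) in TRUSTED_IMAGES
                   and ev["User"].lower() == TRUSTED_USER)
        if not trusted:
            hits.append(ev)
    return hits


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Image": r"C:\Windows\System32\msiexec.exe", "User": r"NT AUTHORITY\SYSTEM",
     "TargetFilename": r"C:\Config.Msi\1a2b3c.rbs"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\tool.exe", "User": r"LAB\alice",
     "TargetFilename": r"c:/config.msi/1a2b3c.rbs"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "User": r"LAB\alice",
     "TargetFilename": r"C:\Config.Msi"},
    {"Image": r"C:\Windows\explorer.exe", "User": r"LAB\alice",
     "TargetFilename": r"C:\Config.Msi2\notes.txt"},
]

if __name__ == "__main__":
    for ev in suspicious_writes(SAMPLE_EVENTS):
        print(ev["User"], ev["Image"], "->", ev["TargetFilename"])
```

Of the four sample records, the second and third are flagged: a user-context process writing into the folder, and the folder itself being touched under a non-SYSTEM account.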