SandboxEscaper
@SandboxBear
C:\config.msi, if created by windows installer, a reg key is made that is used as a security check. If you prevent that reg key from being deleted at cleanup and create that folder as user, you got an LPE. No junctions needed to abuse config.msi/rollback scripts btw.
11:58 AM · Dec 22, 2020·Twitter for Android
10
 Retweets
48
 Likes
SandboxEscaper
@SandboxBear
·
1h
Replying to 
@SandboxBear
I couldnt convince folks that this is a security issue. So whatever.
⛧ɉªɳ ҎʘΰⱠᶊᶓא⛧
@Jan0fficial
·
1h
Replying to 
@SandboxBear
So if you pack malware as .msi installer and spoof creator.. you could probably do all kind of crazy shit
SandboxEscaper
@SandboxBear
·
1h
No, this is about hijacking rollback scripts. Run the /fa (repair flag) on installers in c:/windows/installer and check procmon. You will see config.msi. You can take control of this folder and provide fake rollback scripts, doing malicious actions.