This is a technical writeup describing a race condition vulnerability in the Windows Installer (MSI) that allows capturing rollback scripts to achieve privilege escalation. The author details the timing window for exploiting the race condition and provides steps for reproduction, including the use of a custom tool (polarbear.exe) and ProcMon logs.
Classification
Writeup 90%
Target:
Windows Installer (MSI)
No auth needed
Prerequisites:
Access to an auto-elevating MSI installer in C:\Windows\Installer · Custom tool (polarbear.exe) and associated files (test.rbf, test.rbs) · Precise timing to win the race condition