Once a software is successfully installed on the system, one or more trusted MSI files will appear in the “C:\Windows\Installer” folder and may allow a low privilege user to perform “repair” and/or “modify” actions as the “NT Authority\System” user without requiring UAC. By using the “msiexec.exe” program with the “/forcerestart” flag, if an attacker successfully performs the “repair” action, the target system will be restarted.

Note: Several MSIs may require Admin authentication even for the repair procedure, but these are usually the exception, not the norm (e.g. Vmware Tools).

Restarting a Windows server as a low privilege user may be useful when:

• Performing local privilege escalation attacks that may crash a service (e.g. buffer overflow attacks), in order to forcefully restart the respective service in case it becomes unresponsive
• Modifying/Writing a configuration file, DLL and/or executable that requires a service/the system to be restarted in order for the changes to take effect (e.g. DLL Search order attack)
• Potential DoS via contionusly restarting the target

Neither Microsoft nor I consider this to be a high impact vulnerability by itself, so, no CVE was needed.

With that being said, I find the vulnerability to be rather interesting and hope it is useful to somebody that stumbles upon this repo.

This vulnerability requires:

• Local access on the target system
• One or more usable MSIs to have been installed on the target

More details and the exploitation process can be found in this PDF.

• This vulnerability was initially reported to https://msrc.microsoft.com/ on 18-May-2022
• Vulnerability was considered a non-issue
• Retested the vulnerability on 23-Jan-2024 and noticed that the vulnerability still works on the newest versions of Windows 11 (OS Build: 22621.3007)
• Publically disclosed the vulnerability on 03-Feb-2024