{"vuid":"VU#228297","idnumber":"228297","name":"Microsoft Windows MsiAdvertiseProduct function vulnerable to privilege escalation via race condition","keywords":[""],"overview":"The Microsoft Windows MsiAdvertiseProduct function contains a race-condition vulnerability, which can allow an authenticated attacker to elevate privileges to read protected files.","clean_desc":"The Microsoft Windows MsiAdvertiseProduct function allows a Windows installer product to generate a script to advertise a product to Windows, which handles shortcut and registry information associated with an installed application. The MsiAdvertiseProduct function contains a race condition while performing checks, which can allow an attacker to read an arbitrary file which would otherwise be protected with filesystem ACLs. Exploit code for this vulnerability is publicly available.","impact":"By calling the MsiAdvertiseProduct function in a crafted way, an authenticated attacker may be able to read files that would otherwise be restricted through filesystem ACLs.","resolution":"The CERT/CC is currently unaware of a practical solution to this problem.","workarounds":"","sysaffected":"","thanks":"This vulnerability was publicly disclosed by SandboxEscaper.","author":"This document was written by Will Dormann.","public":["https://technet.microsoft.com/fr-fr/aa370056(v=vs.71)","https://www.bleepingcomputer.com/news/security/windows-zero-day-poc-lets-you-read-any-file-with-system-level-access/"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2018-12-20T20:30:16Z","publicdate":"2018-12-19T00:00:00Z","datefirstpublished":"2018-12-20T20:50:49Z","dateupdated":"2018-12-20T21:11:11Z","revision":11,"vrda_d1_directreport":"1","vrda_d1_population":"4","vrda_d1_impact":"2","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"L","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"N","cvss_availabilityimpact":"N","cvss_exploitablity":null,"cvss_remediationlevel":"U","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"H","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"4.6","cvss_basevector":"AV:L/AC:L/Au:S/C:C/I:N/A:N","cvss_temporalscore":"4.4","cvss_environmentalscore":"4.3333685472","cvss_environmentalvector":"CDP:ND/TD:H/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}