I went through this again, trying to figure out what exactly is going on with the Windows Installer. It seems to me this is an exploit of the Windows Installer as much as an exploit of an application. The details of how the Windows Installer works gave me a few insights. The specific directory they mention renaming, I could not find any useful references to it. I know it's common for apps to check for unfinished installs, and if so, then do logic on this and that. It appears that's what Cisco does, and somehow, the program is able to hijack the Windows Installer service from that point. Meaning there is an exploit done on the Windows Installer.
And does this exploit on the Windows Installer service still exist? Seems to me this exploit tricks the Windows Installer service into obeying these commands and doing as it pleases, which it really probably should not be allowed to do? You have a low-trusted app which ends up escalating the privilege to the highest level, in cooperation with an app that checks for existing installations that are not finished.
Copyright © 2024 Rod Deluhery