Microsoft DirectX End-User Runtime Web Installer Privilege Escalation Vulnerability
Vulnerability
A privilege escalation vulnerability has been identified in the Microsoft DirectX End-User Runtime Web Installer version 9.29.1974.0. The installer runs with high integrity, but during installation a low-privilege user can replace an executable file in a temporary folder. The installer then executes the replaced file with high integrity, potentially leading to unauthorized elevation of privileges. By manipulating the installation process in this way, a standard user could execute code with system-level rights.
Impact
Exploitation of this vulnerability allows a low-privilege user to execute code with high integrity, which can be escalated to system level by registering and executing a service, creating a complete privilege escalation chain from standard user to system.
Reproduction
The vulnerability can be reproduced by downloading and running the Microsoft DirectX End-User Runtime Web Installer version 9.29.1974.0. During the installation process, a low-privilege user can replace the 'dxwsetup.exe' file in the temporary installation folder with a malicious executable. Once the installer completes the installation, it will execute the replaced 'dxwsetup.exe' file with high integrity privileges, allowing the execution of arbitrary code with elevated rights.
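A defender-side detection for the sequence described above, as an added example that is not part of the original advisory: it correlates simplified Sysmon-style process-create (Event ID 1) and file-create (Event ID 11) records to flag an elevated launch of a file that was last written by an unprivileged process. The records, the paths other than the `dxwsetup.exe` file name, the GUIDs and the function name are constructed for illustration.

```python
from ntpath import normcase  # Windows path rules (case-insensitive) on any OS

ELEVATED = {"High", "System"}
UNPRIVILEGED = {"Low", "Medium"}

# Constructed, simplified records. Field names follow Sysmon Event ID 1
# (Process Create) and Event ID 11 (FileCreate); paths and GUIDs are made up.
EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:00.000", "ProcessGuid": "{installer}",
     "Image": r"C:\Downloads\installer.exe", "IntegrityLevel": "High"},
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:01.000", "ProcessGuid": "{user-proc}",
     "Image": r"C:\Users\user\tool.exe", "IntegrityLevel": "Medium"},
    {"EventID": 11, "UtcTime": "2024-01-01 10:00:02.000", "ProcessGuid": "{installer}",
     "Image": r"C:\Downloads\installer.exe",
     "TargetFilename": r"C:\Temp\example\dxwsetup.exe"},
    {"EventID": 11, "UtcTime": "2024-01-01 10:00:03.000", "ProcessGuid": "{user-proc}",
     "Image": r"C:\Users\user\tool.exe",
     "TargetFilename": r"C:\TEMP\example\DXWSETUP.EXE"},
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:04.000", "ProcessGuid": "{child}",
     "Image": r"C:\Temp\example\dxwsetup.exe", "IntegrityLevel": "High"},
]


def find_replaced_elevated_launches(events):
    """Alert on elevated launches of a file last written by an unprivileged process."""
    integrity = {}    # ProcessGuid -> integrity level, learned from Event ID 1
    last_writer = {}  # normalised path -> (writer image, writer integrity)
    alerts = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev["EventID"] == 1:
            integrity[ev["ProcessGuid"]] = ev["IntegrityLevel"]
            writer = last_writer.get(normcase(ev["Image"]))
            if ev["IntegrityLevel"] in ELEVATED and writer and writer[1] in UNPRIVILEGED:
                alerts.append({"launched": ev["Image"],
                               "launch_integrity": ev["IntegrityLevel"],
                               "written_by": writer[0], "writer_integrity": writer[1]})
        elif ev["EventID"] == 11:
            # A writer with no recorded process-create event is kept as "Unknown"
            # and not alerted on here; triage those separately.
            level = integrity.get(ev["ProcessGuid"], "Unknown")
            last_writer[normcase(ev["TargetFilename"])] = (ev["Image"], level)
    return alerts


if __name__ == "__main__":
    for alert in find_replaced_elevated_launches(EVENTS):
        print(alert)
```

The last writer of a path decides the outcome, so a file that the elevated installer wrote and nobody else touched does not alert.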
