Hi @ll, in <http://seclists.org/fulldisclosure/2013/Sep/132> I showed an elaborated way for privilege elevation using IExpress (and other self-extracting) installers containing *.MSI or *.MSP which works "in certain situations". Microsoft addressed this vulnerability with <https://technet.microsoft.com/library/security/ms14-049.aspx> In <http://seclists.org/fulldisclosure/2013/Oct/5> I showed an indirect way for privilege elevation using IExpress installers and "binary planting". But there's a direct way too: just call any IExpress installer (the Microsoft download center offers plenty of them) with a command line of your choice, for example CAPICOM-KB931906-v2102.exe /C:"%COMSPEC% /K Title PWNED!" Due to UACs installer detection the given command line is executed with full administrative privileges. stay tuned Stefan Kanthak PS: this attack vector can be (ab)used with WSUS(pect)! Using legitimate IExpress packages like CAPICOM-KB931906-v2102.exe, RvkRoots.exe (cf. <https://support.microsoft.com/en-us/kb/3050995>) or RootsUpd-KB931125-*.exe which are distributed per Windows Update has the advantage that the clients %SystemRoot%\WindowsUpdate.log and their %SystemRoot%\SoftwareDistribution\Download folder dont show telltale signs of 3rd party executables (as used/proposed by the authors of WSUSpect). JFTR: I *love* security fixes which are vulnerable themself.
