Vulnerability Analysis

MSI Analyzer – Analyzing Windows Installer Files For Vulnerabilities

This Python script for Linux can analyze Microsoft Windows *.msi Installer files and point out potential vulnerabilites. It was developed by Michael Baer (@derbaer0) in the SEC Consult Vulnerability Lab.

Currently, it is mostly suited for a local privilege escalation also described in our blog post.

The script can also be used to get an overview of an installer and identify potential weaknesses.

Keep In Mind

  • This script is work in progress.
  • It is not perfect, but hopefully covers many installers correctly. Please create a github issue in case you encounter one with a wrong verdict.
    • false-negatives (if the console application is only indirectly started from the installer)
    • “false-positives” (same actions are executed conditionally. The script shows the condition but does not evaluate it)
  • This script is NOT secured against malicious installers.

Installation

You need some python packages. sqlite3, termcolor, maybe more. Otherwise, no installation is required. Just run the script from the main folder.

Install the (apt) package msitools. It contains msiinfo and msiextract that are needed as well.

sudo apt install msitools

How To Use

  • python msiscan.py <Installer>
  • Or if you want to check a whole directory: ./runall.sh <directory>

Now scan the result for unusual colors (red) for quick wins. Advise: If there is something red, repair it with ProcMon and do the manual approach.

There will be errors. Just ignore them. The analysis tries to continue if possible.

If you see a red line in the beginning Repairmode disabled ..., you will not be able to trigger the repair function.

Now, a few explanations to understand the output if you want to invest some time in deeper analysis:

  • Rating My guess, how likely it will be exploitable. This also defines the color.
  • Difficulty My guess on how much effort it takes to find a vulnerability. E.g., HARD = Binary Reversing.
  • Green line “Action only invoked upon”: This action is only invoked when the condition is true. E.g. “Not Installed” is only executed, when the software is not yet installed = during the installation, but not the repair. You are out of luck unless you can force the installation to take place. (Note: It feels like sometimes these conditions do not match reality somehow. But I could not figure this out yet).
  • Orange: There is script code. If you have some time, look there for fishy actions. Or invocation of binaries (CreateObject ("WScript.Shell")).
  • Blue: Method from the WiX toolset. Probably safe (but should be differentiated and investigated further).
  • Cyan: Most common color. Normally they invoke GUI programs or DLL functions. No quick win is expected here.
Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Understanding the Model Context Protocol (MCP) and How It Works

Introduction to the Model Context Protocol (MCP) The Model Context Protocol (MCP) is an open…

6 days ago

The file Command – Quickly Identify File Contents in Linux

While file extensions in Linux are optional and often misleading, the file command helps decode what a…

6 days ago

How to Use the touch Command in Linux

The touch command is one of the quickest ways to create new empty files or update timestamps…

6 days ago

How to Search Files and Folders in Linux Using the find Command

Handling large numbers of files is routine for Linux users, and that’s where the find command shines.…

6 days ago

How to Move and Rename Files in Linux with the mv Command

Managing files and directories is foundational for Linux workflows, and the mv (“move”) command makes it easy…

6 days ago

How to Create Directories in Linux with the mkdir Command

Creating directories is one of the earliest skills you'll use on a Linux system. The mkdir (make…

6 days ago