Security researchers at Hacker House have released SetupHijack, a proof-of-concept tool that exploits race conditions and insecure file handling in Windows installers and updaters.
The utility demonstrates how attackers can hijack privileged setup processes to run malicious payloads with SYSTEM or Administrator rights.
Exploiting Race Conditions in Windows Installers
SetupHijack targets installers and updaters that drop files into world-writable locations such as %TEMP%, %APPDATA%, or the user’s Downloads folder.
Many installers write temporary executables, MSI packages, or batch scripts to these directories and then launch them with elevated privileges.
SetupHijack continuously polls these directories and, upon detecting a new or modified installer file, replaces it with an attacker-controlled payload before the installer executes integrity checks.
If the installer runs the swapped file, the payload executes with elevated rights, enabling full system compromise.
Installing and Building SetupHijack
Users can build SetupHijack on Windows using the provided Makefile and standard build tools. The build process involves:
- Defining the payload path in SetupHijack.cpp and compiling with nmake:
nmake PAYLOAD="C:\Path\to\payload.exe"
- Generating a signed MSI installer using a hacked code-signing process with SignToolEx.exe and SignToolExHook.dll.
- Running SetupHijack.exe in the background under a standard user account. No elevated privileges are required to launch the tool.
By default, SetupHijack scans %TEMP%, %APPDATA%\Roaming, and %USERPROFILE%\Downloads.
Flags such as -notemp, -noappdata, and -nodownloads narrow the set of directories watched. The clean option restores the backups of replaced files.
Example Attack Flow
A typical attack using SetupHijack proceeds as follows:
- Build Payload: Compile a malicious payload and sign it using a valid code-signing certificate.
- Start SetupHijack: Launch SetupHijack.exe before or during the privileged installer run.
- Trigger Installer: Run the target installer or updater as Administrator.
- Hijack File Drop: When the installer drops files (e.g., install.msi or setup.exe) into %TEMP%, SetupHijack detects and instantly replaces them with the signed payload, saving the original as a .bak file.
- Payload Execution: The installer executes the replaced file with elevated privileges. The payload runs as SYSTEM or Administrator.
- Cleanup (optional): Use the clean flag to restore original installer files and remove traces.
Using SetupHijack, the researchers successfully hijacked Zoom's update process by swapping the temporary executables it drops in %AppData%.
Over a short period, the tool replaced multiple Zoom installer files, demonstrating how a threat actor could persist within an environment and steal credentials or deploy ransomware.
By contrast, certain applications such as Visual Studio and Wireshark include robust hash and signature checks that defeat these race-condition attacks.
SetupHijack underscores the need for installers to implement atomic file operations, strict integrity checks, and limited use of world-writable directories.
System administrators should audit installation workflows, enforce least privilege, and consider monitoring for unauthorized file replacements.
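The two defensive measures above, the installer-side integrity check and administrator-side monitoring for replaced files, in a small added example. This is not code from Hacker House or the SetupHijack project; the staging directory, file names, contents and expected digest are constructed for the demonstration, and `ReplacementMonitor` is a hypothetical poller, not a real tool.

```python
# Added example, not code from Hacker House or the SetupHijack project.
# Two defender-side routines for the weakness the article describes:
#  1. verify_before_launch(): the installer-side integrity check, which
#     compares the SHA-256 of a dropped file against the digest embedded
#     in the installer at build time immediately before launching it.
#  2. ReplacementMonitor: an administrator-side poller that snapshots the
#     executable-like files in a staging directory and reports any file
#     whose contents changed between polls (a swapped installer component).
# File names, contents and digests below are constructed for the demo.
import hashlib
import hmac
import os
import tempfile

WATCHED_SUFFIXES = (".exe", ".msi", ".bat", ".cmd", ".ps1", ".dll")


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large MSI packages fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_before_launch(path: str, expected_sha256: str) -> bool:
    """Installer-side check: recompute the digest of the staged file at the
    moment it is about to be executed and refuse to launch on mismatch.
    Hashing right after the drop and launching later leaves exactly the
    window a polling tool exploits; the check belongs here. Staging in a
    directory the unprivileged user cannot write to closes the remaining gap."""
    return hmac.compare_digest(sha256_of(path), expected_sha256.lower())


class ReplacementMonitor:
    """Administrator-side detection: track the SHA-256 of every
    executable-like file under a directory and report replacements."""

    def __init__(self, directory: str):
        self.directory = directory
        self.baseline = self._snapshot()

    def _snapshot(self) -> dict:
        seen = {}
        for root, _dirs, files in os.walk(self.directory):
            for name in files:
                if name.lower().endswith(WATCHED_SUFFIXES):
                    full = os.path.join(root, name)
                    try:
                        seen[full] = sha256_of(full)
                    except OSError:
                        continue  # file vanished between listing and hashing
        return seen

    def poll(self) -> list:
        """Return (path, old_digest, new_digest) for files whose contents
        changed since the previous poll, then advance the baseline."""
        current = self._snapshot()
        events = [(p, self.baseline[p], d) for p, d in current.items()
                  if p in self.baseline and self.baseline[p] != d]
        self.baseline = current
        return events


def demo() -> dict:
    """Constructed scenario: an installer drops setup.exe into a staging
    directory, another process overwrites it, and both checks react."""
    with tempfile.TemporaryDirectory() as staging:
        dropped = os.path.join(staging, "setup.exe")
        genuine = b"MZ genuine installer stub (constructed)"
        with open(dropped, "wb") as fh:
            fh.write(genuine)
        expected = hashlib.sha256(genuine).hexdigest()  # known at build time
        monitor = ReplacementMonitor(staging)
        before_swap = verify_before_launch(dropped, expected)
        with open(dropped, "wb") as fh:  # the file is swapped underneath us
            fh.write(b"MZ attacker-controlled file (constructed)")
        after_swap = verify_before_launch(dropped, expected)
        events = monitor.poll()
        return {
            "before_swap": before_swap,
            "after_swap": after_swap,
            "replacements": [os.path.basename(p) for p, _old, _new in events],
        }


if __name__ == "__main__":
    print(demo())
```

The poller reports only files whose digest changed between two polls, so it will flag a swapped setup.exe but stays quiet while an installer writes a brand-new file; a real deployment would also alert on files that appear with an invalid or unexpected Authenticode signature.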