SetupHijack is an open-source research utility designed to exploit vulnerabilities in Windows installer and update mechanisms, specifically targeting race conditions and insecure file handling. This tool is particularly useful for red teaming exercises and security research, as it allows users to intercept and replace installer-dropped payloads before they execute with elevated privileges. By doing so, SetupHijack enables full SYSTEM or Administrator compromise without requiring elevated permissions to run.
Functionality and Operation
SetupHijack operates by continuously scanning specified directories—such as %TEMP%, %APPDATA%, and %USERPROFILE%\Downloads—for new or modified installer files with extensions like .exe, .msi, and .bat. When it detects a target file, the tool atomically replaces it with a user-supplied payload, optionally preserving the original file as a .bak backup. If the privileged process executes the substituted payload before performing integrity checks, the attacker’s code runs under elevated rights.
Unlike methods that rely on file system notifications, SetupHijack employs high-frequency polling to minimize the duration of the race window, thereby increasing the likelihood of successful exploitation.
Exploitation of Race Conditions
According to Hacker House, SetupHijack also subverts Authenticode code-signing and installer trust models by integrating a hacked signing process using SignToolEx.exe and SignToolExHook.dll. This integration allows payloads to bear valid certificates and Authenticode timestamps, increasing the probability of bypassing digital signature verifications employed by many installers and operating system protections.
Building and Execution
Building SetupHijack is straightforward with Microsoft’s build utilities. The default execution scans common drop locations using SetupHijack.exe. Flags allow fine-tuning of scan targets, and additional modes include:
– clean: Restores .bak backups across enabled directories.
– verbose: Logs all actions, including successful payload substitutions.
For remote escalation on multi-user systems, SetupHijack can run alongside tools like shadow.exe under a compromised user account, standing by until an administrative installer process is launched.
Security Implications
While SetupHijack is intended solely for authorized testing and research, it underscores a critical weakness in many Windows installer processes that trust files in world-writable directories. Organizations should enforce stricter file-drop locations, implement robust integrity checks, and leverage secure coding practices to prevent time-of-creation/time-of-use (TOCTOU) attacks. Additionally, signing installers with hardware-protected certificates and performing runtime signature validations can mitigate this class of exploitation.
As supply-chain and installer security become increasingly targeted, tools like SetupHijack serve as both a warning and an opportunity to harden deployment workflows against sophisticated race-condition exploits.
