Hi @ll,

<https://www.microsoft.com/en-us/software-download/windows11>
offers the "Windows 11 Installation Assistant" to unsuspecting users.

The link <https://go.microsoft.com/fwlink/?linkid=2171764>
underneath the first [Download Now] button forwards to
<https://download.microsoft.com/download/3/a/9/3a9e2fe1-96e7-4514-8744-f3a9731f91c7/Windows11InstallationAssistant.exe>

| C:\Users\Stefan\Downloads>curl.exe -q -I -L "https://go.microsoft.com/fwlink/?linkid=2171764";
| HTTP/1.1 302 Moved Temporarily
| Content-Length: 0
| Location: 
https://download.microsoft.com/download/3/a/9/3a9e2fe1-96e7-4514-8744-f3a9731f91c7/Windows11InstallationAssistant.exe
...
| HTTP/1.1 200 OK
| Content-Length: 4245056
| Content-Type: application/octet-stream
| Content-MD5: CxHl1wKGL9HpY/45rdPqgg==
| Last-Modified: Mon, 04 Oct 2021 21:14:30 GMT

According to this, Windows11InstallationAssistant.exe is quite new.
BUT:

| C:\Users\Stefan\Downloads>link.exe /dump /dependents /headers /loadconfig Windows11InstallationAssistant.exe
...
| OPTIONAL HEADER VALUES
|              10B magic # (PE32)
|            14.20 linker version

OUCH: the executable was built with an ANCIENT software development kit!

JFTR: the Windows 11 Media Creation Tool
      
<https://software-download.microsoft.com/download/pr/888969d5-f34g-4e03-ac9d-1f9786c69161/MediaCreationToolW11.exe>
      offered on the same web page shows "14.28 linker version",
      i.e. a current SDK!

|  Section contains the following load config:
|
|            000000AC size
...
|                0000 Dependent Load Flags

OUCH: the unexperienced junior programmers who built the executable
      exercise "vulnerability at large" instead of "defense in depth"!

See <https://docs.microsoft.com/en-us/cpp/build/reference/dependentloadflag>
plus <https://skanthak.homepage.t-online.de/detour.html>

JFTR: the Windows 11 Media Creation Tool offered on the same web page
      shows "0800 Dependent Load Flags", i.e. restricts loading of
      DLLs to Windows' system directory!

|  Image has the following dependencies:
|
|    ADVAPI32.dll
|    KERNEL32.dll
|    USER32.dll
|    msvcrt.dll
|    ole32.dll
|    RPCRT4.dll
|    SHELL32.dll
|    SHLWAPI.dll
|    Cabinet.dll
|    VERSION.dll
|    ntdll.dll
|    PSAPI.DLL
|    bcrypt.dll

OUCH: the executable depends on a bunch of "unknown" DLLs which the
      NT module loader will fetch from the application directory,
      typically the user's "Downloads" folder, instead from Windows'
      system directory!

See <https://capec.mitre.org/data/definitions/471.html>,
<https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>,
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> and
<https://blogs.technet.microsoft.com/srd/2014/05/13/load-library-safely/>

|    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
|      <security>
|         <requestedPrivileges>
|            <requestedExecutionLevel
|                level="requireAdministrator"

OUCH: the executable requires administrator privileges, i.e. the
      NT module loader will execute the dependent DLLs DllMain()
      entry points with administrative privileges before it calls
      the executables WinMain() entry point.


Demonstration:
~~~~~~~~~~~~~~

1. Fetch <https://skanthak.homepage.t-online.de/download/FORWARDX.CAB>
   (see <https://skanthak.homepage.t-online.de/minesweeper.html>
   for build instructions)

2. Extract the contents of the directory "10\i386" from within
   FORWARDX.CAB to your "Downloads" folder.

3. Visit <https://www.microsoft.com/en-us/software-download/windows11>,
   then fetch the "Windows 11 Installation Assistant" and save it
   in your "Downloads" folder.

4. Start the downloaded Windows11InstallationAssistant.exe per
   double-click, answer the UAC prompt and admire the dialog boxes
   displayed from the following DLLs loaded from the "Downloads"
   folder:
      bcrypt.dll
      PROPSYS.dll   (loaded by SHELL32.dll, UNSAFE!)
      CFGMGR32.dll  (loaded by windows.storage.dll, UNSAFE!)
      edputil.dll
      VAULTCLI.dll
      urlmon.dll
      iertutil.dll
      srvcli.dll
      netutils.dll
      
GAME OVER!

stay tuned, and far away from such vulnerable crap
Stefan Kanthak