Another Windows Zero-Day Vulnerability Discovered that Allows Local Privilege Elevation


A proof-of-concept exploit for a new Windows zero-day local privilege escalation vulnerability has been disclosed; it can grant administrative privileges on Windows 10, Windows 11, and Windows Server.

https://github.com/klinix5/InstallerFileTakeOver

This proof of concept overwrites the DACL of the Microsoft Edge elevation service, copies itself to the service's location and executes it, thereby gaining elevated privileges.
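As an added defensive check (not code from the article or from Naceri's PoC), the PowerShell function below inspects the binary behind the Edge elevation service for the two artifacts the technique described above would leave: a DACL that grants write access to standard-user principals, and a binary that no longer carries a valid Microsoft Authenticode signature. The service name MicrosoftEdgeElevationService is assumed to be the one registered on the host.

```powershell
# Added defensive check, not part of the article or the PoC.
# Assumed: the Edge elevation service is registered as "MicrosoftEdgeElevationService".
function Test-ElevationServiceBinary {
    param([string]$ServiceName = 'MicrosoftEdgeElevationService')

    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { Write-Warning "Service $ServiceName not found"; return }

    # PathName may be quoted and may carry arguments; keep only the .exe path.
    $exe = ($svc.PathName -split ' ')[0]
    if ($svc.PathName -match '^"([^"]+)"') { $exe = $Matches[1] }

    # Principals that a "Standard" account is a member of.
    $lowPriv = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users',
                 'NT AUTHORITY\INTERACTIVE')
    # Any of these rights lets a user replace the service binary or its DACL.
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                 [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                 [System.Security.AccessControl.FileSystemRights]::ChangePermissions

    $acl = Get-Acl -LiteralPath $exe
    $badAces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $writeBits) -ne 0)
    }

    # The genuine binary is Microsoft-signed; a copied-in PoC is not.
    $sig = Get-AuthenticodeSignature -FilePath $exe
    $sigOk = $sig.Status -eq 'Valid' -and
             $sig.SignerCertificate.Subject -like '*Microsoft Corporation*'

    [pscustomobject]@{
        Service        = $ServiceName
        Binary         = $exe
        Owner          = $acl.Owner
        WritableByUser = [bool]$badAces
        OffendingAces  = ($badAces | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
        SignatureValid = $sigOk
        Signer         = $sig.SignerCertificate.Subject
        Suspicious     = ([bool]$badAces) -or (-not $sigOk)
    }
}

Test-ElevationServiceBinary | Format-List
```

A result with Suspicious set to True on a host where Edge has not just been updated is worth a closer look at the binary's hash and the installer event logs.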

We have tested this exploit and it appears that it was possible to open a command prompt with SYSTEM privileges from an account with only low-level “Standard” privileges.

This vulnerability allows threat groups with limited access to compromised devices to easily elevate their privileges and move laterally in the network.

This vulnerability affects all supported versions of Windows, including Windows 10, Windows 11, and Windows Server 2022.

Researchers find patched vulnerabilities can be bypassed

For Patch Tuesday, November 2021, Microsoft fixed the Windows Installer Elevation of Privilege Vulnerability, tracked as CVE-2021-41379.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379

This vulnerability was discovered by security researcher Abdelhamid Naceri, who, after validating Microsoft’s fix, discovered a bypass to the patch and a new, more powerful zero-day privilege escalation vulnerability.

Naceri has posted the POC for this new zero-day vulnerability on GitHub, explaining that it works on all supported versions of Windows.

This bug was not fixed correctly. Instead of removing the bypass, we removed this bug.

This variant is more powerful than the original one, so we decided to actually remove it.

Naceri further explained that it is possible to set a group policy to prevent “Standard” users from manipulating the MSI installer, but this zero-day bypasses this policy and works anyway.

We tested Naceri’s “InstallerFileTakeOver” exploit and it took only a few seconds to gain SYSTEM privileges from a test account with “Standard” privileges, as shown in the video below.

This test was performed with a fully up-to-date Windows 10 21H1 build 19043.1348 installed.

When we asked Naceri why he disclosed the zero-day vulnerability, he said he did so out of frustration with the diminishing rewards of Microsoft’s bug bounty program.

Microsoft’s bounties have been trashed since April 2020. I really wouldn’t have done that if MSFT hadn’t decided to downgrade the bounties.

Naceri is not the only researcher concerned about the reduction in bug bounties.

As is often the case with zero-days, Microsoft is likely to fix this vulnerability in a future Patch Tuesday update.

However, Naceri warns that trying to fix the vulnerability by patching the binary is not recommended, as it may break the installer.

The current best workaround is to wait for Microsoft to release a security patch, due to the complexity of this vulnerability.

If you try to patch the binary directly, it will break the Windows installer. So it’s better to wait and see how Microsoft screws up the patch again.
