- Aug 2, 2020
- 549
Video in Source Link
New Windows zero-day with public exploit lets you become an admin
- Thread starter The_King
- Start date
- Apr 24, 2016
- 7,256
- Apr 5, 2021
- 620
It just looks like a malicious executable launched from user space. If so, what is the big deal? What I mean is, how is this any different from other exploits using this method?
- Jul 3, 2015
- 8,153
It gains admin privilege without being authorized to do so. That's the difference.
- Apr 5, 2021
- 620
Of course, I get what the end result is, but the point I'm trying to make is if one has decent security defenses in place, the exploit won't launch in the first place. This just looks like another over hyped run-of-the-mill security alert.
- Jul 3, 2015
- 8,153
- Apr 13, 2013
- 3,224
And that would depend on what is considered decent. Before it was released to industry to be added to the definition pool it would have been an issue; never was for CF, but still is for Cylance.
- Aug 2, 2020
- 549
I don't see what is stopping someone from going to an internet cafe. Running this malware of a usb, getting admin access then disabling any
security measures put in place. Installing a keylogger or somethings else and leaving.
Not really a over hyped security alert. There are many ways to hide malware like this from virus scanners. Once you have admin rights then all your security defenses are useless. like @Andy Ful said with admin rights everything is possible.
Combine this zero day with malware and get a standard users to run it will not be hard at all.
- Dec 23, 2014
- 8,510
It is the UAC bypass on SUA, so there is a real problem for any business network. Microsoft knows it and is going to fix it soon.
That is an advantage of using SUA compared to the default Admin account. When someone finds an exploit that uses the vulnerability of SUA, the exploit is usually fixed quickly.
If this would be a vulnerability related only to the default Admin account, then a similar vulnerability could wait for fixing a year or more.
Anyway, it is one of the most unimportant exploits for home users who normally update Windows. We will forget about it soon.
That is an advantage of using SUA compared to the default Admin account. When someone finds an exploit that uses the vulnerability of SUA, the exploit is usually fixed quickly.
If this would be a vulnerability related only to the default Admin account, then a similar vulnerability could wait for fixing a year or more.
Anyway, it is one of the most unimportant exploits for home users who normally update Windows. We will forget about it soon.
Last edited:
- Apr 5, 2021
- 620
Assuming you mean a public kiosk? If so, I would never use one of these for anything personal whatsoever, including email, banking, credit card, SIN, drivers license...the list goes on. Maybe for browsing sports or news websites, not much else.
Agreed, and I realize I should have been more specific regarding "decent" security. When I watched the demo video, I immediately thought of SRP or anti-executables such as Comodo fw, the former which I've used buitlt-in to Windows and now using included in Hard_Configurator. There's also anti-exploit tools such as OSArmor.
Last edited:
- Apr 5, 2021
- 620
But wouldn't any business that takes IT security seriously not depend on UAC to protect their environment from malicious activity, and instead utilize other, more advanced, likely 3rd-party, security practices to secure against these types of attacks? I know that my employer's IT team locks down our COE devices so thoroughly that I'd be shocked if anything malicious took a foothold and ran rampant thorough their network.
- Dec 23, 2014
- 8,510
There are many businesses that do not take IT security so seriously. Furthermore, there are many public institutions that can be easily targeted.
They often do not lock down the computers of higher-up employees.
- Aug 23, 2012
- 293
Looks like the PoC exploits Microsoft Edge's Elevation Service to elevate the payload as SYSTEM (local privilege escalation).
- Dec 23, 2014
- 8,510
The original POC is compiled to take over the Microsoft Edge elevation service DACL and copy itself to the service location and execute this copy to gain elevated privileges. This would allow a potential attacker to replace any executable file on the system with an MSI file, and run code as an administrator. But, the malware can be compiled to take over any similar file. The core of the exploit is related to Windows Installer vulnerability.
Last edited:
- Apr 5, 2021
- 620
I grabbed a Github Test exploit from here:
https://github.com/klinix5/InstallerFileTakeOver/find/main
...and tried to run it. I was actually first warned by Defender, so I chose "Run anyway" and then OSArmor blocked it.
EDIT
I meant Windows Defender Smartscreen
https://github.com/klinix5/InstallerFileTakeOver/find/main
...and tried to run it. I was actually first warned by Defender, so I chose "Run anyway" and then OSArmor blocked it.
EDIT
I meant Windows Defender Smartscreen
Last edited:
- Aug 2, 2020
- 549
VT detection is only 34/67
Avira , F-Secure and Malwarebytes still don't detect it, any reason for this @Andy Ful
Avira , F-Secure and Malwarebytes still don't detect it, any reason for this @Andy Ful
- Dec 23, 2014
- 8,510
It is a POC so the sample is not really dangerous. It will be probably added soon.VT detection is only 34/67
Avira , F-Secure and Malwarebytes still don't detect it, any reason for this @Andy Ful
- Jul 6, 2017
- 2,392
Take, the link from, https: //github.com/klinix5/InstallerFileTakeOver/find/main.
And download the exe, and F Secure blocks it immediately.
And download the exe, and F Secure blocks it immediately.
- Aug 2, 2020
- 549
This is probably the difference between online and offline protection.Take, the link from, https: //github.com/klinix5/InstallerFileTakeOver/find/main.
And download the exe, and F Secure blocks it immediately.
Most likely, Avira and Malwarebytes online protection would also block it.
- Dec 23, 2014
- 8,510
It seems that you have run pkg.msi file instead of the InstallerFileTakeOver.exe
Similar threads
