New Windows zero-day with public exploit lets you become an admin

The_King

Level 12
Thread author
Verified
Top poster
Well-known
Aug 2, 2020
533
A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that gives admin privileges in Windows 10, Windows 11, and Windows Server.

BleepingComputer has tested the exploit and used it to open to command prompt with SYSTEM privileges from an account with only low-level 'Standard' privileges.

Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network.

The vulnerability affects all supported versions of Windows, including Windows 10, Windows 11, and Windows Server 2022.

Researcher releases bypass to patched vulnerability​

As part of the November 2021 Patch Tuesday, Microsoft fixed a 'Windows Installer Elevation of Privilege Vulnerability' vulnerability tracked as CVE-2021-41379.

This vulnerability was discovered by security researcher Abdelhamid Naceri, who found a bypass to the patch and a more powerful new zero-day privilege elevation vulnerability after examining Microsoft's fix.

Yesterday, Naceri published a working proof-of-concept exploit for the new zero-day on GitHub, explaining that it works on all supported versions of Windows.

"This variant was discovered during the analysis of CVE-2021-41379 patch. the bug was not fixed correctly, however, instead of dropping the bypass," explains Naceri in his writeup. "I have chosen to actually drop this variant as it is more powerful than the original one."

Furthermore, Naceri explained that while it is possible to configure group policies to prevent 'Standard' users from performing MSI installer operations, his zero-day bypasses this policy and will work anyway.

BleepingComputer tested Naceri's 'InstallerFileTakeOver' exploit, and it only took a few seconds to gain SYSTEM privileges from a test account with 'Standard' privileges, as demonstrated in the video below.
Video in Source Link
 

Gandalf_The_Grey

Level 64
Verified
Honorary Member
Top poster
Content Creator
Well-known
Apr 24, 2016
5,346
Video in Source Link
Microsofts reply at the end of the Bleeping Computer article:
“We are aware of the disclosure and will do what is necessary to keep our customers safe and protected. An attacker using the methods described must already have access and the ability to run code on a target victim's machine.” – a Microsoft spokesperson.
 

wat0114

Level 8
Verified
Well-known
Apr 5, 2021
363
It gains admin privilege without being authorized to do so. That's the difference.

Of course, I get what the end result is, but the point I'm trying to make is if one has decent security defenses in place, the exploit won't launch in the first place. This just looks like another over hyped run-of-the-mill security alert.
 

The_King

Level 12
Thread author
Verified
Top poster
Well-known
Aug 2, 2020
533
Of course, I get what the end result is, but the point I'm trying to make is if one has decent security defenses in place, the exploit won't launch in the first place. This just looks like another over hyped run-of-the-mill security alert.
I don't see what is stopping someone from going to an internet cafe. Running this malware of a usb, getting admin access then disabling any
security measures put in place. Installing a keylogger or somethings else and leaving.

Not really a over hyped security alert. There are many ways to hide malware like this from virus scanners. Once you have admin rights then all your security defenses are useless. like @Andy Ful said with admin rights everything is possible.

Combine this zero day with malware and get a standard users to run it will not be hard at all.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,244
It is the UAC bypass on SUA, so there is a real problem for any business network. Microsoft knows it and is going to fix it soon.
That is an advantage of using SUA compared to the default Admin account. When someone finds an exploit that uses the vulnerability of SUA, the exploit is usually fixed quickly.:)
If this would be a vulnerability related only to the default Admin account, then a similar vulnerability could wait for fixing a year or more.:(

Anyway, it is one of the most unimportant exploits for home users who normally update Windows. We will forget about it soon.
 
Last edited:

wat0114

Level 8
Verified
Well-known
Apr 5, 2021
363
I don't see what is stopping someone from going to an internet cafe. Running this malware of a usb, getting admin access then disabling any
security measures put in place. Installing a keylogger or somethings else and leaving.

Not really a over hyped security alert. There are many ways to hide malware like this from virus scanners. Once you have admin rights then all your security defenses are useless. like @Andy Ful said with admin rights everything is possible.

Combine this zero day with malware and get a standard users to run it will not be hard at all.

Assuming you mean a public kiosk? If so, I would never use one of these for anything personal whatsoever, including email, banking, credit card, SIN, drivers license...the list goes on. Maybe for browsing sports or news websites, not much else.

And that would depend on what is considered decent. Before it was released to industry to be added to the definition pool it would have been an issue; never was for CF, but still is for Cylance.

Agreed, and I realize I should have been more specific regarding "decent" security. When I watched the demo video, I immediately thought of SRP or anti-executables such as Comodo fw, the former which I've used buitlt-in to Windows and now using included in Hard_Configurator. There's also anti-exploit tools such as OSArmor.
 
Last edited:

wat0114

Level 8
Verified
Well-known
Apr 5, 2021
363
It is the UAC bypass on SUA, so there is a real problem for any business network.

But wouldn't any business that takes IT security seriously not depend on UAC to protect their environment from malicious activity, and instead utilize other, more advanced, likely 3rd-party, security practices to secure against these types of attacks? I know that my employer's IT team locks down our COE devices so thoroughly that I'd be shocked if anything malicious took a foothold and ran rampant thorough their network.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,244
But wouldn't any business that takes IT security seriously not depend on UAC to protect their environment ..
There are many businesses that do not take IT security so seriously. Furthermore, there are many public institutions that can be easily targeted.:(
I know that my employer's IT team locks down our COE devices so thoroughly that I'd be shocked if anything malicious took a foothold and ran rampant thorough their network.
They often do not lock down the computers of higher-up employees.:)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,244
The original POC is compiled to take over the Microsoft Edge elevation service DACL and copy itself to the service location and execute this copy to gain elevated privileges. This would allow a potential attacker to replace any executable file on the system with an MSI file, and run code as an administrator. But, the malware can be compiled to take over any similar file. The core of the exploit is related to Windows Installer vulnerability.
 
Last edited:

wat0114

Level 8
Verified
Well-known
Apr 5, 2021
363
I grabbed a Github Test exploit from here:

https://github.com/klinix5/InstallerFileTakeOver/find/main

...and tried to run it. I was actually first warned by Defender, so I chose "Run anyway" and then OSArmor blocked it.

EDIT

I meant Windows Defender Smartscreen
 

Attachments

  • 11-26-2021.log
    544 bytes · Views: 89
Last edited:

bribon77

Level 35
Verified
Top poster
Well-known
Jul 6, 2017
2,415
Take, the link from, https: //github.com/klinix5/InstallerFileTakeOver/find/main.
And download the exe, and F Secure blocks it immediately.(y) Screenshot_2.png
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,244
I grabbed a Github Test exploit from here:

https://github.com/klinix5/InstallerFileTakeOver/find/main

...and tried to run it. I was actually first warned by Defender, so I chose "Run anyway" and then OSArmor blocked it.

EDIT

I meant Windows Defender Smartscreen
It seems that you have run pkg.msi file instead of the InstallerFileTakeOver.exe
 
  • Like
Reactions: Venustus
Top