New Windows zero-day with public exploit lets you become an admin

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,605
I tried this exploit on my computer (with Edge + Defender + SWH), but it was very hard:
  1. The download was blocked by Edge and I had to use "keep anyway" 3 times until Edge allowed it.
  2. The file was detected by Defender and when allowed, the execution was blocked by SmartScreen.
  3. Next, I tried another attack vector and downloaded the sample in the ZIP archive. After opening the downloaded file from Edge the Explorer window was displayed, so I clicked the InstallerFileTakeOver to execute the exploit. The execution was blocked by SmartScreen and next by SRP in the user Temp folder (where the archive was unpacked).
  4. Finally, I manually unpacked the ZIP archive and clicked on InstallerFileTakeOver executable. It was blocked by SmartScreen. In this case, the file was blocked thanks to the Windows built-in unpacker which preserves the MOTW (file could be executed if I would use 7-ZIP).
The author noted that his exploit can bypass the Windows policy that restricts MSI Installer. So, I changed the SRP setup to allow EXE files but block MSI files and checked if the exploit can bypass SRP restrictions for MSI Installer. It did not. After executing InstallerFileTakeOver, it dropped the MSI file to the random subfolder in the user TEMP folder. The execution of this file was blocked by SRP and the exploit failed.
 
Last edited:

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
It seems that you have run pkg.msi file instead of the InstallerFileTakeOver.exe
It seems you are right :D I saw "Test" in the msi file name and jumped the gun.

new results with correct file. All kinds of barriers prevented it. I had to disable Defender's Real time scanning so that H_C SRP rules would block it.:


takeover02.png

takeover03.png


takeover.png


takeover04.png
 

South Park

Level 9
Verified
Well-known
Jun 23, 2018
441
I downloaded the test .exe in Firefox, which was instantly blocked by Windows Defender. However, WD couldn't finish cleanup and kept asking me to quick scan and then quarantine or delete the file manually (seven times before I gave up), even after a restart, effectively causing a denial of service. This has happened to me before with test files, including ones endorsed by Microsoft. I ultimately resolved the issue by replacing WD with another product I have a license for.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,605
I downloaded the test .exe in Firefox, which was instantly blocked by Windows Defender. However, WD couldn't finish cleanup and kept asking me to quick scan and then quarantine or delete the file manually (seven times before I gave up), even after a restart, effectively causing a denial of service. This has happened to me before with test files, including ones endorsed by Microsoft. I ultimately resolved the issue by replacing WD with another product I have a license for.
When doing the same with Edge and bypassing the Edge alerts, the file InstallerFileTakeOver.exe was downloaded to the Downloads folder as "Unconfirmed 257482.crdownload". The Defender alerted that the file InstallerFileTakeOver.exe was blocked. I looked at the threat history and chose to delete the file. But, "Unconfirmed 257482.crdownload" was not deleted. I used right-click option to scan the file by Defender and the file was rescanned and finally removed.
After some time I did the download the second time and the result was different. The file was blocked by Defender but Defender removed it automatically.

I think that such leftovers as "Unconfirmed 257482.crdownload" are probably automatically removed only after the malware signature is added to the offline database.

Edit.
In the case of Firefox the file is downloaded as InstallerFileTakeOver.exe and the file is locked by Defender (cannot be executed).
 
Last edited:

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
Edit.
In the case of Firefox the file is downloaded as InstallerFileTakeOver.exe and the file is locked by Defender (cannot be executed).
I see varying, inconsistent actions sometimes, although in the end, and most importantly, Defender and/or Smartscreen block/warns of the download. I tried the download with Firefox minutes ago, and Windows Security issued two consecutive warnings, and then when I tried to execute it from the Downloads folder, Smartscreen warned, and upon ignoring the warning (choosing Run anyway), a pop-up alerted the file was missing, so Defender deleted it either before I could execute it or when I executed it.

EDIT

Interesting. I tried the download a second time just for kicks and giggles, and I noticed Windows security doesn't warn until I actually opened the Downloads folder (I waited about a minute after download completed), so I guess Defender scans upon file or file location access? After the warning, it also deleted the file.

warning.png
 
Last edited:

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,264

0Patch has a patch for Windows "InstallerFileTakeOver" 0-day vulnerability, Microsoft has none​

There is a 0-day vulnerability for Windows, called InstallerFileTakeOver, which Microsoft has yet to address. The vulnerability was discovered by Abdelhamid Naceri, a security researcher, who discovered two other 0-day vulnerabilities in Windows this year already.

We mentioned the vulnerability in late November 2021 already here on this site. The issue was unpatched back then and Microsoft has yet to release a security update that addresses the vulnerability.

Micro-patching company 0Patch released a free patch for the issue this week that is available to all users. The micropatch that 0Patch released is available for the following operating systems:
  • Windows 10 version 1709 to 21H1.
  • Windows 7 ESU
  • Windows Server 2012, 2012 R2, 2016, 2019.
  • Windows Server 2008 R2 ESU
0Patch notes that non-ESU Windows 7 and Windows Server 2012 installations are not affected by the vulnerability. Windows Server 2022 and Windows 11 are likely also affected, but not officially supported by the company yet (hence no patch). Windows 8.1 was not analyzed because of low interest in the particular version of Windows.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top