A New Microsoft Windows Installer Zero-day Is Exploited
Malicious Actors Could Use a Proof-of-concept Exploit Targeting a New Microsoft Windows Installer Zero-day.
Abdelhamid Naceri, a security researcher, made the zero-day in question public. He identified the flaw through an examination of the CVE-2021-41379 fix. It appears that the problem was not properly repaired.
I have also made sure that the proof of concept is extremely reliable and doesn’t require anything, so it works in every attempt. The proof of concept overwrite Microsoft Edge elevation service DACL and copy itself to the service location and execute it to gain elevated privileges.
While this technique may not work on every installation, because windows installations such as server 2016 and 2019 may not have the elevation service. I deliberately left the code which take over file open, so any file specified in the first argument will be taken over with the condition that SYSTEM account must have access to it and the file mustn’t be in use. So you can elevate your privileges yourself.
The best workaround available at the time of writing this is to wait Microsoft to release a security patch, due to the complexity of this vulnerability. Any attempt to patch the binary directly will break windows installer. So you better wait and see how Microsoft will screw the patch again.
Final note, while I was working on CVE-2021-41379 patch bypass. I was successfuly able to product 2 msi packages, each of them trigger a unique behaviour in windows installer service. One of them is the bypass of CVE-2021-41379 and this one. I decided to actually not drop the second until Microsoft patch this one.
So Be ready !
The vulnerability is a local privilege escalation bug discovered as a workaround for a patch Microsoft provided during Patch Tuesday in November 2021 to solve CVE-2021-41379.
Naceri released a successful proof-of-concept attack for this new zero-day on Sunday, claiming that it works on all supported Windows versions.
This bypass grants attackers SYSTEM rights on up-to-date systems running the latest Windows versions, including Windows 10, Windows 11, and Windows Server 2022, if properly exploited.
SYSTEM privileges are the highest level of user rights granted to a Windows user, allowing them to execute any operating system command.
The journalists at BleepingComputer were the ones that got in touch with a Microsoft spokesperson:
We are aware of the disclosure and will do what is necessary to keep our customers safe and protected. An attacker using the methods described must already have access and the ability to run code on a target victim’s machine.