Microsoft recently patched a Windows Installer Elevation of Privilege vulnerability tracked as CVE-2021-41379 in its November Patch Tuesday release. The vulnerability was discovered and reported by security researcher Abdelhamid Naceri. Surprisingly, he has since found that the fix released by Microsoft can be bypassed and leveraged to achieve local privilege escalation. Cisco Talos stated that it has already detected malware samples actively attempting to take advantage of this newly discovered zero-day bug. The earlier patched vulnerability allowed an attacker to delete targeted files on a system but did not grant any privileges to modify or view the file contents. This zero-day flaw is considered more powerful, as it can be used to replace any executable on the system with an MSI file and can allow attackers to run any code as an administrator.
About the Zero-Day vulnerability:
The zero-day flaw was found during analysis of the patch for CVE-2021-41379. The researcher observed that the bug was not properly fixed and could be bypassed to gain administrator privileges. Once the fix is bypassed, an attacker holding any standard user account can elevate to administrator. When the researcher exploited his PoC on a fully patched system, he was able to overwrite the DACL (Discretionary Access Control List) of the Microsoft Edge Elevation Service, and he could also replace any executable file on the system with an MSI file. As a result, he was able to run any code on the system with administrative privileges. Although Microsoft assigned the previously patched CVE a CVSS base score of 5.5 and a temporal score of 4.8 (medium severity), the issue is now known to be actively abused following the release of the researcher's PoC.
On November 22nd, Naceri published a Proof-of-Concept (PoC) on GitHub containing an executable named InstallerFileTakeOver.exe. According to him, it runs on every supported, fully patched Windows version. The PoC overwrites the DACL of Microsoft Edge's elevation service, copies itself to the service location, and then executes it to gain elevated privileges. It may not work on Windows Server 2016 and 2019, as these do not have the elevation service installed. In the image below, the PoC is executed on a fully patched Windows 11 system, where it overwrites the access control list of the file "C:\Windows\system.ini" so that the chosen user is granted administrative-level control over it. Further, it can replace any executable file on the system with an MSI file, allowing an attacker to run any code as an administrator.
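The two files the PoC tampers with, the Edge elevation service binary and C:\Windows\system.ini, are good candidates for a DACL integrity check. The following PowerShell script is an added defensive example, not part of the original post or the researcher's PoC; it assumes the Edge elevation service is registered under the service name MicrosoftEdgeElevationService and reads the binary path from that service entry rather than hardcoding it. It flags any Allow ACE that grants write-class rights to Everyone, Authenticated Users or BUILTIN\Users, which is the kind of change a successful DACL overwrite would leave behind.

```powershell
# Added defensive check (not from the original post). Assumption: the Edge
# elevation service name is 'MicrosoftEdgeElevationService'.
$lowPrivSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-32-545'  # BUILTIN\Users
)
# Rights that would let a low-privileged principal alter the file or its DACL.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                   [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions)

function Test-LowPrivWriteAccess {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity; skip
        if (($lowPrivSids -contains $sid) -and
            ((([int]$ace.FileSystemRights) -band $writeMask) -ne 0)) {
            [pscustomobject]@{
                Path     = $Path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

$targets = @("$env:SystemRoot\system.ini")
$svc = Get-CimInstance Win32_Service -Filter "Name='MicrosoftEdgeElevationService'"
if ($svc -and $svc.PathName -match '^"?([^"]+\.exe)') { $targets += $Matches[1] }

$findings = $targets | ForEach-Object { Test-LowPrivWriteAccess -Path $_ }
if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Low-privilege principals hold write access on protected files; investigate.'
} else {
    "No low-privilege write access found on: $($targets -join ', ')"
}
```

Run it from a standard user session as well as an elevated one; reading a DACL needs no special rights, and a clean result from both confirms the check itself was not blocked.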
Successful exploitation of this zero-day vulnerability allows an attacker to fully take over the compromised system: install any software, and delete, modify or read any sensitive information stored on the machine.
This vulnerability affects every supported, fully patched version of Microsoft Windows, including systems with the November Patch Tuesday updates installed.
As of the publication of this blog, Microsoft has not released a patch for this vulnerability, and no other fix information is available. No workaround is known, as the complexity of the vulnerability means that patching the binary would break Windows Installer. Microsoft is aware of the issue and is expected to address it soon with a security update.
We are tracking this issue and will update this post as soon as new information becomes available.