The day has a ‘y’ in it, so it must be time for another zero day to drop for a Microsoft product. In this case, it’s a local privilege-elevation vulnerability that can be used to gain control of fully patched Windows 10, 11, and Server systems up to the 2022 build.
Dubbed InstallerFileTakeOver by its author Abdelhamid Naceri, the proof-of-concept code was dropped onto the Microsoft-owned GitHub and, based on our testing, does indeed seem to work. We were able to fire up a shell running with SYSTEM privileges from a lowly standard user account.
To be clear, one does need to be logged into a Windows box to elevate one’s privileges, and it looks like Edge also needs to be installed – which is hard to avoid in most modern Windows installations these days. All told, the proof of concept works depressingly well. No patches are available for this particular security hole.
CERT/CC vulnerability guru Will Dormann confirmed the bad news in a tweet:
Yeah, this LPE indeed works fine on a fully-patched Windows 11 system. https://t.co/7v0oXSZrnM pic.twitter.com/kvvISKabeG
— Will Dormann (@wdormann) November 22, 2021
Naceri discovered the security hole while looking into Microsoft’s fix for CVE-2021-41379, a vulnerability he had disclosed to the Windows giant previously. “The bug,” he said, “was not fixed correctly.”
That’s something of a theme for Microsoft of late, as anyone who suffered from PrintNightmare and its siblings will attest.
“While group policy by default doesn’t allow standard users to do any MSI operation,” Naceri said, “The administrative install feature thing seems to be completely bypassing group policy.”
It’s all a bit messy, and other researchers weighed in, confirming the issue as well as upending the scorn bucket over Microsoft and its attempt at patching the problem.
Can confirm this works, local priv esc. Tested on Windows 10 20H2 and Windows 11.
The prior patch MS issued didn’t fix the issue properly. https://t.co/OEdmtlMZvY
— Kevin Beaumont (@GossiTheDog) November 22, 2021
As for the original issue, CVE-2021-41379, the vulnerability was related to the Windows Installer service, which could be abused to delete files or directories. And yes, the vulnerability could be used to escalate privileges and execute code as SYSTEM.
Naceri noted that the best workaround would be to wait for Microsoft to release a security patch for the problem, “due to the complexity of this vulnerability.”
“Any attempt to patch the binary directly will break Windows Installer,” he went on. “So you better wait and see how Microsoft will screw the patch again.”
The Register contacted Microsoft regarding this vulnerability and will update should the IT goliath respond. ®