Researcher discovered a “more powerful” variant of an elevation-of-privilege flaw for which Microsoft released a botched patch earlier this month.
Attackers are actively exploiting a Windows Installer zero-day vulnerability that was discovered when a patch Microsoft issued for another security hole inadequately fixed the original & unrelated problem.
Over the weekend, security researcher Abdelhamid Naceri discovered a Windows Installer elevation-of-privilege vulnerability tracked as CVE-2021-41379 that Microsoft patched a couple of weeks ago as part of its Nov. Patch Tues. updates.
Found a Bypass
However, after examining the fix, Naceri found a bypass as well as an even more concerning zero-day privilege-elevation bug. The researcher posted a proof of concept (POC) exploit Tues. on GitHub for the newly discovered bug that he stated works on all currently supported versions of Windows.
If exploited, the POC, called InstallerFileTakeOver, gives a player administration privileges in Windows 10, Windows 11 & Windows Server when logged onto a Windows machine with Edge installed.
Research Confirms Exploit & Active Attacks
Researchers at Cisco Talos Security Intelligence & Research Group as well as others confirmed the POC can be reproduced as well as corroborating evidence that threat players were already exploiting the bug.
“This vulnerability affects every version of Microsoft Windows, including fully patched Windows 11 & Server 2022,” according to a post on the Cisco Talos blog by Jaeson Schultz, technical leader for Cisco Talos. “Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability.”
Other researchers also confirmed on Twitter that the POC functions as advertised to deliver local privilege escalation.
“Can confirm this works, local priv esc,” tweeted security researcher Kevin Beaumont, who stated he tested it on Windows 10 20H2 & Windows 11. “The prior patch MS issued didn’t fix the issue properly.”
Discovery & Details
As detailed by Microsoft, CVE-2021-41379 is a Windows Installer elevation of privilege vulnerability with a rating of low on the Common Vulnerability Scoring System.
“An attacker would only be able to delete targeted files on a system,” according to Microsoft’s notes on the flaw. “They would not gain privileges to view or modify file contents.”
However, Microsoft’s patch for the bug did not fix the vulnerability correctly, allowing Naceri to bypass it during his analysis of the patch, he said in his GitHub post of the POC.
However, that bypass was minimal compared to a variant of CVE-2021-41379 that he discovered during his research that is “more powerful than the original one,” which is why Naceri chose to publish a POC of that flaw instead, he wrote.
The code Naceri released uses the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator, Cisco Talos’ Schultz explained in his post.
Wait for the Patch
The associated POC works in every supporting windows installation, including Windows 11 & Server 2022 with the Nov. 2021 patch, as well as in server installations, Naceri wrote.
“While group policy by default doesn’t allow standard users to do any MSI operation, the administrative install feature thing seems to be completely bypassing group policy,” he wrote.
Due to the “complexity” of the vulnerability, Naceri explained that the best workaround available for the flaw at this time “is to wait Microsoft to release a security patch.
“Any attempt to patch the binary directly will break Windows installer,” he wrote, adding that those affected should “wait & see how Microsoft will screw the patch again” before taking any mitigation action.
A Microsoft spokesperson told Bleeping Computer that the company is aware of Naceri’s disclosure & “will do what is necessary” to keep customers “safe & protected,” according to a published report.
“An attacker using the methods described must already have access & the ability to run code on a target victim’s machine,” the spokesperson concluded, according to the report.