The day has a 'y' in it, so it must be time for another zero day to drop for a Microsoft product. In this case, a local privilege-elevation vulnerability to gain control of fully patched Windows 10, 11, and Server systems up to the 2022 build.
Dubbed InstallerFileTakeOver by its author Abdelhamid Naceri, the proof-of-concept code was dropped onto the Microsoft-owned GitHub and, based on our testing, does indeed seem to work. We were able to fire up a shell running with SYSTEM privileges from a lowly standard user account.
To be clear, one does need to be logged into a Windows box to elevate one's privileges, and it looks like Edge also needs to be installed – which is hard to avoid in most modern Windows installations these days. All told, the proof of concept works depressingly well. No patches are available for this particular security hole.
CERT/CC vulnerability guru Will Dormann confirmed the bad news in a tweet:
Naceri discovered the security hole while looking into Microsoft's fix for CVE-2021-41379, a vulnerability he had disclosed to the Windows giant previously. "The bug," he said, "was not fixed correctly."
"While group policy by default doesn't allow standard users to do any MSI operation," Naceri said, "The administrative install feature thing seems to be completely bypassing group policy."
It's all a bit messy, and other researchers weighed in, confirming the issue as well as upending the scorn bucket over Microsoft and its attempt at patching the problem.
Can confirm this works, local priv esc. Tested on Windows 10 20H2 and Windows 11.— Kevin Beaumont (@GossiTheDog) November 22, 2021
The prior patch MS issued didn't fix the issue properly. https://t.co/OEdmtlMZvY
As for the original issue, CVE-2021-41379, the vulnerability was related to the Windows Installer service, which could be abused to delete files or directories. And yes, the vulnerability could be used to escalate privileges and execute code as SYSTEM.
- Patching Windows Server without needing to reboot is a handy feature – but it's only available on Azure
- Intel audio drivers give Windows 11 the blues and Microsoft Installer borked following security update
- Let us give thanks that this November, Microsoft has given us just 55 security fixes, two of which are for actively exploited flaws
- AMD reveals an Epyc 50 flaws – 23 of them rated high severity. Intel has 25 bugs, too
Naceri noted that the best workaround would be to wait for Microsoft to release a security patch for the problem, "due to the complexity of this vulnerability."
"Any attempt to patch the binary directly will break Windows Installer," he went on. "So you better wait and see how Microsoft will screw the patch again."
The Register contacted Microsoft regarding this vulnerability and will update should the IT goliath respond. ®
Proof-of-concept exploit code for a post-authentication remote-code execution hole (CVE-2021-42321) in Microsoft Exchange Server 2016 and 2019 has been released. Redmond patched this vulnerability earlier this month.