
New Windows Installer Zero-Day Flaw exploited in the Wild


Microsoft patched a Windows Installer elevation-of-privilege vulnerability, tracked as CVE-2021-41379, in its November Patch Tuesday release. Security researcher Abdelhamid Naceri discovered and reported the vulnerability. Surprisingly, he has since found that Microsoft's fix can be bypassed and leveraged to achieve local privilege escalation. Vulnerability management software can help keep such attacks at bay.

Cisco Talos stated that it has already detected malware samples actively attempting to exploit this newly discovered zero-day bug. The previously patched vulnerability only allowed an attacker to delete targeted files on a system, without granting any privilege to modify or view their contents. This zero-day flaw is considered more powerful: it can be used to replace any executable on the system with an MSI file and allows attackers to run any code as an administrator. A good vulnerability management tool can help prevent these attacks.


About the Zero-Day vulnerability:

The zero-day flaw was found during analysis of the patch for CVE-2021-41379. The researcher observed that the bug was not properly fixed and that the fix could be bypassed to gain administrator privileges. Once the fix is bypassed, an attacker holding a normal user account can elevate his privileges to administrator. The researcher successfully ran his PoC on a fully patched system: he overwrote the DACL (Discretionary Access Control List) of the Microsoft Edge Elevation Service and was also able to replace any executable file on the system with an MSI file. As a result, he could run any code on the system with administrative privileges. Although Microsoft assigned the previously patched CVE a CVSS base score of 5.5 and a temporal score of 4.8, rating its severity as medium, the issue is now being further abused following the researcher's release of the PoC.


PoC:

On November 22nd, Naceri published a proof-of-concept (PoC) on GitHub containing an executable named InstallerFileTakeOver.exe. According to him, it runs on every supported Windows version, even when fully patched. The PoC overwrites the DACL of Microsoft Edge's elevation service, copies itself to the service location, and executes it to gain elevated privileges. It may not work on Windows Server 2016 and 2019, as those do not have the elevation service installed. The image below shows the PoC running on a fully patched Windows 11 system, where it overwrites the access control list of "C:\Windows\system.ini" so that the user of the attacker's choosing holds administrative privileges over the file. Further, it can replace any executable file on the system with an MSI file, allowing an attacker to run any code as an administrator.

[Image: PoC execution on a fully patched Windows 11 system, rewriting the ACL of C:\Windows\system.ini. Credits: thehackernews]
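As an added defender-side check (not code from the original post or from the researcher's PoC), the script below looks for the two signs of tampering the post describes: a DACL on C:\Windows\system.ini or on the Edge elevation service binary that grants write-level rights to low-privilege principals, and an elevation service binary whose Authenticode signature is no longer valid. The service name MicrosoftEdgeElevationService is an assumption; the binary path is resolved from the service registration rather than hard-coded.

```powershell
# Added defender-side check, not code from the original post or from the PoC.
# Flags DACL entries on the files the post names that hand write-level rights
# to low-privilege principals, and an elevation service binary that no longer
# carries a valid signature (a PoC copy dropped in its place would not).
# ASSUMPTION: the service is registered as MicrosoftEdgeElevationService.

$lowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Rights that let a principal change the file or its permissions.
$writeMask = [System.Security.AccessControl.FileSystemRights] `
    'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership'

function Test-WeakDacl {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $grantsWrite = ($ace.FileSystemRights -band $writeMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and
            $lowPrivPrincipals -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# File the post names as having its ACL rewritten by the PoC.
$targets = @('C:\Windows\system.ini')

# Resolve the elevation service binary from the service registration instead
# of hard-coding a versioned path; absent on Server 2016/2019, as the post notes.
$svc = Get-CimInstance Win32_Service -Filter "Name='MicrosoftEdgeElevationService'"
if ($svc) {
    $bin = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    $targets += $bin
    # A PoC copy written over the service binary would not carry Microsoft's signature.
    $sig = Get-AuthenticodeSignature -FilePath $bin
    if ($sig.Status -ne 'Valid') { Write-Warning "$bin signature status: $($sig.Status)" }
}

$findings = @($targets | ForEach-Object { Test-WeakDacl -Path $_ })
if ($findings.Count) { $findings | Format-Table -AutoSize }
else { 'No write-level ACEs for low-privilege principals on the checked files.' }
```

Run it from an elevated prompt so Get-Acl can read every DACL; any row it prints, or any signature warning, is worth treating as a tampering indicator on a host in scope.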

Impact of CVE-2021-41379:

Successful exploitation of this zero-day vulnerability allows an attacker to abuse the access gained to take over the compromised system fully: download any software, and delete, modify, or obtain any sensitive information stored on the machine.


Versions affected by CVE-2021-41379

CVE-2021-41379 affects every supported version of Microsoft Windows, even when fully patched with the November Patch Tuesday updates installed.


Solution

As of the publication of this blog, Microsoft has not released a patch for this vulnerability, and no other fix information is available. No known workaround exists because of the complexity of the vulnerability: patching the binary directly would break Windows Installer. Microsoft is aware of the issue and is expected to address it soon with a security update.

We are tracking this issue and will update this post as soon as new information becomes available.