A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that gives admin privileges in Windows 10, Windows 11, and Windows Server.
BleepingComputer has tested the exploit and used it to open to command prompt with SYSTEM privileges from an account with only low-level 'Standard' privileges.
Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network.
The vulnerability affects all supported versions of Windows, including Windows 10, Windows 11, and Windows Server 2022.
Researcher releases bypass to patched vulnerability
As part of the November 2021 Patch Tuesday, Microsoft fixed a 'Windows Installer Elevation of Privilege Vulnerability' vulnerability tracked as CVE-2021-41379.
This vulnerability was discovered by security researcher Abdelhamid Naceri, who found a bypass to the patch and a more powerful new zero-day privilege elevation vulnerability after examining Microsoft's fix.
Yesterday, Naceri published a working proof-of-concept exploit for the new zero-day on GitHub, explaining that it works on all supported versions of Windows.
"This variant was discovered during the analysis of CVE-2021-41379 patch. the bug was not fixed correctly, however, instead of dropping the bypass," explains Naceri in his writeup. "I have chosen to actually drop this variant as it is more powerful than the original one."
Furthermore, Naceri explained that while it is possible to configure group policies to prevent 'Standard' users from performing MSI installer operations, his zero-day bypasses this policy and will work anyway.
BleepingComputer tested Naceri's 'InstallerFileTakeOver' exploit, and it only took a few seconds to gain SYSTEM privileges from a test account with 'Standard' privileges, as demonstrated in the video below.
The test was performed on a fully up-to-date Windows 10 21H1 build 19043.1348 install.
When BleepingComputer asked Naceri why he publicly disclosed the zero-day vulnerability, we were told he did it out of frustration over Microsoft's decreasing payouts in their bug bounty program.
"Microsoft bounties has been trashed since April 2020, I really wouldn't do that if MSFT didn't take the decision to downgrade those bounties," explained Naceri.
Naceri is not alone in his concerns about what researchers feel is the reduction in bug bounty awards.
Under Microsoft's new bug bounty program one of my zerodays has gone from being worth $10,000 to $1,000
— MalwareTech (@MalwareTechBlog) July 27, 2020
BE CAREFUL! Microsoft will reduce your bounty at any time! This is a Hyper-V RCE vulnerability be able to trigger from a Guest Machine, but it is just eligible for a $5000.00 bounty award under the Windows Insider Preview Bounty Program. Unfair! @msftsecresponse
— rthhh (@rthhh17) November 9, 2021
@msftsecurity pic.twitter.com/sJw3cjsliF
Microsoft told BleepingComputer that they are aware of the public disclosure for this vulnerability.
“We are aware of the disclosure and will do what is necessary to keep our customers safe and protected. An attacker using the methods described must already have access and the ability to run code on a target victim's machine.” – a Microsoft spokesperson.
As is typical with zero days, Microsoft will likely fix the vulnerability in an upcoming Patch Tuesday update.
However, Naceri warned that it is not advised for third-party patching companies to try and fix the vulnerability by attempting to patch the binary as it will likely break the installer.
"The best workaround available at the time of writing this is to wait Microsoft to release a security patch, due to the complexity of this vulnerability," explained Naceri.
"Any attempt to patch the binary directly will break windows installer. So you better wait and see how Microsoft will screw the patch again."
Since publishing this story, Cisco Talos researchers have discovered that threat actors have begun to abuse this vulnerability with malware.
"During our investigation, we looked at recent malware samples and were able to identify several that were already attempting to leverage the exploit," Cisco Talos' Head of Outreach Nick Biasini told BleepingComputer
"Since the volume is low, this is likely people working with the proof of concept code or testing for future campaigns. This is just more evidence on how quickly adversaries work to weaponize a publicly available exploit."
Update 11/23/21 - Added statement from Microsoft.
Update 11/24/21 - Updated story about the zero-day being used in malware attacks.
Comments
Some-Other-Guy - 2 years ago
I fail to understand why anyone would seek a bug bounty from Microsoft in the first place
They simply maintain Monopoly Control from your hard work so they don't have to work
Stop paying for your own enslavement!
GT500 - 2 years ago
A bug bounty is where a company (such as Microsoft) pays you for reporting a vulnerability. If you don't want to do it, then that's OK, because there are plenty of people who enjoy earning tons of money from companies for helping them discover their security issues.
Some-Other-Guy - 2 years ago
The complaints in the story indicate they are NOT making tons of money?
Didn't you read that far?
GT500 - 2 years ago
@Some-Other-Guy Microsoft has apparently reduced some of their payouts for reported vulnerabilities, however it didn't say all of them.
NoneRain - 2 years ago
https://www.microsoft.com/en-us/msrc/bounty?rtc=1
https://www.securityweek.com/microsoft-pays-50000-bounty-account-takeover-vulnerability
right
doriel - 2 years ago
Bug bounty has at least some revenue.. I agree with you and the worst is Windows "Insider" aka unpayed betatester. People are blind..
Parneverhood - 2 years ago
I guess ethics don't mean much to Naceri.
Some-Other-Guy - 2 years ago
Very True!
You have to guess that ethics don't mean much to Naceri.
With Microsoft, there is no need to guess
pjeganat - 2 years ago
This Exploit was unknown, Until You post it @BleepingComputer
fairtradesecurity - 2 years ago
You think threat actors are going to bleeping computer for their zero days? This article helps make defenders aware. @pjeganat
MisterVVV - 2 years ago
Closing your eyes will not mean that the Exploint does not exist.
In some ways, I think it is good that the information about Exploits is shown to the "public". This forces the responsible companies to act.
best regards
// MisterVVV
Dut - 2 years ago
No such vulnerability if you purged Edge from your system and use another browser
because it's an Edge elevation / update services exploit foremost.
And it's finally detected by the dumb Defender with all the fancy Cloud, ATP, Core Isolation..
..2 days later
https://www.reddit.com/r/firefox/comments/juo33k/how_was_mozilla_firefox_pushed_behind_edge_any/gci01e1/
herbman - 2 years ago
No such vulnerability if you purged Edge from your system
I would love to be able to get rid of "Edge" permanently but as usual MS keeps shoving it in our faces insisting that we like it .
If you know a way to permanently remove it and not have it come back please reveal the method.
Thank you kindly
Dut - 2 years ago
that linked reddit post works. it does not come back
doriel - 2 years ago
Switch to GNU/Linux and you wont be slave anymore. You dont need Windows. Windows needs you.
thisismebb22 - 2 years ago
The release build (32bit) from Naceri doesn't appear to work on a 64bit system unless IIS is installed. True for others testing the concept and how systems may be compromised?
SeZell - 2 years ago
Zero-day? Was it found being actively exploited in the wild?
No? Not a zero-day.
Lawrence Abrams - 2 years ago
A vulnerability does not have to be actively exploited to be a zero-day. It just needs to be publicly disclosed without an available patch.
As for it being abused, yes, it has now been detected used by malware.
https://www.bleepingcomputer.com/news/security/malware-now-trying-to-exploit-new-windows-installer-zero-day/
Oliver55h - 2 years ago
How can I stop my browser from redirecting .
This is a bounty account take over or something, someone reporting my device usage using targeted advertising, they are also on my google account , everything I do, he monitors and report it very wrongly causing me and my usage difficulty
zuluhutu - 2 years ago
Hello all,
is there a new CVE for this exploit, so that we can find it on Microsoft MSRC?
Also is there a security patch released for this?