Zero-day vulnerability could give an attacker admin access in Windows 11 and older
A security researcher has revealed a serious vulnerability affecting Windows 10, Windows 11 and Windows Server. By exploiting the vulnerability, an attacker would be able to easily gain administrative privileges on a victim's system.
The discovery and revelation were made by Abdelhamid Naceri, during his research on a Microsoft patch for another vulnerability tracked as CVE-2021-41379. He was able to bypass the patch for the Windows Installer Elevation of Privilege Vulnerability and also discovered another serious zero-day for which he has shared a proof-of-concept exploit.
- Want to know how to speed up Windows 11? Just wait...
- You can now download a free Windows 11 Enterprise virtual machine from Microsoft
- How to view saved Wi-Fi passwords in Windows 11
Writing about the exploit on GitHub, Naceri says: "this works in every supporting windows installation. Including Windows 11 and Server 2022 with November 2021 patch. As some of you might notice, this also works in server installations. While group policy by default doesn't allow standard users to do any msi operation. The administrative install feature thing seems to be completely bypassing group policy".
He goes on to explain:
This variant was discovered during the analysis of CVE-2021-41379 patch. the bug was not fixed correctly, however, instead of dropping the bypass. I have chosen to actually drop this variant as it is more powerful than the original one.
I have also made sure that the proof of concept is extremely reliable and doesn't require anything, so it works in every attempt. The proof of concept overwrite[s] Microsoft Edge elevation service DACL and cop[ies] itself to the service location and execute[s] it to gain elevated privileges. While this technique may not work on every installation, because windows installations such as server 2016 and 2019 may not have the elevation service. I deliberately left the code which take[s] over file open, so any file specified in the first argument will be taken over with the condition that SYSTEM account must have access to it and the file mustn't be in use. So you can elevate your privileges yourself.
As this is a zero-day vulnerability, there is no patch at the moment. Unfortunately, there is also no known workaround right now, but there is some advice: "The best workaround available at the time of writing this is to wait [for] Microsoft to release a security patch, due to the complexity of this vulnerability. Any attempt to patch the binary directly will break windows installer. So you better wait and see how Microsoft will screw the patch again".
The researcher finishes off by issuing a warning about another vulnerability, details of which will be revealed when Microsoft patches this first one:
While I was working on CVE-2021-41379 patch bypass. I was successfully able to product 2 msi packages, each of them trigger a unique behavior in windows installer service. One of them is the bypass of CVE-2021-41379 and this one. I decided to actually not drop the second until Microsoft patches this one. So Be ready !
More details are available over on GitHub.