An exploit for a new Windows zero-day local privilege elevation vulnerability that grants admin rights in Windows 10, Windows 11, and Windows Server has been publicly revealed by a security researcher.
BleepingComputer tested the vulnerability and used it to open a command prompt with SYSTEM privileges from a user account that had only ‘Standard’ privileges.
Threat actors who already have limited access to a compromised device can use this vulnerability to elevate their privileges, which in turn helps them spread laterally within the network.
All supported versions of Windows, including Windows 10, Windows 11, and Windows Server 2022, are vulnerable.
Microsoft addressed CVE-2021-41379, a ‘Windows Installer Elevation of Privilege Vulnerability’, as part of the November 2021 Patch Tuesday.
After reviewing Microsoft’s update, security researcher Abdelhamid Naceri uncovered a bypass to the patch as well as a more potent new zero-day privilege escalation issue.
Naceri posted a successful proof-of-concept exploit for the new zero-day on GitHub yesterday, claiming that it works on all supported Windows versions.
“This variant was discovered during the analysis of CVE-2021-41379 patch. The bug was not fixed correctly, however, instead of dropping the bypass,” explains Naceri in his writeup. “I have chosen to actually drop this variant as it is more powerful than the original one.”
Furthermore, while group policies can be configured to block ‘Standard’ users from executing MSI installation operations, Naceri’s zero-day exploit bypasses this policy and still works.
BleepingComputer tested the ‘InstallerFileTakeOver’ exploit; it took only a few seconds to obtain SYSTEM privileges from a test account with ‘Standard’ privileges, as shown in the video below.
The test was run on a fresh installation of Windows 10 21H1 build 19043.1348.
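The article reports only the observable outcome of the exploit: a cmd.exe running as SYSTEM on a machine where the interactive user is a Standard account. Below is an added hunting example (not part of the article, and not Naceri's exploit code) that turns that outcome into a check over Security event 4688 (process creation). The parent-process allowlist, the heuristic that a SYSTEM cmd.exe with an unexpected parent is worth a look, and the sample events are all constructed assumptions for illustration; the article does not document the exploit's process tree, so the rule must be tuned against your own baseline. It requires "Audit Process Creation" and, for the CommandLine field, "Include command line in process creation events" to be enabled.

```powershell
# Added example, not from the article or the InstallerFileTakeOver repository.
# Hunts Security event 4688 for cmd.exe started as SYSTEM (S-1-5-18) by a
# parent that is not one of the usual service hosts. The allowlist below is an
# assumption; extend it with whatever legitimately spawns SYSTEM shells in
# your environment (SCCM, management agents, scheduled tasks, ...).

function Get-ProcessCreationEvents {
    param([int] $MaxEvents = 5000)
    # Pull 4688 events from the local Security log and flatten the EventData
    # fields we need into plain objects.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                 -MaxEvents $MaxEvents -ErrorAction Stop |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            TimeCreated       = $_.TimeCreated
            SubjectUserSid    = $data['SubjectUserSid']
            SubjectUserName   = $data['SubjectUserName']
            NewProcessName    = $data['NewProcessName']
            CommandLine       = $data['CommandLine']
            ParentProcessName = $data['ParentProcessName']
        }
    }
}

function Find-SuspiciousSystemShell {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # Assumed allowlist of parents that normally launch SYSTEM cmd.exe.
        [string[]] $ExpectedParents = @('services.exe', 'svchost.exe', 'wininit.exe')
    )
    foreach ($e in $Events) {
        $isCmd    = $e.NewProcessName -match '\\cmd\.exe$'
        $isSystem = $e.SubjectUserSid -eq 'S-1-5-18'
        # Take the file name regardless of slash direction.
        $parent   = ($e.ParentProcessName -split '[\\/]')[-1]
        $known    = $ExpectedParents -contains $parent
        if ($isCmd -and $isSystem -and -not $known) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Parent  = $e.ParentProcessName
                Command = $e.CommandLine
            }
        }
    }
}

# Constructed sample events so the filter can be exercised without a live log.
# The third event models the outcome the article describes (SYSTEM cmd.exe on
# a box whose interactive user is a Standard account); its parent is a
# made-up placeholder, not a claim about how the real exploit spawns it.
$sampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2021-11-22 10:00:01'; SubjectUserSid = 'S-1-5-18'
        SubjectUserName = 'SYSTEM'; NewProcessName = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c whoami'; ParentProcessName = 'C:\Windows\System32\services.exe' },
    [pscustomobject]@{ TimeCreated = '2021-11-22 10:00:05'; SubjectUserSid = 'S-1-5-21-1-2-3-1001'
        SubjectUserName = 'stduser'; NewProcessName = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe'; ParentProcessName = 'C:\Windows\explorer.exe' },
    [pscustomobject]@{ TimeCreated = '2021-11-22 10:00:09'; SubjectUserSid = 'S-1-5-18'
        SubjectUserName = 'SYSTEM'; NewProcessName = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe'; ParentProcessName = 'C:\Temp\placeholder-parent.exe' }
)

# Only the third sample event should be reported.
Find-SuspiciousSystemShell -Events $sampleEvents | Format-Table -AutoSize

# Against a real host (run elevated, and only after tuning the allowlist):
# Find-SuspiciousSystemShell -Events (Get-ProcessCreationEvents) | Format-Table -AutoSize
```

A SYSTEM shell with an unexpected parent is a signal, not proof; expect legitimate hits from management agents and scheduled tasks until the allowlist reflects your environment, and pair the rule with the Sysmon or EDR process telemetry you already collect.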
When we asked Naceri why he publicly disclosed the zero-day vulnerability, he said it was due to his unhappiness with the declining compensation offered by Microsoft’s bug bounty program.
“Microsoft bounties have been trashed since April 2020, I really wouldn’t do that if MSFT didn’t take the decision to downgrade those bounties,” explained Naceri.
Naceri isn’t alone in his dissatisfaction with what researchers believe is a decrease in bug bounty rewards.
https://twitter.com/MalwareTechBlog/status/1287848085243060224
“BE CAREFUL! Microsoft will reduce your bounty at any time! This is a Hyper-V RCE vulnerability that can be triggered from a Guest Machine, but it is just eligible for a $5000.00 bounty award under the Windows Insider Preview Bounty Program. Unfair! @msftsecresponse @msftsecurity” – rthhh (@rthhh17), November 9, 2021
“We are aware of the disclosure and will do what is necessary to keep our customers safe and protected. An attacker using the methods described must already have access and the ability to run code on a target victim’s machine.” – a Microsoft spokesperson.
Microsoft will most likely fix the vulnerability in an upcoming Patch Tuesday release, as is customary with zero-days.
However, according to Naceri, third-party patching vendors should not try to fix the vulnerability by patching the Windows Installer binaries directly, because doing so will most likely break Windows Installer.