A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that gives admin privileges in Windows 10, Windows 11, and Windows Server. Researchers have tested the exploit and used it to open a command prompt with SYSTEM privileges from an account with only low-level ‘Standard’ privileges.

Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help move laterally within the network. The vulnerability affects all supported versions of Windows, including Windows 10, Windows 11, and Windows Server 2022.

As part of the November 2021 Patch Tuesday, Microsoft fixed a ‘Windows Installer Elevation of Privilege’ vulnerability tracked as CVE-2021-41379. This vulnerability was discovered by security researcher Abdelhamid Naceri, who, after examining Microsoft’s fix, found a bypass for the patch and a more powerful new zero-day privilege elevation vulnerability.

Yesterday, Naceri published a working proof-of-concept exploit for the new zero-day on GitHub, explaining that it works on all supported versions of Windows. “This variant was discovered during the analysis of the CVE-2021-41379 patch. The bug was not fixed correctly, however, instead of dropping the bypass,” explains Naceri in his writeup, “I have chosen to actually drop this variant as it is more powerful than the original one.”

Furthermore, Naceri explained that while it is possible to configure group policies to prevent ‘Standard’ users from performing MSI installer operations, his zero-day bypasses this policy. Additional researchers tested Naceri’s ‘InstallerFileTakeOver’ exploit, and it took only a few seconds to gain SYSTEM privileges from a test account with ‘Standard’ privileges.
Naceri warned against trying to fix the vulnerability by patching the binary, as doing so will likely break the installer. “The best workaround available at the time of writing this is to wait for Microsoft to release a security patch, due to the complexity of this vulnerability,” explained Naceri.

Given the criticality of this vulnerability, organizations should install the security patch as soon as possible once it is released.