[German]A security researcher has found a 0-day vulnerability in Windows Installer that allows a local attacker to gain administrative privileges. The 'Windows Installer Elevation of Privilege' vulnerability CVE-2021-41379 has been patched in November 2021. But there is a workaround, the patch is ineffective. All Windows versions are affected, including Windows 10, that brand new Windows 11, and all Windows Server versions.
Advertising
I came across the following tweet from Will Dormann a few hours ago, which briefly touches on the problem and points to the findings of security researcher Abdelhamid Naceri.
In a follow-up tweet, a security researcher asks for details and receives the answer from Will Dormann that the exploitation follows a primitive strategy: A scheduled task is addressed, from which the privileges are inherited. During the next code execution, the process runs with the respective privileges.
If you need to avoid task scheduling, you can use the same proof of concept (POC) to create a file that does not exist in an otherwise protected location (e.g., c:\windows\wptsextensions.dll). Then this location lets an attacker drop whatever he wants, he just has to wait for the computer to reboot.
Advertising
Security researcher Abdelhamid Naceri has published the InstallerFile-Takeover exploit on Github. The variant of the vulnerability was discovered by him during the analysis of the patch CVE-2021-41379. This is because the original 'Windows Installer Elevation of Privilege' vulnerability CVE-2021-41379 was indeed patched in November 2021. However, the bug originally reported by Naceri was not properly fixed or remediated. Abdelhamid Naceri therefore immediately published a proof of concept (PoC) exploit to exploit the vulnerability.
The PoC overwrites the Microsoft Edge elevation service DACL, copies itself to the service's location and executes it to gain elevated privileges. While this technique doesn't work on every installation, according to Naceri, Windows installations such as Server 2016 and 2019 may not have the Elevation Service DACL.
Bleeping Computer colleagues have been in contact with Naceri, as they write here. When asked why he was making the 0-day vulnerability public, he said he was doing so out of frustration with Microsoft's declining bounties under its bug bounty program. Naceri commented:
Microsoft bounties have been on the decline since April 2020. I really wouldn't be doing this if MSFT hadn't made the decision to downgrade those bounties.
Bleeping Computer lists other security researchers in the article with similar statements. Malwaretech, for example, complains on Twitter, in Summer 2020 that a bug bounty has been slashed from $10,000 to $1,000. Another huffy security researcher was made similiar experiences with a Hyper-V vulnerability.
The question is how quickly Microsoft will react and whether a patch will be released in December 2021. Because all Windows client versions as well as the Windows server versions are affected by the vulnerability.
