{"id":19804,"date":"2021-05-07T00:10:00","date_gmt":"2021-05-06T22:10:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=19804"},"modified":"2022-06-27T09:19:41","modified_gmt":"2022-06-27T07:19:41","slug":"0patch-fixt-windows-installer-lpe-bug-cve-2021-26415","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2021\/05\/07\/0patch-fixt-windows-installer-lpe-bug-cve-2021-26415\/","title":{"rendered":"0patch fixes Windows Installer LPE-Bug (CVE-2021-26415)"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"margin: 0px 10px 0px 0px\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/?p=252868\" target=\"_blank\" rel=\"noopener\">German<\/a>]ACROS Security has released a micropatch for the CVE-2021-26415 vulnerability in Windows Installer. This vulnerability was patched by Microsoft in April 2021 via a security update. The 0patch solution is for people who do not have an ESU license.<\/p>\n<p><!--more--><\/p>\n<h2>The vulnerability CVE-2021-26415<\/h2>\n<p><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-26415\" target=\"_blank\" rel=\"noopener\">CVE-2021-26415<\/a> is an elevation-of-privilege vulnerability in Windows Installer. It allows local attackers to write data to arbitrary files on affected installations of Microsoft Windows. To exploit it, an attacker must first gain the ability to execute low-privilege code on the target system.  <\/p>\n<p>The specific flaw exists within the Windows Installer service. The issue results from the lack of proper validation of a user-supplied path before it is used in file operations. An attacker can exploit this vulnerability to escalate privileges and execute arbitrary code in the context of an administrator. 
The vulnerability is a classic symbolic link issue where a privileged process (in this case msiexec.exe) operates on a file (in this case the installer log file) that the attacker can \"redirect\" to another location where they do not have privileges to create or modify files.<\/p>\n<p>Microsoft has released security updates for Windows Server 2008 R2 through Windows Server 2004 and 20H2 as of April 13, 2021. However, Windows Server 2008 R2 systems will only receive this security update if a valid ESU license is in place. On April 21, security researcher Adrian Denkiewicz published a <a href=\"https:\/\/www.cloaked.pl\/2021\/04\/cve-2021-26415\/\" target=\"_blank\" rel=\"noopener\">detailed analysis<\/a> of the local privilege escalation vulnerability in Windows Installer, which was fixed in the April 2021 Windows Updates. Adrian's analysis included a proof-of-concept.&nbsp; <\/p>\n<h2>0patch Micropatch for Windows 7\/Server 2008 R2<\/h2>\n<p>Mitja Kolsek of ACROS Security points out in the following <a href=\"https:\/\/twitter.com\/0patch\/status\/1390313842534756356\" target=\"_blank\" rel=\"noopener\">tweet<\/a> that there is a micropatch for the vulnerability in Windows Installer for Windows 7 SP1 and Windows Server 2008 R2.  <\/p>\n<p><a href=\"https:\/\/twitter.com\/0patch\/status\/1390313842534756356\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"0patch fix for CVE-2021-26415\" alt=\"0patch fix for CVE-2021-26415\" src=\"https:\/\/i.imgur.com\/relkjJa.png\"><\/a>  <\/p>\n<p>The micropatch is available for systems running Windows 7 SP1 and Windows Server 2008 R2 that do not have Extended Security Updates (ESU) support from Microsoft, but have a 0patch Pro subscription (for 23 Euro+VAT\/year) &#8211; see also <a href=\"https:\/\/blog.0patch.com\/2021\/05\/another-windows-installer-local.html\" target=\"_blank\" rel=\"noopener\">this blog post<\/a>. 
Notes on how the 0patch agent works, which loads the micropatches into memory at runtime of an application, can be found in the blog posts (like <a href=\"https:\/\/www.borncity.com\/blog\/2020\/03\/05\/windows-7-mit-der-0patch-lsung-absichern-teil-2\/\">here<\/a>). <\/p>\n<p><strong>Similar articles:<br \/><\/strong><a href=\"https:\/\/borncity.com\/win\/2020\/03\/05\/windows-7-forcing-february-2020-security-updates-part-1\/\">Windows 7: Forcing February 2020 Security Updates<\/a> \u2013 Part 1<br \/><a href=\"https:\/\/borncity.com\/win\/2020\/03\/05\/windows-7-securing-with-the-0patch-solution-part-2\/\">Windows 7: Securing with the 0patch solution<\/a> \u2013 Part 2<br \/><a href=\"https:\/\/borncity.com\/win\/2020\/11\/08\/0patch-untersttzt-office-2010-nach-dem-supportende-mit-micropatch\/\">0patch supports Office 2010 with micro patches after the end of support (EOL)<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2019\/09\/22\/windows-7-server-2008-r2-0patch-liefert-sicherheitspatches-nach-supportende\/\">Windows 7\/Server 2008\/R2: 0patch delivers security patches after support ends<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/01\/30\/project-windows-7-server-2008-r2-life-extension-0patch-one-month-trial\/\">Project: Windows 7\/Server 2008\/R2 Life Extension &amp; 0patch one month trial<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/01\/21\/0patch-fix-for-internet-explorer-0-day-vulnerability-cve-2020-0674\/\">0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/03\/14\/0patch-fix-for-windows-installer-flaw-cve-2020-0683\/\">0patch: Fix for Windows Installer flaw CVE-2020-0683<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/03\/20\/0patch-fix-for-windows-gdi-vulnerability-cve-2020-0881\/\">0patch fix for Windows GDI+ vulnerability CVE-2020-0881<\/a><br \/><a 
href=\"https:\/\/borncity.com\/win\/2020\/03\/24\/0-day-vulnerability-in-windows-adobe-type-library\/\">0-day vulnerability in Windows Adobe Type Library<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/04\/23\/0patch-fixt-cve-2020-0687-in-windows-7-server-2008-r2\/\">0patch fixes CVE-2020-0687 in Windows 7\/Server 2008 R2<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/05\/21\/0patch-fixes-cve-2020-1048-in-windows-7-server-2008-r2\/\">0patch fixes CVE-2020-1048 in Windows 7\/Server 2008 R2<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/05\/27\/0patch-fixt-cve-2020-1015-in-windows-7-server-2008-r2\/\">0patch fixes CVE-2020-1015 in Windows 7\/Server 2008 R2<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/07\/10\/0patch-fr-0-day-rce-schwachstelle-in-zoom-fr-windows\/\">0patch for 0-day RCE vulnerability in Zoom for Windows<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/07\/18\/windows-server-2008-r2-0patch-fixes-sigred-vulnerability\/\">Windows Server 2008 R2: 0patch fixes SIGRed vulnerability<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/08\/12\/0patch-fixt-cve-2020-1113-in-windows-7-server-2008-r2\/\">0patch fixes CVE-2020-1113 in Windows 7\/Server 2008 R2<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/09\/02\/0patch-fixt-cve-2020-1337-in-windows-7-server-2008-r2\/\">0patch fixes CVE-2020-1337 in Windows 7\/Server 2008 R2<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/09\/11\/0patch-fixt-cve-2020-1530-in-windows-7-server-2008-r2\/\">0patch fixes CVE-2020-1530 in Windows 7\/Server 2008 R2<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/09\/18\/0patch-fixt-zerologon-cve-2020-1472-in-windows-server-2008-r2\/\">0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2<\/a><br \/><a href=\"https:\/\/web.archive.org\/web\/20210621200302\/https:\/\/borncity.com\/win\/2020\/10\/17\/0patch-fixt-cve-2020-1062-in-windows-7-server-2008-r2\/\">0patch fixes CVE-2020-1062 in Windows 
7\/Server 2008 R2<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/11\/19\/0patch-fixt-cve-2020-1300-in-windows-7-server-2008-r2\/\">0patch fixes CVE-2020-1300 in Windows 7\/Server 2008 R2<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/11\/26\/0patch-fixt-0-day-schwachstelle-in-windows-7-server-2008-r2\/\">0patch fixes 0-day vulnerability in Windows 7\/Server 2008 R2<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/12\/24\/0patch-fixt-cve-2020-1013-in-windows-7-server-2008-r2\/\">0patch fixes CVE-2020-1013 in Windows 7\/Server 2008 R2<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2021\/01\/08\/0patch-fixt-local-privilege-escalation-0-day-in-sysinternals-psexec\/\">0patch fixes a Local Privilege Escalation 0-day in Sysinternals PsExec<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2021\/01\/28\/0patch-fixt-windows-installer-0-day-local-privilege-escalation-schwachstelle\/\">0patch fixes Windows Installer 0-day Local Privilege Escalation vulnerability<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2021\/02\/08\/0patch-fixt-0-day-im-internet-explorer\/\">0patch fixes 0-day in Internet Explorer<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2021\/03\/24\/0patch-fixt-cve-2021-2687-im-dns-server-von-windows-server-2008-r2\/\">0patch fixes CVE-2021-26877 in the DNS server of Windows Server 2008 R2<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]ACROS Security has released a micropatch for the CVE-2021-26415 vulnerability in Windows Installer. This vulnerability was patched by Microsoft in April 2021 via a security update. 
The 0patch solution is for people who do not have an ESU license.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[69,17,18],"class_list":["post-19804","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-security","tag-windows-7","tag-windows-server-2008-r2"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/19804","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=19804"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/19804\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=19804"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=19804"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=19804"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}