A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that yields SYSTEM-level privileges on Windows 10, Windows 11, and Windows Server.

BleepingComputer has tested the exploit and used it to open a command prompt with SYSTEM privileges from an account that had only low-privileged 'Standard' user rights.

Using this vulnerability, a threat actor who already has limited access to a compromised device can easily elevate to SYSTEM and use those privileges to move laterally within the network.

The vulnerability affects all supported versions of Windows, including Windows 10, Windows 11, and Windows Server 2022.

Researcher releases bypass to patched vulnerability

As part of the November 2021 Patch Tuesday, Microsoft fixed a 'Windows Installer Elevation of Privilege Vulnerability' tracked as CVE-2021-41379.

That vulnerability was discovered by security researcher Abdelhamid Naceri, who, after examining Microsoft's fix, found both a bypass for the patch and a new, more powerful zero-day privilege elevation vulnerability.

Yesterday, Naceri published a working proof-of-concept exploit for the new zero-day on GitHub, explaining that it works on all supported versions of Windows.

"This variant was discovered during the analysis of CVE-2021-41379 patch. The bug was not fixed correctly, however, instead of dropping the bypass," explains Naceri in his writeup. "I have chosen to actually drop this variant as it is more powerful than the original one."

Furthermore, Naceri explained that while group policy can be configured to prevent 'Standard' users from performing MSI installer operations, his zero-day bypasses that policy and works regardless.
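As an added example (not from the article and not from Naceri's InstallerFileTakeOver repository), the following PowerShell script reads the Windows Installer policy values on the local machine so an administrator can see whether such a restriction is in place, and records the OS build for comparison with the build BleepingComputer tested. It assumes the policies the article alludes to are the 'Turn off Windows Installer' (DisableMSI) and 'Prohibit User Installs' (DisableUserInstalls) settings stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer; the article does not name them. Per Naceri, the exploit works even when these are set, so the output tells you only what policy is configured, not whether the host is protected.

```powershell
# Added audit script; not code from the article or from the exploit's author.
# Assumption: the MSI-restriction policies the article mentions are DisableMSI and
# DisableUserInstalls under the Windows Installer policy key below.

function Get-WindowsInstallerPolicyState {
    [CmdletBinding()]
    param()

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $props = if (Test-Path $policyKey) { Get-ItemProperty -Path $policyKey } else { $null }

    # DisableMSI ("Turn off Windows Installer"): absent/0 = always enabled,
    # 1 = disabled for non-managed applications, 2 = always disabled.
    $disableMsi = if ($props -and $null -ne $props.DisableMSI) { [int]$props.DisableMSI } else { 0 }
    $disableMsiText = switch ($disableMsi) {
        0 { 'Windows Installer enabled for all users (policy not set or 0)' }
        1 { 'Disabled for non-managed applications' }
        2 { 'Always disabled' }
        default { "Unexpected value $disableMsi" }
    }

    # DisableUserInstalls ("Prohibit User Installs"): 1 = per-user installs are blocked.
    $disableUserInstalls = if ($props -and $null -ne $props.DisableUserInstalls) { [int]$props.DisableUserInstalls } else { 0 }

    # OS build, so the report can be compared against the build the article was tested on
    # (Windows 10 21H1, 19043.1348) and against whatever patch Microsoft later ships.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        OSVersion           = $os.Version
        BuildNumber         = $os.BuildNumber
        DisableMSI          = $disableMsi
        DisableMSIMeaning   = $disableMsiText
        DisableUserInstalls = [bool]$disableUserInstalls
    }
}

Get-WindowsInstallerPolicyState | Format-List
```

Run it in an elevated or standard PowerShell session; reading HKLM policy values does not require administrator rights. A non-zero DisableMSI or DisableUserInstalls value shows the restriction Naceri refers to is configured, which, according to the article, does not block his exploit.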

BleepingComputer tested Naceri's 'InstallerFileTakeOver' exploit, and it only took a few seconds to gain SYSTEM privileges from a test account with 'Standard' privileges, as demonstrated in the video below.

The test was performed on a fully up-to-date Windows 10 21H1 build 19043.1348 install.

When BleepingComputer asked Naceri why he publicly disclosed the zero-day vulnerability, we were told he did it out of frustration over Microsoft's decreasing payouts in their bug bounty program.

"Microsoft bounties have been trashed since April 2020, I really wouldn't do that if MSFT didn't take the decision to downgrade those bounties," explained Naceri.

Naceri is not alone in his concerns about what researchers see as a reduction in bug bounty awards.

Microsoft told BleepingComputer that they are aware of the public disclosure for this vulnerability.

“We are aware of the disclosure and will do what is necessary to keep our customers safe and protected. An attacker using the methods described must already have access and the ability to run code on a target victim's machine.” – a Microsoft spokesperson.

As is typical with zero days, Microsoft will likely fix the vulnerability in an upcoming Patch Tuesday update.

However, Naceri warned third-party patching companies against trying to fix the vulnerability by patching the binary directly, as doing so will likely break Windows Installer.

"The best workaround available at the time of writing this is to wait for Microsoft to release a security patch, due to the complexity of this vulnerability," explained Naceri.

"Any attempt to patch the binary directly will break Windows Installer. So you better wait and see how Microsoft will screw the patch again."

Since publishing this story, Cisco Talos researchers have discovered that threat actors have begun to abuse this vulnerability with malware.

"During our investigation, we looked at recent malware samples and were able to identify several that were already attempting to leverage the exploit," Cisco Talos' Head of Outreach Nick Biasini told BleepingComputer.

"Since the volume is low, this is likely people working with the proof of concept code or testing for future campaigns. This is just more evidence on how quickly adversaries work to weaponize a publicly available exploit."

Update 11/23/21  - Added statement from Microsoft.
Update 11/24/21 - Updated story about the zero-day being used in malware attacks.
