Unpatched Windows vulnerability allows attackers to gain admin rights
Security researcher Abdelhamid Naceri published a public proof-of-concept exploit on GitHub yesterday for an unpatched vulnerability that allows anyone to gain administrative rights on Windows devices. According to Naceri, the exploit works on all supported client and server versions of Windows, including Windows 11 and Windows Server 2022 with the latest patches installed (the November 2021 security patches, at the time of writing).
We confirmed the exploit on a Windows 10 version 21H2 test system: executed locally from a standard user account, it gave us elevated privileges. Bleeping Computer tested the exploit as well and found it to be working.
Microsoft did patch CVE-2021-41379, a Windows Installer Elevation of Privilege Vulnerability that was also discovered by Naceri, in the November 2021 patches.
Naceri found a variant of the patched vulnerability "during analysis of CVE-2021-41379", noting that the initial issue was not patched correctly. He decided against publishing a bypass for the patch that Microsoft released, stating that the new variant he published instead "is more powerful than the original one".
The researcher describes the proof of concept in the following way:
I have also made sure that the proof of concept is extremely reliable and doesn't require anything, so it works in every attempt. The proof of concept overwrites the Microsoft Edge elevation service DACL, copies itself to the service location and executes it to gain elevated privileges.
This technique may not work on every installation, because Windows installations such as Server 2016 and 2019 may not have the elevation service. I deliberately left the code which takes over file open, so any file specified in the first argument will be taken over, with the condition that the SYSTEM account must have access to it and the file mustn't be in use. So you can elevate your privileges yourself.
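The description above gives defenders a concrete thing to watch: a DACL on the Edge elevation service binary (or its folder) that grants write rights to low-privileged principals. The following audit script is an added example, not code from the article or from Naceri's proof of concept; it assumes the service is registered as 'MicrosoftEdgeElevationService' (verify with Get-Service) and accepts other service names via -ServiceName.

```powershell
# Added example (not from the article or the PoC): flag Allow ACEs that give
# Everyone, Authenticated Users or BUILTIN\Users write-class rights on a
# service's executable or its folder. Assumption: the Edge elevation service
# name is 'MicrosoftEdgeElevationService'; override with -ServiceName.
param(
    [string[]]$ServiceName = @('MicrosoftEdgeElevationService')
)

# Rights that let a principal replace, modify, delete or re-ACL the binary.
$FSR = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int64]($FSR::WriteData -bor $FSR::AppendData -bor $FSR::Delete -bor
                     $FSR::WriteDac -bor $FSR::TakeOwnership)
$GenericWriteOrAll = [int64]0x50000000   # GENERIC_WRITE | GENERIC_ALL, if unmapped

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

function Get-ServiceExecutable([string]$Name) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return $null }
    # PathName may be quoted and carry arguments; keep only the executable.
    if ($svc.PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($svc.PathName -split ' ')[0]
}

function Find-WeakAce([string]$Path) {
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable account; skip it
        $rights = [int64]$ace.FileSystemRights
        $canWrite = (($rights -band $WriteMask) -ne 0) -or (($rights -band $GenericWriteOrAll) -ne 0)
        if ($canWrite -and ($LowPrivSids -contains $sid)) {
            [pscustomobject]@{ Path = $Path; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

foreach ($name in $ServiceName) {
    $exe = Get-ServiceExecutable $name
    if (-not $exe) { Write-Warning "Service '$name' not found (absent on some SKUs, e.g. Server 2016/2019)"; continue }
    $findings = @(Find-WeakAce $exe) + @(Find-WeakAce (Split-Path -Parent $exe))
    if ($findings) { $findings | Format-Table -AutoSize }
    else { "OK: no low-privilege write access on $exe or its folder" }
}
```

A clean system reports no findings; any hit on a SYSTEM service path is a tamper indicator worth correlating with recent MSI activity on that host.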
Running standard user accounts instead of accounts with administrative privileges is considered a good security practice, as doing so may limit what successful exploits and attacks can do on a system.
Naceri notes that his exploit is not affected by a policy that may prevent standard users from performing MSI operations.
He plans to release the bypass for the vulnerability patched in November 2021 after Microsoft produces a patch for the vulnerability discussed in this article.
Windows administrators and users should nevertheless wait for a patch, according to Naceri, as "any attempt to patch the binary directly will break Windows Installer".
Bleeping Computer asked Naceri why he did not report the vulnerability to Microsoft before publication. Naceri responded that it was a reaction to Microsoft cutting bug bounties for reported vulnerabilities.
Now You: do you run standard or admin accounts by default?
Windows' incomplete November patch updates are a delicate hole. Microsoft wants your machine hijacked.
A delicate hole, yeah… LOL, Microsoft *has* your machine hijacked once you have connected to the internet.
What’s Windows? Haven’t used it in years.
Meanwhile the Windows team play around with webview junk and fake 3D emojis. What a joke Microsoft has become.
No need to be worried about, we have now new Fluent 2D icons! Just enjoy funny side of W11! :]
“Fluent,” yet another meaningless term. Fluent at what, Esperanto? I’m still trying to grasp “material.” Wood, iron, concrete, what?
Didn’t you notice the ironic sense of my comment? :[
> Now You: do you run standard or admin accounts by default?
Wouldn’t YOU like to know!? FYI Linux, and not just ANY Linux, so that answers that.
@beemeup5
MS has Goldfish like memory, 10 seconds span.
Why would they learn from past mistakes and maybe risk making new mistakes?
I believe they believe making the same mistakes over and over is more ecologically friendly, cause recycling is important!
The proof is in the pudding… Everything MS shows the same pattern.
At least Microsoft is consistent, right? RIGHT?! ;)
Q: – “What is the definition of insanity?”
A: – “Continue to repeat the same action, while expecting different results”
Micro$oft has been hard at work compiling a machine that will continuously shoot themselves in the foot. They learned nothing from the Internet Explorer days because now Edge is being used for the exact same class of privilege escalation exploits. Had MS not been so adamant about integrating Edge into every nook and cranny of Windows these root level exploits just wouldn’t be possible. If Edge was compartmentalized like other applications, e.g. Firefox or Chrome, these wide attack surfaces just wouldn’t exist. There’s a very good reason why the majority of Windows vulnerabilities are related to Internet Explorer or RDP.
And then Microshaft decided to double-down on sabotaging themselves by decreasing the bounty for such a severe exploit from $10,000 to just $1,000. I guess the potential losses incurred as a result of these exploits being used in the wild don’t amount to much according to MS. I guess they believe the free market just isn’t a thing because there’s no way a talented bug bounty hunter would EVER think to sell to a higher bidder, am I right?