New Windows Zero-Day with Public Exploit Lets You Become an Administrator


A security researcher has publicly disclosed an exploit for a new Windows zero-day local elevation of privilege vulnerability that grants administrator privileges in Windows 10, Windows 11, and Windows Server.

TechToSee tested the exploit and used it to open a Command Prompt with SYSTEM privileges from an account that had only low-level “Standard” user privileges.

Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to SYSTEM, helping them spread laterally within the network.

The vulnerability affects all supported versions of Windows, including Windows 10, Windows 11, and Windows Server 2022.

Researcher releases bypass for patched vulnerability

As part of the November 2021 Patch Tuesday, Microsoft fixed a “Windows Installer Elevation of Privilege Vulnerability” tracked as CVE-2021-41379.

The vulnerability was discovered by security researcher Abdelhamid Naceri, who, after reviewing Microsoft’s patch, found a patch bypass and a new, more powerful zero-day elevation of privilege vulnerability.

Yesterday, Naceri posted a functional proof of concept exploit for the new zero-day on GitHub, explaining that it works on all supported versions of Windows.

“This variant was discovered during the analysis of the CVE-2021-41379 patch. However, the bug was not corrected properly; instead of removing the workaround,” Naceri explains in his write-up, “I chose to abandon this variant because it is more powerful than the original.”

Additionally, Naceri explained that while it is possible to configure group policies to prevent “Standard” users from performing MSI install operations, his zero-day circumvents that policy and will work anyway.

TechToSee tested Naceri’s “InstallerFileTakeOver” exploit, and it only took a few seconds to gain SYSTEM privileges from a test account with “Standard” privileges, as shown in the video below.

Testing was performed on a fully updated installation of Windows 10 21H1 build 19043.1348.

When TechToSee asked Naceri why he publicly disclosed the zero-day vulnerability, we were told he did so out of frustration over Microsoft’s declining payouts in its bug bounty program.

“Microsoft bounties have been removed since April 2020. I really wouldn’t do that if MSFT hadn’t made the decision to downgrade these bounties,” Naceri explained.

Naceri isn’t the only researcher concerned about what is perceived as a reduction in Microsoft’s bug bounty rewards.

TechToSee has contacted Microsoft regarding the publicly disclosed zero-day and will update the article if we receive a response.

As is generally the case with zero-days, Microsoft will likely fix the vulnerability in a future Patch Tuesday update.

However, Naceri warned that it is not advisable to try to mitigate the vulnerability by patching the affected binary yourself, as this will likely break Windows Installer.

“The best workaround available at the time of writing is to wait until Microsoft releases a security patch, due to the complexity of this vulnerability,” Naceri explained.

“Any attempt to patch the binary directly will damage the Windows installer. So you better wait and see how Microsoft will screw the patch again.”
