Unpatched Windows vulnerability allows attackers to gain admin rights
Security researcher Abdelhamid Naceri published a public exploit on GitHub yesterday that allows anyone to gain administrative rights on Windows devices by abusing an unpatched vulnerability. According to Naceri, the exploit works on all supported client and server versions of Windows, including Windows 11 and Windows Server 2022 with the latest security updates installed (the November 2021 patches at the time of writing).
We confirmed the exploit on a Windows 10 version 21H2 test system: executed locally from a standard user account, it gave us elevated privileges. Bleeping Computer tested the exploit as well and found it to be working.
Microsoft patched CVE-2021-41379, a Windows Installer Elevation of Privilege vulnerability that was also discovered by Naceri, in the November 2021 security updates.
Naceri found a variant of the patched vulnerability "during analysis of CVE-2021-41379", noting that the initial issue was not patched correctly. He decided against publishing a bypass for the patch that Microsoft released, stating that the new variant he published instead "is more powerful than the original one".
The researcher describes the proof of concept in the following way:
I have also made sure that the proof of concept is extremely reliable and doesn't require anything, so it works in every attempt. The proof of concept overwrites the Microsoft Edge elevation service DACL and copies itself to the service location and executes it to gain elevated privileges.
While this technique may not work on every installation, because Windows installations such as Server 2016 and 2019 may not have the elevation service, I deliberately left the code which takes over file open, so any file specified in the first argument will be taken over with the condition that the SYSTEM account must have access to it and the file mustn't be in use. So you can elevate your privileges yourself.
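The takeover described in the quote above gives defenders something concrete to check. The following PowerShell is an added example written for this page, not the researcher's proof of concept and not Microsoft tooling. It assumes the service is registered under the name MicrosoftEdgeElevationService (the article does not name it), locates the service binary from the service table, verifies that the file on disk still carries a valid Microsoft Authenticode signature, and lists every principal outside SYSTEM, Administrators and TrustedInstaller that holds write or permission-changing rights on it. A binary that was replaced fails the signature check; a DACL that was rewritten to let a standard user in shows up in the writable list.

```powershell
# Added example for this article, not the PoC's code. Assumed service name
# (not stated in the article): MicrosoftEdgeElevationService.
function Test-ElevationServiceBinary {
    param(
        [string]$ServiceName = 'MicrosoftEdgeElevationService'  # assumption
    )

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) {
        # Matches the researcher's caveat: some installs (e.g. Server 2016/2019)
        # do not have the elevation service at all.
        return [pscustomobject]@{
            Present = $false; Path = $null; SignatureValid = $null; WritableBy = @()
        }
    }

    # PathName may be quoted and may carry arguments; keep only the executable.
    $path = $svc.PathName
    if ($path.StartsWith('"')) { $path = $path.Split('"')[1] }
    else                       { $path = $path.Split(' ')[0] }

    # A binary the PoC copied over itself no longer carries a valid Microsoft signature.
    $sig   = Get-AuthenticodeSignature -FilePath $path
    $sigOk = ($sig.Status -eq 'Valid') -and
             ($sig.SignerCertificate.Subject -like '*Microsoft Corporation*')

    # Rights that let a principal replace the file or rewrite its DACL.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                 [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                 [System.Security.AccessControl.FileSystemRights]::ChangePermissions

    # Principals that legitimately own service binaries; anything else is suspect.
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

    $writable = (Get-Acl -Path $path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $writeMask) -ne 0) -and
            ($trusted -notcontains $_.IdentityReference.Value)
        } |
        ForEach-Object { $_.IdentityReference.Value }

    [pscustomobject]@{
        Present        = $true
        Path           = $path
        SignatureValid = $sigOk
        WritableBy     = @($writable)
    }
}

$result = Test-ElevationServiceBinary
$result | Format-List
if ($result.Present -and (-not $result.SignatureValid -or $result.WritableBy.Count -gt 0)) {
    Write-Warning 'Elevation service binary is unsigned/tampered or writable by a non-admin principal.'
}
```

The check runs from a standard user account, since reading the service table, the file and its ACL does not require elevation. Present = $false on a system without the Edge elevation service only means this particular target is absent; as the researcher notes, the file-takeover primitive itself can be pointed at other files, so the absence of the service is not a sign that the host is safe.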
Running standard user accounts instead of accounts with administrative privileges is considered good security practice, as doing so may limit what successful exploits and attacks can do on a system.
Naceri notes that his exploit is not affected by a policy that may prevent standard users from performing MSI operations.
He plans to drop the bypass to the vulnerability patched in November 2021 after Microsoft produces a patch for the vulnerability discussed in this article.
Windows administrators and users should wait for a patch nevertheless according to Naceri, as "any attempt to patch the binary directly will break windows installer".
Bleeping Computer asked Naceri why he did not report the vulnerability to Microsoft before publication. Naceri responded that it is a reaction to Microsoft cutting bug bounties for reported vulnerabilities.
Now You: do you run standard or admin accounts by default?