Expert disclosed an exploit for a new Windows zero-day local privilege elevation issue

A researcher publicly disclosed an exploit for a new Windows zero-day local privilege elevation that can allow gaining admin privileges.

A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that can be exploited by threat actors to achieve admin privileges in Windows 10, Windows 11, and Windows Server, BleepingComputer reported. The vulnerability can be exploited by threat actors to elevate their privileges to carry out multiple malicious activities, it was discovered by the security researcher Abdelhamid Naceri who published a working proof-of-concept exploit for the new zero-day on GitHub.

Researchers from BleepingComputer successfully tested the “InstallerFileTakeOver” exploit published by Naceri.

Naceri discovered the zero-day flaw while analyzing a security patch released by Microsoft as part of the Patch Tuesday in November for another Windows Installer elevation of privilege vulnerability, tracked as CVE-2021-41379, that the researcher reported to Microsoft.

The expert was also able to bypass the patch issued by Microsoft.

“This variant was discovered during the analysis of CVE-2021-41379 patch. the bug was not fixed correctly, however, instead of dropping the bypass. I have chosen to actually drop this variant as it is more powerful than the original one.” wrote the expert. “I have also made sure that the proof of concept is extremely reliable and doesn’t require anything, so it works in every attempt. The proof of concept overwrite Microsoft Edge elevation service DACL and copy itself to the service location and execute it to gain elevated privileges. While this technique may not work on every installation, because windows installations such as server 2016 and 2019 may not have the elevation service. I deliberately left the code which take over file open, so any file specified in the first argument will be taken over with the condition that SYSTEM account must have access to it and the file mustn’t be in use. So you can elevate your privileges yourself.”

While working on the CVE-2021-41379 patch bypass, the expert has created 2 MSI packages to trigger a unique behavior in Windows installer service, one of them is the CVE-2021-41379 bypass.

Naceri told Bleeping Computer that he publicly disclosed the zero-day because of low payouts paid by Microsoft as part of its bug bounty program.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]