Windows vulnerability

A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that gives admin privileges in Windows 10, Windows 11, and Windows Server.

BleepingComputer has tested the exploit and used it to open a command prompt with SYSTEM privileges from an account with only low-level ‘Standard’ privileges.

Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network.

The vulnerability affects all supported versions of Windows, including Windows 10, Windows 11, and Windows Server 2022.

Researcher releases bypass for patched vulnerability

As part of the November 2021 Patch Tuesday, Microsoft fixed a ‘Windows Installer Elevation of Privilege Vulnerability’ tracked as CVE-2021-41379.

This vulnerability was discovered by security researcher Abdelhamid Naceri, who found a bypass to the patch and a more powerful new zero-day privilege elevation vulnerability after examining Microsoft’s fix.

Yesterday, Naceri published a working proof-of-concept exploit for the new zero-day on GitHub, explaining that it works on all supported versions of Windows.

“This variant was discovered during the analysis of the CVE-2021-41379 patch. The bug was not fixed correctly, however, instead of dropping the bypass,” explains Naceri in his writeup. “I have chosen to actually drop this variant as it is more powerful than the original one.”

Furthermore, Naceri explained that while it is possible to configure group policies to prevent ‘Standard’ users from performing MSI installer operations, his zero-day bypasses this policy and will work anyway.

BleepingComputer tested Naceri’s ‘InstallerFileTakeOver’ exploit, and it only took a few seconds to gain SYSTEM privileges from a test account with ‘Standard’ privileges, as demonstrated in the video below.

The test was performed on a fully up-to-date Windows 10 21H1 build 19043.1348 install.

When BleepingComputer asked Naceri why he publicly disclosed the zero-day vulnerability, we were told he did it out of frustration over Microsoft’s decreasing payouts in their bug bounty program.

“Microsoft bounties has been trashed since April 2020, I really wouldn’t do that if MSFT didn’t take the decision to downgrade those bounties,” explained Naceri.

Naceri is not alone in his concerns about what researchers feel is the reduction in bug bounty awards.

Under Microsoft’s new bug bounty program one of my zerodays has gone from being worth $10,000 to $1,000

— MalwareTech (@MalwareTechBlog) July 27, 2020

BE CAREFUL! Microsoft will decrease your bounty at any time! Here’s a Hyper-V RCE vulnerability able to trigger from a Guest Machine, but it’s only eligible for a $5000.00 bounty award under the Windows Insider Preview Bounty Program. Unfair! @msftsecresponse

— rthhh (@rthhh17) November 9, 2021

BleepingComputer has reached out to Microsoft regarding the disclosed zero-day and will update the article if we receive a reply.

As is typical with zero-days, Microsoft will likely fix the vulnerability in a future Patch Tuesday update.

However, Naceri warned that it is not advised to try to fix the vulnerability by attempting to patch the binary yourself, as this will likely break the installer.

“The best workaround available at the time of writing this is to wait for Microsoft to release a security patch, due to the complexity of this vulnerability,” explained Naceri.

“Any attempt to patch the binary directly will break Windows Installer. So you better wait and see how Microsoft will screw the patch again.”
