A security researcher has publicly revealed an exploit for a new Windows zero-day local privilege elevation vulnerability that grants admin rights in Windows 10, Windows 11, and Windows Server. Threat actors with restricted access to a compromised device might simply raise their privileges to help propagate laterally throughout the network by exploiting this vulnerability. All supported versions of Windows, including Windows 10, Windows 11, and Windows Server 2022, are vulnerable.
As part of Patch Tuesday of November 2021, Microsoft addressed a ‘Windows Installer Elevation of Privilege Vulnerability’ flaw tracked as CVE-2021-41379. After reviewing Microsoft’s update, security researcher Abdelhamid Naceri uncovered a bypass to the patch as well as a more potent new zero-day privilege escalation issue.
Naceri posted a successful proof-of-concept exploit for the new zero-day on GitHub yesterday, claiming it works on all supported Windows versions. While creating group policies to block ‘Standard’ users from executing MSI installation activities is possible, Naceri revealed that his zero-day exploit circumvents this policy and still works.
When Naceri’s ‘InstallerFileTakeOver’ exploit was tested, a test account with only ‘Standard’ rights needed just a few seconds to obtain SYSTEM privileges, as shown in the video below. The test was run on a fresh installation of Windows 10 21H1 build 19043.1348.
Microsoft will most likely resolve the issue in a future Patch Tuesday release, as is common with zero-days. However, Naceri cautioned that attempting to remedy the vulnerability by patching the binaries will almost certainly damage the Windows installation.
Due to the intricacy of this issue, the best remedy available at the time of writing is to wait for a security fix from Microsoft. Any effort to patch the binaries directly will break the Windows installation.