Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Microsoft Operating Systems Privacy Windows

New Windows Zero-Day With Public Exploit Lets You Become An Admin (bleepingcomputer.com) 57

A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that gives admin privileges in Windows 10, Windows 11, and Windows Server. BleepingComputer reports: As part of the November 2021 Patch Tuesday, Microsoft fixed a 'Windows Installer Elevation of Privilege Vulnerability' vulnerability tracked as CVE-2021-41379. This vulnerability was discovered by security researcher Abdelhamid Naceri, who found a bypass to the patch and a more powerful new zero-day privilege elevation vulnerability after examining Microsoft's fix. Yesterday, Naceri published a working proof-of-concept exploit for the new zero-day on GitHub, explaining that it works on all supported versions of Windows.

"This variant was discovered during the analysis of CVE-2021-41379 patch. the bug was not fixed correctly, however, instead of dropping the bypass," explains Naceri in his writeup. "I have chosen to actually drop this variant as it is more powerful than the original one." Furthermore, Naceri explained that while it is possible to configure group policies to prevent 'Standard' users from performing MSI installer operations, his zero-day bypasses this policy and will work anyway. BleepingComputer tested Naceri's 'InstallerFileTakeOver' exploit, and it only took a few seconds to gain SYSTEM privileges from a test account with 'Standard' privileges, as demonstrated in [this video]. When BleepingComputer asked Naceri why he publicly disclosed the zero-day vulnerability, we were told he did it out of frustration over Microsoft's decreasing payouts in their bug bounty program.
A Microsoft spokesperson said in a statement: "We are aware of the disclosure and will do what is necessary to keep our customers safe and protected. An attacker using the methods described must already have access and the ability to run code on a target victim's machine."

Naceri recommends users wait for Microsoft to release a security patch, as attempting to patch the binary will likely break the installer.
This discussion has been archived. No new comments can be posted.

New Windows Zero-Day With Public Exploit Lets You Become An Admin

Comments Filter:
  • Non-story, really. (Score:1, Informative)

    by Anonymous Coward
    If someone has physical access to the machine to run this exploit, you've already been entirely compromised before the exploit ever runs.
    • by znrt ( 2424692 ) on Tuesday November 23, 2021 @08:30PM (#62015293)

      you don't need access to the machine, simply contaminate an installer file that the user is willing to trust. this is clear in the abstract even.

      ok, now you say "if someone manages to get arbitrary code to run on the machine ...." and that's true, but not the point here. the point is that ms' installer allows an escalation of privilege, which is a serious flaw regardless of actual threat level, the faux-fix making it just more embarrassing. however it turns out that hijacking trusted installers is not at all unheard of. there is an actual reason for software installers to be expected to adhere to os access control, and this f-up breaks just that.

      • One has seen this concept dozens of times over the decades. The root cause is sloppy edit checking and parsing in processes that are elevated and trusted. From email to 3rd party virus scanners down to humble ping and video card drivers. For sure, the problem is those who authored a very careless and sloppy fix. One speculates the back door was left open to accept low level firmware and microcode binaries, not X86 in nature. A second reason might be being to overcome a hostile APT threat that defends itself
    • by mendax ( 114116 )

      If you have access to the machine in many if not most cases you are already running as Administrator because most people run their machines in that configuration. It seems to be the default configuration in the installer, at least from my experience.

      • Some of that depends on what environment you are in (home vs enterprise) and what the installer is trying to do. It a home environment, many people are still running with an account that has admin privileges. In an enterprise environment, this is rarely the case.

        Also, some software will check if you want to install the software for all users or just the current user. Software can be installed in the profile area for just the current user without needing admin privileges. If you want to install the softw

  • Zero day (Score:4, Insightful)

    by phantomfive ( 622387 ) on Tuesday November 23, 2021 @07:57PM (#62015225) Journal

    Yesterday, Naceri published a working proof-of-concept exploit for the new zero-day on GitHub

    Sounds like it's a one-day then.

  • by PPH ( 736903 ) on Tuesday November 23, 2021 @08:11PM (#62015249)

    An attacker using the methods described must already have access and the ability to run code on a target victim's machine.

    ... the attacker and the victim are one and the same. Circumventing company standard configurations or installing unapproved software are two reasons some employees have used to gain admin control of their work systems.

    • I would have to fire you for that. IT inventory systems would notice what you did, the records would not be on your side.

      • by PPH ( 736903 )

        I would have to fire you for that.

        Are you the CEO? If not, are you more important to the operation of the company than the person fiddling with their system?

        • You produced the record of the event that put the company at risk and that is on you alone.

      • Absolutely! Youâ(TM)re not so important that you get to put the entire company at risk.
  • asshole (Score:1, Troll)

    by awwshit ( 6214476 )

    What an asshole. You think you are poking at Microsoft but really you create headaches for so many. Releasing this right before a major holiday and long weekend is an invitation for ransomware. Fuck you, Naceri.

    • by znrt ( 2424692 )

      so you guys now have to actually do the job you're paid for? unbelievable ...

      • I'm not sure which 'you guys' you are referring to. I suppose the victims of ransomware have jobs that do not entirely revolve around cleaning up messes on holiday weekends, working around the clock on restores and imaging. Its not my fault assholes release code that other assholes can stack together to do bad things, when its easy to be more responsible.

        • Its not my fault assholes release code that other assholes can stack together to do bad things,

          They call it Windows. And the bad thing you do with Windows is depending on it for your business.

          when its easy to be more responsible.

          And run Linux, yeah.

    • Comment removed based on user account deletion
      • And now any asshole can use it, and stack it together with other things like it. Asshole could have just been more responsible. What happened wanted a bounty he didn't get?

        • by witz2 ( 8211674 )
          Microsoft should pay better. That is what happens when ppl do not pay. Now admins will "enjoy" holidays hoping their entire domains are not encrypted upon return to office.
    • Microsoft created a headache for so many. Don't blame the wrong person.

      • https://www.law.cornell.edu/we... [cornell.edu]

        Try to appreciate the difference between acting purposefully and acting negligently. Microsoft did not act with malice while Naceri did.

        There is a big gap between an unknown issue and an easily acquired free tool.

        If you live in the US I'd bet you have regular lock on your front door, something like a Schlage or a Kwikset. Well there are a limited number of possible keys for those locks, fewer than the number of locks that are sold - meaning someone else has a key to your h

        • Nah. As far as I'm concerned, if you use Microsoft in a place where security matters, you are negligent. You know the door is open, inviting anyone in.

  • A zero day means you have zero days to path it because itâ(TM)s being used. A researcher finding an exploit and reporting it privately is a 90 day at least.
    • Being used is not a requisite, once you find out about an exploit and until it gets patched it's a zero-day exploit.
      • No, a zero day is an exploit that is being used the vendor doesnâ(TM)t know about.
        • by witz2 ( 8211674 )
          A zero day is an exploit that is being used. And the vendor has not patched.
          • A zero-day (also known as 0-day) is a computer-software vulnerability either unknown to those who should be interested in its mitigation (including the vendor of the target software) or known and a patch has not been developed. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, additional computers or a network.

            Notice the use of the word "can" and not "must" there.

    • He only warned Microsoft for the previous bug, this one he used as an implied threat go increase their bug bounties or he would release more bugs as zero days. Or in other words he's a black hat blackmailer now, not a security researcher. His choice.

Ocean: A body of water occupying about two-thirds of a world made for man -- who has no gills. -- Ambrose Bierce

Working...