New Windows Zero-Day With Public Exploit Lets You Become An Admin (bleepingcomputer.com)
A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that gives admin privileges in Windows 10, Windows 11, and Windows Server. BleepingComputer reports: As part of the November 2021 Patch Tuesday, Microsoft fixed a 'Windows Installer Elevation of Privilege Vulnerability', tracked as CVE-2021-41379. This vulnerability was discovered by security researcher Abdelhamid Naceri, who, after examining Microsoft's fix, found a bypass of the patch and a more powerful new zero-day privilege elevation vulnerability. Yesterday, Naceri published a working proof-of-concept exploit for the new zero-day on GitHub, explaining that it works on all supported versions of Windows.
"This variant was discovered during the analysis of CVE-2021-41379 patch. The bug was not fixed correctly, however, instead of dropping the bypass," explains Naceri in his writeup. "I have chosen to actually drop this variant as it is more powerful than the original one." Furthermore, Naceri explained that while it is possible to configure group policies to prevent 'Standard' users from performing MSI installer operations, his zero-day bypasses this policy and will work anyway. BleepingComputer tested Naceri's 'InstallerFileTakeOver' exploit, and it only took a few seconds to gain SYSTEM privileges from a test account with 'Standard' privileges, as demonstrated in [this video]. When BleepingComputer asked Naceri why he publicly disclosed the zero-day vulnerability, we were told he did it out of frustration over Microsoft's decreasing payouts in their bug bounty program. A Microsoft spokesperson said in a statement: "We are aware of the disclosure and will do what is necessary to keep our customers safe and protected. An attacker using the methods described must already have access and the ability to run code on a target victim's machine."
Naceri recommends users wait for Microsoft to release a security patch, as attempting to patch the binary will likely break the installer.
Non-story, really. (Score:1, Informative)
Re:Non-story, really. (Score:5, Insightful)
You don't need access to the machine, simply contaminate an installer file that the user is willing to trust. This is clear in the abstract even.
OK, now you say "if someone manages to get arbitrary code to run on the machine ...." and that's true, but not the point here. The point is that MS' installer allows an escalation of privilege, which is a serious flaw regardless of actual threat level, the faux-fix making it just more embarrassing. However, it turns out that hijacking trusted installers is not at all unheard of. There is an actual reason for software installers to be expected to adhere to OS access control, and this f-up breaks just that.
Re: (Score:2)
Re: (Score:2)
If you have access to the machine, in many if not most cases you are already running as Administrator, because most people run their machines in that configuration. It seems to be the default configuration in the installer, at least from my experience.
Re: (Score:3)
Some of that depends on what environment you are in (home vs enterprise) and what the installer is trying to do. In a home environment, many people are still running with an account that has admin privileges. In an enterprise environment, this is rarely the case.
Also, some software will check if you want to install the software for all users or just the current user. Software can be installed in the profile area for just the current user without needing admin privileges. If you want to install the softw
Zero day (Score:4, Insightful)
Yesterday, Naceri published a working proof-of-concept exploit for the new zero-day on GitHub
Sounds like it's a one-day then.
Re: Zero day (Score:2)
No, it's zero day until Microsoft issues a patch.
Re: (Score:2)
Re: (Score:2)
Re: Zero day (Score:2)
No, the original definition meant either the day of or the day before a software release. It started in the warez scene, who also used it when referring to exploits.
Re: (Score:2)
Sometimes ... (Score:3)
An attacker using the methods described must already have access and the ability to run code on a target victim's machine.
Re: (Score:2)
I would have to fire you for that. IT inventory systems would notice what you did, the records would not be on your side.
Re: (Score:2)
I would have to fire you for that.
Are you the CEO? If not, are you more important to the operation of the company than the person fiddling with their system?
Re: (Score:2)
You produced the record of the event that put the company at risk and that is on you alone.
Re: (Score:2)
If someone has the ability to terminate your employment
I really wish that were true. I've seen so many people from executives to cowboy coders that insist they have to have some utility, app or development suite. And they simply can't do their jobs without admin permissions on their systems. And the IT department does nothing.
If somebody does not have the ability to terminate their employment, they would be better off not drawing attention to that fact.
Re: Sometimes ... (Score:2)
Re: (Score:1)
If you're like 3/4 of developers out there, you're not competent to assure the security of your machine. A hell of a lot of developers end up doing stupid shit that can lead to compromise because they don't have a real grasp on computer security. Maybe you're one of the competent devs who understands security, but at least recognize that most of your peers do not.
Re: (Score:2)
Before anyone logs into our computers, they acknowledge they have read the policies about computer use. I don't care how "gifted" you think you are, if you go rogue and install a completely different OS and configure an unsecured VM with unknown licensing and security settings, you're out the door before you get your first pay check.
We hope our hiring process catches people with your attitude before they are brought back for their second interview.
Re: (Score:2)
If you're a developer and your company doesn't trust you with your own sandboxed system(s) and network(s), you're either in a shit company or you're a shit developer that the company has learned can't be trusted. No developer is 100% secure during the development process, but the good ones know how to keep their work separated from the main business network until it's been beaten up and down through the QC and security processes it needs to pass.
I wish more businesses understood that. I've worked for too
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
However, that does not make that researcher any less of a threat to the public nor diminish the harm they cause by distributing out a new unknown exploit at day zero.
The researcher is no threat, the bug is. And the bug is the direct and only responsibility of MS ... who apparently didn't want to pay for the knowledge, so it seems MS are the first not giving a fsck about "public harm".
So a company writes sloppy systems and offloads the responsibility of preventing harm to the public to a community of researchers, and then isn't even willing to pay them reasonably when they catch such a f-up, and you actually blame the researcher who speaks out?
Re: (Score:3)
This is shooting the messenger. And btw being obtuse and despicable. Obtuse because a public proof of concept is always better than an undisclosed exploit in the wild, no matter how "supremely" irresponsible some person without a clue about software security thinks it is. Despicable if that same person wants to punish the messenger while giving a pass to those who put that "supreme irresponsibility" in circulation. tl;dr: you are either stupid, or have a mean agenda, or both.
Re: This shows more laws are needed (Score:2)
This is shooting the messenger who causes panic in a crowd killing people when an orderly evacuation would still be easily possible.
Some messengers deserve to be shot.
Re: (Score:2)
The researcher is no threat, the bug is. And the bug is the direct and only responsibility of MS
No, the bug is a threat, BUT the irresponsible releaser is also a threat and bad actor who causes systems to be compromised by providing knowledge to bad actors of the existence of bugs which take substantial work to find, therefore doing the other malicious users' work for them, and there exists a way to publish the research without causing this through full disclosure in advance to the
Re: (Score:2)
who apparently didn't want to pay for the knowledge
'Security researcher' has now become 'blackmailer'. Pay up or else I release it to the public before you can fix it. Some 'researcher', huh? I guess 'security researcher' today simply means 'security opportunist' since they are in no way a 'security professional.'
Re: (Score:2)
When they speak out irresponsibly, yes.
Re: (Score:1)
Re: (Score:3)
Your way just prolongs existing known vulnerabilities by criminal hackers that get discovered by security researchers to be able to squeeze out an extra few months
The situation here of researchers releasing widely with no pre-reporting to the Vendor and authorities is a Bad precedent... It is NOT good to have people implying: Pay us a nice bounty, otherwise we will ship exploits for your OS immediately, instead of reporting in advance. It's really no different than the ransomware concept "We got yo
Re: (Score:2)
That would be about the most stupid thing possible. Not that I expect you to understand that.
asshole (Score:1, Troll)
What an asshole. You think you are poking at Microsoft but really you create headaches for so many. Releasing this right before a major holiday and long weekend is an invitation for ransomware. Fuck you, Naceri.
Re: (Score:3)
So you guys now have to actually do the job you're paid for? Unbelievable ...
Re: (Score:2)
I'm not sure which 'you guys' you are referring to. I suppose the victims of ransomware have jobs that do not entirely revolve around cleaning up messes on holiday weekends, working around the clock on restores and imaging. It's not my fault assholes release code that other assholes can stack together to do bad things, when it's easy to be more responsible.
Re: (Score:2)
It's not my fault assholes release code that other assholes can stack together to do bad things,
They call it Windows. And the bad thing you do with Windows is depending on it for your business.
when it's easy to be more responsible.
And run Linux, yeah.
Re: (Score:2)
I had a look over your posting history and it's a bunch of worthless one-liners with zero content. Your hypocrisy has been noted.
Re: (Score:1)
Re: (Score:2)
And now any asshole can use it, and stack it together with other things like it. Asshole could have just been more responsible. What happened, he wanted a bounty he didn't get?
Re: (Score:1)
Re: (Score:2)
Microsoft created a headache for so many. Don't blame the wrong person.
Re: (Score:2)
https://www.law.cornell.edu/we... [cornell.edu]
Try to appreciate the difference between acting purposefully and acting negligently. Microsoft did not act with malice while Naceri did.
There is a big gap between an unknown issue and an easily acquired free tool.
If you live in the US I'd bet you have regular lock on your front door, something like a Schlage or a Kwikset. Well there are a limited number of possible keys for those locks, fewer than the number of locks that are sold - meaning someone else has a key to your h
Re: (Score:2)
Nah. As far as I'm concerned, if you use Microsoft in a place where security matters, you are negligent. You know the door is open, inviting anyone in.
Not zero day (Score:2)
Re: (Score:2)
Re: Not zero day (Score:2)
Re: (Score:1)
Re: (Score:2)
A zero-day (also known as 0-day) is a computer-software vulnerability either unknown to those who should be interested in its mitigation (including the vendor of the target software) or known and a patch has not been developed. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, additional computers or a network.
Notice the use of the word "can" and not "must" there.
Re: Not zero day (Score:2)
He only warned Microsoft for the previous bug; this one he used as an implied threat to increase their bug bounties or he would release more bugs as zero days. Or in other words, he's a black hat blackmailer now, not a security researcher. His choice.