Flash Notice - Windows Zero-Day 'InstallerFileTakeOver' Vulnerability Allows Unauthorized Users to Become an Admin

Overview

During Patch Tuesday of November 2021, Microsoft fixed a zero-day Windows vulnerability (CVE-2021-41379) that allows unauthorized users to become an administrator. However, the patch was bypassed by security researcher, Abdelhamid Naceri, and led to a new privilege elevation vulnerability in Windows 10, Windows 11, and in Windows Server 2022. The new variant is named ‘InstallerFileTakeOver’.  

Cyber security analysts at BleepingComputer tested the exploit and used it to open to command prompt with SYSTEM privileges from an account with low-level ‘Standard’ privileges in mere seconds. They discovered that the vulnerability allows threat actors with limited access to compromise devices, to easily elevate their privileges and help move laterally within the network. BleepingComputer’s test was performed on an up-to-date Windows 10 21H1 build, 19043.1348 install.  

Naceri stated that Microsoft didn’t patch the original vulnerability correctly, and while it’s possible to configure group policies to prevent ‘Standard’ users from exploiting the bug, ‘InstallerFileTakeOver’ bypasses the policy and will work regardless. When Naceri was asked why he decided to publish the exploit, he said that he was frustrated over Microsoft’s decreasing payouts in their bug bounty program.  

Microsoft has not issued a statement regarding ‘InstallerFileTakeOver’ or Naceri’s comments about their bug bounty program, but it is expected that they will fix the vulnerability in a future Patch Tuesday update. However, Naceri warned that trying to fix the vulnerability by patching the binary directly, will more than likely break the installer.  

Because of the vulnerability’s complexity, Naceri advised that the best workaround for ‘InstallerFileTakeOver’ is to wait until Microsoft releases a security patch. However, Avertium’s analysts have discovered that the exploit doesn’t work unless Microsoft Edge is installed on a device. Additionally, during testing, Avertium found that the exploit was blocked by Microsoft Defender.  

How Avertium is Protecting Our Clients

At this time, there are no known patches or workarounds for ‘InstallerFileTakeOver’. However, please know that Avertium’s threat hunters remain vigilant in securing your environment. Should we have more information regarding this vulnerability, we will provide you with an update as soon as possible. For more information on how Avertium can help protect your organization, reach out to your Avertium sales representative.  

• Avertium has verified that the proof-of-concept exploit is detected by our managed EDR tools including SentinelOne, Sophos, and Microsoft Defender for Endpoint. 
• Avertium’s threat hunters are equipped with threat hunting queries to detect the POC exploit file as well as evidence that the exploit has been executed. 

avertium's recommendations for CVE-2021-41379

• Keep Microsoft Defender installed on your computer, as it blocks the exploit.  
• Because the exploit only works if Microsoft Edge is installed, it’s best that you do not install it at this time if you don’t have it installed on your computer. 
  

sigma rules

title: Possible InstallerFileTakeOver LPE CVE-2021-41379  

id: af8bbce4-f751-46b4-8d91-82a33a736f61 

status: experimental 

description: Detects signs of the exploitation of LPE CVE-2021-41379 to spawn a cmd.exe with LOCAL_SYSTEM rights 

author: Florian Roth 

date: 2021/11/22 

references: 

    - https://github.com/klinix5/InstallerFileTakeOver 

    - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/ 

tags: 

    - attack.privilege_escalation 

    - attack.t1068 

logsource: 

    category: process_creation 

    product: windows 

detection: 

    selection: 

        Image|endswith: '\cmd.exe' 

        ParentImage|endswith: '\elevation_service.exe' 

        IntegrityLevel: 'System' 

    condition: selection 

falsepositives: 

    - Unknown 

level: critical 

title: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event 

id: 3be82d5d-09fe-4d6a-a275-0d40d234d324 

status: experimental 

description: Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file 

author: Florian Roth 

date: 2021/11/22 

references: 

    - https://github.com/klinix5/InstallerFileTakeOver 

    - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/ 

tags: 

    - attack.privilege_escalation 

    - attack.t1068 

logsource: 

    category: file_event 

    product: windows 

detection: 

    selection: 

        Image|endswith: '\msiexec.exe' 

        TargetFilename|startswith: 'C:\Program Files (x86)\Microsoft\Edge\Application' 

        TargetFilename|endswith: '\elevation_service.exe' 

    condition: selection 

fields: 

    - ComputerName 

    - TargetFilename 

falsepositives: 

    - Unknown 

    - Possibly some Microsoft Edge upgrades 

level: critical 

avertium's recommendations 

9e4763ddb6ac4377217c382cf6e61221efca0b0254074a3746ee03d3d421dabd 

a1c3d316111dc911fd445d47e10206f1d134fa96a0b8fa13088d1b968b18e6b2  

hxxps://github.com/klinix5/InstallerFileTakeOver/raw/main/InstallerFileTakeOver/Release/InstallerFileTakeOver.exe 

References

Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'InstallerFileTakeOver.exe' (hybrid-analysis.com) 

New Windows zero-day with public exploit lets you become an admin (bleepingcomputer.com) 

This dangerous Windows zero-day lets you instantly become an admin | TechRadar 

GitHub - klinix5/InstallerFileTakeOver 

download our free ebook to learn how to create a business-first incident response plan