IT Won’t Give You Admin? This Windows Installer Bug Can Fix That
The Patch, It Does Nothing
There once was a zero day exploit called CVE-2021-41379, which let a user gain elevated access to a system with a malformed MSI-type installer. The exploit allowed them to delete files they shouldn’t be able to, though thankfully not to edit them. Microsoft released a patch for the exploit in their latest batch of patches; the story does not end there however.
The security researcher who originally discovered this flaw, Abdelhamid Naceri, wanted to make sure that the patch worked as intended, and in his investigation discovered that not only was the patch ineffective, but that the exploit was actually worse than originally thought. Naceri posted two MSI files to GitHub which make use of the same attack, however in this case the exploit will actually grant a local user SYSTEM privileges, thus letting them inflict far more damage than simply deleting files they can access.
This affects fully patched Windows 10 and 11 systems, as well as Server versions up to 2022 and can even bypass group policy objects which would normally prevent a user from launching an MSI. If you are curious why this zero day was released to GitHub and not sent in confidence to Microsoft, it is because of the decisions Microsoft made last year regarding their bug bounty program. They vastly reduced the amount they would pay security researchers who spent time tracking down bugs, so that a discovery that takes every bit as much effort to discover might only pay 10% of what it used to.
To be clear, one does need to be logged into a Windows box to elevate one's privileges, and it looks like Edge also needs to be installed – which is hard to avoid in most modern Windows installations these days. All told, the proof of concept works depressingly well.
More Tech News From Around The Web
- A Third of All Dark Web Domains Are Now V3 Onion Sites @ Slashdot
- Judge: Dismissed Steam antitrust case didn’t include “sufficient facts” @ Ars Technica
- Qualcomm kinda spins out Snapdragon – as a brand, not a business @ The Register
- Watch NASA Crash a Spacecraft Into An Asteroid @ Slashdot
- You Can’t Upgrade Soldered-On Laptop RAM? Think Again @ Hackaday
- A bug introduced 6 months ago brought Google’s Cloud Load Balancer to its knees @ The Register
- E-MonoWheel @ Hackaday