IT Won’t Give You Admin? This Windows Installer Bug Can Fix That

Source: The Register

The Patch, It Does Nothing

There once was a zero-day vulnerability tracked as CVE-2021-41379, which let a user gain elevated access to a system with a malformed MSI-type installer. Exploiting it allowed them to delete files they shouldn’t be able to, though thankfully not to edit them. Microsoft released a fix for the flaw in their latest batch of patches; however, the story does not end there.

The security researcher who originally discovered this flaw, Abdelhamid Naceri, wanted to make sure that the patch worked as intended, and in his investigation discovered that not only was the patch ineffective, but that the flaw was actually worse than originally thought. Naceri posted two MSI files to GitHub which make use of the same attack; in this case, however, the exploit will actually grant a local user SYSTEM privileges, letting them inflict far more damage than simply deleting files they can access.

This affects fully patched Windows 10 and 11 systems, as well as Server versions up to 2022, and can even bypass group policy objects which would normally prevent a user from launching an MSI. If you are curious why this zero day was released to GitHub and not sent in confidence to Microsoft, it is because of the decisions Microsoft made last year regarding their bug bounty program. They vastly reduced the amount they would pay security researchers who spent time tracking down bugs, so that a discovery that takes every bit as much effort as before might only pay 10% of what it used to.

To be clear, one does need to be logged into a Windows box to elevate one's privileges, and it looks like Edge also needs to be installed – which is hard to avoid in most modern Windows installations these days. All told, the proof of concept works depressingly well.

About The Author

Jeremy Hellstrom

Call it K7M.com, AMDMB.com, or PC Perspective, Jeremy has been hanging out and then working with the gang here for years. Apart from the front page you might find him on the BOINC Forums or possibly the Fraggin' Frogs if he has the time.
