Security researcher Abdelhamid Naceri discovered a zero-day vulnerability affecting all supported versions of Windows. A working proof-of-concept (POC) exploit for this vulnerability was published on GitHub.

Microsoft had already released a patch for this flaw in its November monthly security update. Unfortunately, the patch did not fix the issue properly: after examining Microsoft's fix, Naceri found a more powerful zero-day privilege elevation vulnerability.

CERT-PH has tested the exploit on Windows 10 (21H1, build 19043.1348) and Windows 11 (21H2, build 22000.318). Successful exploitation of the vulnerability could allow an account with standard privileges to obtain administrator privileges, as shown in Figure B.

CERT-PH also tested the exploit with antivirus software installed on the host machine. The antivirus product's behaviour detection was able to detect the exploit and prevent it from executing. CERT-PH has yet to determine whether other antivirus products can detect and prevent the exploit.

______________________________

A. Nature of the Vulnerabilities

The nature of the vulnerability is described as:

CVE-2021-41379

An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation.

______________________________

B. Screenshot of Successful Exploitation

Figure B: Execution of the POC Exploit Code

______________________________

C. List of Vulnerable Systems

Vulnerable Windows OS:

  • All Windows operating systems that support Windows Installer

______________________________

D. Actions to be Taken

CERT-PH recommends the following actions be taken:

{CERT-PH_NCD2021_W3BS!7E}