Attackers are trying to exploit a new variant of a recently publicized privilege escalation vulnerability. The aim is to potentially execute imperious code on fully-patched systems in order to demonstrate how adversaries move quickly to weaponize a publicly available exploit.
Cisco Talos revealed that it “detected malware samples in the wild that are attempting to take advantage of this vulnerability.”
Abdelhamid Naceri, who is a security researcher, tracked and discovered the thread called CVE-2021-41379. The elevation of privilege flaw affecting the Windows Installer software component was actually resolved as part of Microsoft’s Patch Tuesday updates for November 2021.
Naceri, however, found that it was not only possible to bypass the fix implemented by Microsoft, but also achieve local privilege escalation via a newly discovered zero-day bug.
The proof-of-concept (POC) exploit, dubbed “InstallerFileTakeOver,” works by overwriting the discretionary access control list (DACL) for Microsoft Edge Elevation Service in order to replace any executable file on the system with an MSI installer file which allows the attacker to run code with SYSTEM privileges.
So, what can the attacker cause to the system? Well, an attacker is given admin privileges, they could then abuse the access to gather full control over the system. He can download additional software, modify, delete or even delete sensitive information stored in the machine. Kevin Beaumont who is a security researcher tweeted:
“Can confirm this works, local priv esc. Tested on Windows 10 20H2 and Windows 11. The prior patch MS issued didn’t fix the issue properly.”
In Neceri’s opinion, the best course if action is now waiting for Microsoft to release a security patch for the problem as the latest variant of CVE-2021-41379 is “more powerful than the original one.” However, we still don’t know when Microsoft will act on the public disclosure and release a fix.