After patch fails, researcher publishes exploit for Windows EoP vulnerability (CVE-2021-41379)
A local elevation of privilege (EoP) vulnerability in Windows Installer (CVE-2021-41379), which Microsoft patched in its November 2021 Patch Tuesday release, is still exploitable, according to the researcher who discovered it.

Worse, malware developers have already started using it.

About the flaw and the exploit

Abdelhamid Naceri, who reported the flaw through Trend Micro's Zero Day Initiative (ZDI), analyzed Microsoft's patch for CVE-2021-41379 and found that the bug was "not fixed properly".

He therefore wrote a proof-of-concept exploit, nicknamed "InstallerFileTakeOver", and published it on GitHub. Others have confirmed that it works reliably on fully patched Windows 10, Windows 11 and Windows Server 2022 systems.

Naceri says the PoC exploit overwrites the Discretionary Access Control List (DACL) of the Microsoft Edge Elevation Service, copies itself into the service's location, and then runs the service to gain elevated privileges.

For the exploit to work, an attacker must already be able to run code on the targeted Windows machine, and Microsoft Edge must be installed on it.
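Because the exploit works by rewriting the DACL of the Edge Elevation Service binary and then replacing that binary with the attacker's own, an administrator can look for exactly those two side effects. The following PowerShell script is an added example and is not code from the article or from Naceri's PoC. It assumes the service is registered under the name MicrosoftEdgeElevationService (pass -ServiceName to check a different service) and that only SYSTEM, Administrators and TrustedInstaller legitimately hold write access to a binary under Program Files; it then verifies that the file still carries a valid Microsoft Authenticode signature.

```powershell
# Added example, not code from the article or from Naceri's PoC.
# Checks whether a Windows service's binary is still in the state a clean
# install leaves it: only trusted principals can write to it, and it still
# carries a valid Microsoft Authenticode signature. The exploit described
# above rewrites the Edge Elevation Service binary's DACL and then replaces
# the binary, so either check failing is worth investigating.
#
# Assumption: the Edge Elevation Service is registered under the name
# 'MicrosoftEdgeElevationService'. Pass -ServiceName to check another service.
param(
    [string]$ServiceName = 'MicrosoftEdgeElevationService'
)

function Get-ServiceBinaryPath {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return $null }
    # PathName is the raw command line: possibly quoted, possibly with arguments.
    $cmd = $svc.PathName.Trim()
    if ($cmd.StartsWith('"')) {
        return $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1)
    }
    return ($cmd -split '\s+')[0]
}

function Test-ServiceBinaryIntegrity {
    param([Parameter(Mandatory)][string]$Path)

    # Assumption: these are the only principals that should be able to write
    # to a binary under Program Files on a clean install.
    $trustedWriters = @(
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators',
        'NT SERVICE\TrustedInstaller'
    )
    # Any of these rights lets a principal replace or alter the binary,
    # or change its DACL so that it can.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete -bor
                 [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                 [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                 [System.Security.AccessControl.FileSystemRights]::WriteAttributes

    $findings = @()
    $acl = Get-Acl -Path $Path

    if ($acl.Owner -notin $trustedWriters) {
        $findings += "Unexpected owner: $($acl.Owner)"
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -in $trustedWriters) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) {
            $findings += "Write access granted to $($ace.IdentityReference.Value): $($ace.FileSystemRights)"
        }
    }

    # A replaced binary will either be unsigned or signed by someone else.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings += "Authenticode signature status: $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $findings += "Signed by unexpected publisher: $($sig.SignerCertificate.Subject)"
    }

    [pscustomobject]@{
        Path     = $Path
        Owner    = $acl.Owner
        Signer   = $sig.SignerCertificate.Subject
        Tampered = ($findings.Count -gt 0)
        Findings = $findings
    }
}

$binary = Get-ServiceBinaryPath -Name $ServiceName
if (-not $binary) {
    Write-Warning "Service '$ServiceName' is not installed on this host."
    return
}
Test-ServiceBinaryIntegrity -Path $binary | Format-List
```

Run it as-is to get a Tampered flag and a list of findings for the Edge Elevation Service binary; a non-trusted principal holding write access, or a signature that is no longer a valid Microsoft one, is the footprint the described exploit leaves behind. The same two checks apply to any other service binary an attacker might choose as a target, which is why the service name is a parameter rather than hardcoded.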

Risk mitigation

There is currently no official workaround to mitigate the risk posed by this vulnerability and the failed patch. Any attempt to patch the binary directly will break Windows Installer, Naceri notes, so the best option for users and administrators is to wait until Microsoft releases a new patch that (ideally) actually works.

Meanwhile, Jaeson Schultz, technical leader of Cisco Talos Intelligence Group, said his team has already detected malware samples in the wild that attempt to take advantage of this vulnerability.

"Since the volume is low, it's probably people working with the proof of concept code or testing for future campaigns. It's just further proof of how quickly adversaries are working to arm a publicly available exploit," he told Bleeping Computer.

Until Microsoft provides a fix, organizations can use Cisco-provided Snort rules to detect attacks targeting CVE-2021-41379.
