According to Cisco Talos, abusing the flaw would allow an attacker with limited access to get higher privileges and become an administrator.
A Windows Installer security vulnerability, tracked as CVE-2021-41379, was patched by Microsoft, but according to a report from Cisco Talos, hackers already had created malware to exploit this privilege escalation flaw identified in the enterprise application deployment of the Windows Installer.
The vulnerability had a severity score of 5.5 out of 10. For your information, MS Windows Installer performs several crucial functions like installing/updating/uninstalling software.
About MS Windows Installer Vulnerability
Security researcher Abdelhamid Naceri originally discovered the vulnerability. According to Naceri, the exploit was already present to let an attacker obtain higher-level access to specific system files. However, they won’t obtain the privileges required to view or modify their contents.
How it is Exploited
According to Cisco Talos, abusing the flaw would allow an attacker with limited access to get higher privileges and become an administrator. Every version of MS Windows is impacted by this flaw, including the fully patched Server 2002 and Windows 11. Researchers also detected malware samples in the wild, exploiting this vulnerability.
Did Patch Worsen the Situation?
In his post on GitHub, Naceri insisted that patching the vulnerability intensified the issue as he noted that the bug wasn’t correctly fixed and a more powerful exploit was also available.
Windows installer LPE 0dayhttps://t.co/eiXBWnuDuH
— Abdelhamid Naceri (@KLINIX5) November 22, 2021
Furthermore, the researcher posted a PoC (proof-of-concept) on November 22, demonstrating how the exploitation occurs by overwriting MS Edge’s elevation service Discretionary Access Control List (DACL). It gets copied to the service location and executed to get SYSTEM level privileges.
“For your notes, this works in every supporting windows installation, including Windows 11 & Server 2022 with November 2021 patch. This variant was discovered during the analysis of the CVE-2021-41379 patch. the bug was not fixed correctly, however, instead of dropping the bypass. I have chosen to actually drop this variant as it is more powerful than the original one, ”Naceri wrote.
It is worth noting that Microsoft patched the vulnerability in collaboration with Naceri, and it was released on November 9.
