An unofficial patch is available for a zero-day vulnerability that is actively exploited in the wild to gain administrator privileges.
Proof-of-concept (PoC) exploit code that works out of the box has been published for this issue, which is referred to as the “InstallerFileTakeOver” bug.
The vulnerability affects all Windows versions, including Windows 11 and Windows Server 2022, and it can be exploited by attackers with limited local accounts to escalate privileges and run code with admin rights.
Unpatched bug in Windows Installer
Abdelhamid Naceri, the researcher who created the PoC, found the issue while analyzing the patch for another privilege escalation bug that he had reported to Microsoft, currently tracked as CVE-2021-41379.
He discovered that Microsoft’s fix was incomplete, leaving room for exploitation to run code with administrator privileges. Naceri also noted that the new variant, which has not yet received a CVE identifier, “is more powerful than the original one.”
Mitja Kolsek, the co-founder of the 0patch service that delivers hotfixes that don’t require system reboots, explains that the issue stems from the way Windows Installer creates a Rollback File (.RBF) that allows restoring the data deleted or modified during the installation process.
At one point, Windows changes the location of the RBF file from “Config.msi” to the temporary folder and modifies its permissions to allow user write access.
“Abdelhamid noticed that a symbolic link can be created in place of the incoming RBF file, which will result in moving the RBF file from C:\Windows\Installer\Config.msi to some other user-chosen file on the system. Since Windows Installer is running as Local System, any file writable by Local System can be overwritten and made writable by the local user” – Kolsek says in a blog post last week.
The 0patch code checks that there are no junctions or links in the destination path of the RBF file; otherwise, it blocks the move to eliminate the risk of exploitation.
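The kind of check the micropatch applies, as an added example that is not 0patch's code: before a privileged move, walk every component of the destination path and refuse the move if any of them is a symlink, junction or other reparse point. Function names and the sample paths are ours, and the check-then-move race noted in the last function is a caveat of this simplified form.

```python
"""Added example (not 0patch's code): refuse to move a file when any
component of the destination path is a symlink, junction or other
reparse point, the same class of check the micropatch applies to the
Windows Installer rollback (.RBF) move. All names here are ours."""
import os
import shutil
import stat
from pathlib import Path
from typing import Optional

# FILE_ATTRIBUTE_REPARSE_POINT is only defined in `stat` on Windows;
# the constant's value (0x400) is used as a fallback elsewhere.
REPARSE_POINT = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_reparse_point(path: Path) -> bool:
    """True if `path` itself (not its target) is a symlink, junction or
    other reparse point. lstat() inspects the link, not what it points to."""
    try:
        st = path.lstat()
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode):          # POSIX and Windows symlinks
        return True
    # Windows junctions are reparse points that do not report S_IFLNK
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & REPARSE_POINT)


def find_reparse_component(dest: Path) -> Optional[Path]:
    """Walk every component of `dest`, from the root down to the final
    name, and return the first one that is a reparse point (else None)."""
    dest = Path(os.path.abspath(dest))
    for candidate in (*reversed(dest.parents), dest):
        if is_reparse_point(candidate):
            return candidate
    return None


def safe_move(src: Path, dest: Path) -> bool:
    """Move `src` to `dest` only if no component of `dest` is a link.
    Returns False (and moves nothing) when a link is found. The check and
    the move are not atomic: a privileged service would also need to pin
    the directory (open handle) to rule out a link swapped in between."""
    if find_reparse_component(Path(dest)) is not None:
        return False
    shutil.move(str(src), str(dest))
    return True
```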
The micropatch is free and it works on Windows 7 ESU, Windows 10, Server 2008 ESU/2012/2016/2019. A video published earlier this month shows it in action.
Note that the 0patch micropatch is a temporary solution aimed at keeping systems safe until Microsoft releases a permanent patch for the issue, which has yet to happen.
Talking to BleepingComputer, Naceri said that he released the proof-of-concept (PoC) exploit for this unsolved issue without informing Microsoft of his findings.
This approach was influenced by his previous experience reporting CVE-2021-41379 and other vulnerabilities to Microsoft, which the researcher believes deserved more than just a “thank you” from the company.
Until Microsoft rolls out a fix for this problem, threat actors have a new method to increase their privileges on a compromised Windows computer and they are not wasting any time.
A threat advisory from Cisco Talos last month warned that adversaries are using malware samples that try to leverage the new vulnerability discovered by Naceri.
“The code Naceri released leverages the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator” – Cisco Talos
For now, the best defense users have is to run the 0patch temporary fix, which is applied on the fly and does not require restarting the machine.