A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that grants administrative privileges on Windows 10, Windows 11, and Windows Server.
The exploit has been tested and used to open a command prompt with SYSTEM privileges from an account that has only low-level ‘Standard’ user privileges. Threat actors with limited access to a compromised device could use it to elevate their privileges, which in turn helps them spread laterally within the network.
In the November 2021 Patch Tuesday updates, Microsoft fixed a ‘Windows Installer Elevation of Privilege Vulnerability’, tracked as CVE-2021-41379, which affects all supported versions of Windows, including Windows 10, Windows 11, and Windows Server 2022.
The vulnerability was discovered by security researcher Abdelhamid Naceri, who, after examining Microsoft’s fix, found a bypass for the patch as well as a new and more powerful zero-day privilege elevation vulnerability.
According to Naceri, the new variant was discovered during analysis of the CVE-2021-41379 patch. The bug was not fixed correctly, and instead of dropping the patch bypass he chose to drop this variant, as it is more powerful than the original one.
The researcher said he publicly disclosed the zero-day because of Microsoft’s shrinking bug bounty rewards, stating that Microsoft’s bounties have been trashed since April 2020. As is typical with zero-days, Microsoft will likely fix the vulnerability in a future Patch Tuesday update.
The researcher has warned against trying to fix the vulnerability by patching the affected binary directly, because any such attempt will break Windows Installer. Given the complexity of the vulnerability, the best option available at the time of writing is to wait for Microsoft to release a security patch.