  • New Windows zero-day with public exploit lets you become an admin

    • This topic has 7 replies, 3 voices, and was last updated 1 week ago.
    #2403055

    https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/

    A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that gives admin privileges in Windows 10, Windows 11, and Windows Server.

    BleepingComputer has tested the exploit and used it to open a command prompt with SYSTEM privileges from an account with only low-level ‘Standard’ privileges.

    Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network.

    The vulnerability affects all supported versions of Windows, including Windows 10, Windows 11, and Windows Server 2022….

    Researcher releases bypass to patched vulnerability
    As part of the November 2021 Patch Tuesday, Microsoft fixed a ‘Windows Installer Elevation of Privilege Vulnerability’ vulnerability tracked as CVE-2021-41379.

    This vulnerability was discovered by security researcher Abdelhamid Naceri, who found a bypass to the patch and a more powerful new zero-day privilege elevation vulnerability after examining Microsoft’s fix.

    Yesterday, Naceri published a working proof-of-concept exploit for the new zero-day on GitHub, explaining that it works on all supported versions of Windows.

    “This variant was discovered during the analysis of CVE-2021-41379 patch. the bug was not fixed correctly, however, instead of dropping the bypass,” explains Naceri in his writeup. “I have chosen to actually drop this variant as it is more powerful than the original one.”

    Furthermore, Naceri explained that while it is possible to configure group policies to prevent ‘Standard’ users from performing MSI installer operations, his zero-day bypasses this policy and will work anyway.

    • #2403068

      while it is possible to configure group policies to prevent ‘Standard’ users from performing MSI installer operations, his zero-day bypasses this policy and will work anyway

      Will it ever stop?

      ~
    • #2403069

      Will it ever stop?

      No.
      Hackers will now rejoice after the zero-day bug was published in the open.

    • #2403752

      I never considered that what I thought by observation was a performance “default” was both not a default and a security, not a performance, decision.

      https://www.bleepingcomputer.com/news/security/new-windows-10-zero-day-gives-admin-rights-gets-unofficial-patch/

      Anyone seen system restore on with a flat Windows 10 install? Or is it a flaw in the localised installation media?

    • #2403754

      I guess I should have known, the bulk machines I worked on all had SSDs which were too small to exploit that issue!

    • #2403756

      Anyone seen system restore on with a flat Windows 10 install?

      System Restore is off by default.
      Microsoft doesn’t even create a system restore point with monthly CUs or Feature updates.

    • #2403764

      That was what I thought, and had observed so often, but at the link in the article, ending at

      https://docs.microsoft.com/en-US/troubleshoot/windows-client/deployment/system-restore-points-disabled

      we are told

      “This behavior is by design.” … “if the disk size is less than 128 GB, no restore point is created until System Restore is manually enabled.”

      I’m assuming MS are talking gigabytes and the suppliers of the drive we used were saying in small print that when they put 128Gb they meant 128 gibibytes, so technically it was going to happen.

      Or are you with me, as in you’ve never seen it active even when it should be? I reloaded LTSC for a client of a local OEM/reseller for some years and I’ve never seen it, and not all of them were long runs or workstation spec.

      Still, I guess the good news is that the zero-day is unlikely to be a lot of good on a lot of systems.
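
      The System Restore behaviour argued over in the last two replies (off by default, the 128 GB threshold from the linked Microsoft troubleshooting article, and the GB versus GiB small print) can be checked on a given machine rather than inferred. The PowerShell script below is an added example for this thread, not code from any of the posters or from Microsoft. It assumes Windows PowerShell 5.1 in an elevated session (Get-ComputerRestorePoint and Checkpoint-Computer are not available in PowerShell 7), treats the RPSessionInterval registry value as the System Restore on/off flag, and the -CreatePoint switch is this example's own parameter name.

```powershell
<#
  Added example for this thread (not from the posters or from Microsoft).
  Reports what the replies above argue about:
    - system volume size in decimal GB and in GiB, against the 128 GB threshold
      quoted from the Microsoft troubleshooting article;
    - whether System Restore is enabled for the system drive;
    - the restore points that currently exist.
  Assumptions: Windows PowerShell 5.1, run elevated, and RPSessionInterval
  (1 = on, 0 = off) is taken as the System Restore enabled flag.
  -CreatePoint is this example's own switch name.
#>
param(
    [switch]$CreatePoint   # also enable protection and create one manual restore point
)

$systemDrive = $env:SystemDrive                       # e.g. "C:"

# Volume size. PowerShell's 1GB constant is binary (1 GiB = 1073741824 bytes),
# so compute both units: a drive sold as "128 GB" is only about 119 GiB.
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$systemDrive'"
$sizeDecimalGB = [math]::Round($disk.Size / 1e9, 1)
$sizeGiB       = [math]::Round($disk.Size / 1GB, 1)
$freeGiB       = [math]::Round($disk.FreeSpace / 1GB, 1)
Write-Host ("System volume {0}: {1} GB (decimal) = {2} GiB, {3} GiB free" -f
            $systemDrive, $sizeDecimalGB, $sizeGiB, $freeGiB)

if ($sizeDecimalGB -lt 128) {
    Write-Host "Under the 128 GB threshold: no automatic restore point until System Restore is enabled by hand."
}

# System Restore state for the machine, read from the registry.
$srKey      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$rpInterval = (Get-ItemProperty -Path $srKey -Name RPSessionInterval -ErrorAction SilentlyContinue).RPSessionInterval
$enabled    = ($rpInterval -eq 1)
Write-Host "System Restore enabled: $enabled"

if ($CreatePoint) {
    # Mirror what the poster below does weekly: turn protection on for the
    # system drive and create a manual restore point. Checkpoint-Computer makes
    # at most one restore point per 24 hours unless the frequency is changed.
    Enable-ComputerRestore -Drive "$systemDrive\"
    Checkpoint-Computer -Description 'Weekly manual restore point' -RestorePointType MODIFY_SETTINGS
}

# Existing restore points, oldest first. CreationTime is a DMTF timestamp,
# hence the conversion. An empty list with System Restore on is worth a look.
Get-ComputerRestorePoint |
    Sort-Object SequenceNumber |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# Restore points are VSS shadow copies; when the allotted shadow storage fills,
# the oldest point is dropped, which is one way a manual point can disappear
# after an update. Show the quota and usage per volume.
vssadmin list shadowstorage
```

      Run it as `.\Check-SystemRestore.ps1` to report only, or with `-CreatePoint` to enable protection and take a manual point as well. The decimal-versus-binary size line is the part that settles the 128 GB question for a particular drive: the threshold check uses the decimal figure, since that is the unit the Microsoft article quotes.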

    • #2403767

      Or are you with me as in you’ve never seen it active even when it should be

      I manually create a system restore point once per week.
      Sometimes Microsoft deletes that restore point and replaces it with its own (rather than adding one). My C drive is a 256GB SSD with ~150GB+ of free space.

      Windows 10 Pro 21H2.
