Windows Installer Vulnerability Risk Advisory
DL25 Security has noticed that an exploit (EXP) for a Windows Installer privilege escalation vulnerability has been published on the Internet. The vulnerability bypasses the patch Microsoft released for the Windows Installer vulnerability CVE-2021-41379. No patch exists for it, so it is in 0-day status. DL25 security experts have verified that the publicly disclosed 0-day exploit code works, which means its use by cybercriminals is not far off.
The vulnerability was discovered by security researcher Abdelhamid Naceri, who, while examining Microsoft's fix, found both a bypass of the patch and a more powerful new 0-day elevation-of-privilege vulnerability. Naceri published the POC/EXP for the new 0-day on GitHub, stating that it works on all supported Windows versions.
"This variant was discovered during the analysis of the CVE-2021-41379 patch. The bug was not properly fixed, rather than giving up the bypass," Naceri explained in his article. While Group Policy can be configured to prevent "standard" users from performing MSI installer actions, his 0-day bypasses this policy and works anyway.
The exploit works by overwriting the DACL of the Microsoft Edge Elevation Service binary (elevation_service.exe), copying itself over elevation_service.exe, and then executing it to gain elevated privileges. DL25 security experts verified the public exploit and confirmed that system privileges can indeed be obtained; server systems without Edge installed are not affected by the original exploit.
Some foreign security researchers report that malicious samples exploiting this vulnerability have been found in the wild. Microsoft's regular fix window would be the December Patch Tuesday, still two weeks away, and it is currently unclear whether Microsoft will release a patch earlier.
Vulnerability number: none
Vulnerability level: high risk; a local user can escalate privileges to obtain system privileges
Versions Affected: The vulnerability affects all supported versions of Windows, including Windows 10, Windows 11, and Windows Server 2022
Vulnerability repair plan: The vulnerability is still in the 0-day state with no official patch, and malicious samples have been detected. DL25 security experts recommend that Windows users handle unknown files or documents of unknown origin with care in the near future, to avoid accidentally running risky files and being compromised.
Mitigation solution: Disable the MicrosoftEdgeElevationService service to mitigate the risk.
Operation steps: press Win+Q, type "services" in the search box, run the Services console as administrator, find "MicrosoftEdgeElevationService" in the service list, and change its startup type to "Disabled".
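The same mitigation as an added PowerShell example (not part of the advisory or DL25's own tooling): it first checks the DACL of the registered elevation_service.exe binary for write access granted to standard-user principals, which is the tampering the public exploit performs, and then disables the service. It assumes an elevated session and takes the binary path from the service's own registration.

```powershell
# Added example: DACL sanity check plus mitigation for the Edge elevation service.
# Run from an elevated PowerShell session on the affected Windows host.
$svcName = 'MicrosoftEdgeElevationService'

function Test-ElevationServiceDacl {
    # The public exploit rewrites the DACL of elevation_service.exe so that a standard
    # user can overwrite it; write rights for non-admin principals are the indicator.
    $cim = Get-CimInstance Win32_Service -Filter "Name='$svcName'"
    if (-not $cim) { Write-Output "Service $svcName not present on this host."; return }
    # PathName is the registered command line, possibly quoted and with arguments
    # (assumption: the executable is the first token).
    $p = $cim.PathName
    $exe = if ($p.StartsWith('"')) { $p.Split('"')[1] } else { $p.Split(' ')[0] }
    if (-not (Test-Path $exe)) { Write-Warning "Binary $exe not found."; return }
    $acl = Get-Acl -Path $exe
    $lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                 'Everyone', 'NT AUTHORITY\INTERACTIVE')
    $suspicious = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl')
    }
    if ($suspicious) {
        Write-Warning "Non-admin write access on $exe (possible tampering):"
        $suspicious | Format-Table IdentityReference, FileSystemRights -AutoSize
    } else {
        Write-Output "DACL on $exe grants no write access to standard users."
    }
}

function Disable-EdgeElevationService {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Output "Service $svcName not present; the original exploit does not apply here."
        return
    }
    # Record the current start mode so the change can be reverted once a patch ships.
    $before = (Get-CimInstance Win32_Service -Filter "Name='$svcName'").StartMode
    Write-Output "Start mode before: $before"
    if ($svc.Status -eq 'Running') { Stop-Service -Name $svcName -Force }
    Set-Service -Name $svcName -StartupType Disabled
    $after = (Get-CimInstance Win32_Service -Filter "Name='$svcName'").StartMode
    Write-Output "Start mode after: $after"
}

Test-ElevationServiceDacl
Disable-EdgeElevationService
```

Re-enable the service with `Set-Service -Name MicrosoftEdgeElevationService -StartupType Manual` after Microsoft's patch is applied, since Edge's own update and elevation flows depend on it.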