Cybersecurity researchers have publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that gives admin privileges in Windows 10, Windows 11, and Windows Server releases.
Exploiting this bug, threat actors with access to a limited Standard user account on a vulnerable Windows installation can elevate to SYSTEM user privileges, and then move laterally within the network.
Abdelhamid Naceri working with Trend Micro’s Zero Day Initiative had originally discovered the vulnerability, which Microsoft had fixed as part of the November 2021 Patch Tuesday. However, examination of Microsoft’s patch led Naceri to discover a bypass that led to the more powerful new privilege elevation vulnerability.
Powerful PoC
Naceri has published a working proof-of-concept (PoC) exploit for the new zero-day, saying that it works on all supported versions of Windows.
“This variant was discovered during the analysis of CVE-2021-41379 patch. the bug was not fixed correctly, however, instead of dropping the bypass. I have chosen to actually drop this variant as it is more powerful than the original one,” wrote Naceri.
Naceri claims that his PoC is “extremely reliable,” and he’s tested it in multiple conditions and Windows variants and found that it works in every attempt. Furthermore, he explains that the PoC even works in Windows server installation as well, which by default doesn't allow standard users to perform MSI installer operations.
“The best workaround available at the time of writing this is to wait [for] Microsoft to release a security patch, due to the complexity of this vulnerability. Any attempt to patch the binary directly will break [the] windows installer,” suggests Naceri.
Protect your computers with the help of the best endpoint protection tools and use these best security keys to add another layer to safeguard your accounts
