After failed fix, researcher releases exploit for Windows EoP flaw (CVE-2021-41379)

A local elevation of privilege vulnerability (CVE-2021-41379) in the Windows Installer that Microsoft supposedly fixed on November 2021 Patch Tuesday is, according to its discoverer, still exploitable.

CVE-2021-41379

What’s more, it is already being leveraged by malware developers.

About the flaw and the exploit

Abdelhamid Naceri, who reported the flaw through the Trend Micro Zero Day Initiative, has analyzed the patch for CVE-2021-41379 and found that the bug was “not fixed correctly.”

So he created and made available on GitHub a reliable proof-of-concept exploit (dubbed “InstallerFileTakeOver”) that – others have confirmed – works on fully patched Windows 10, 11, and Windows Server 2022.

Naceri says that the PoC exploit overwrites Microsoft Edge Elevation Service DACL (discretionary access control list) and copies itself to the service location and executes it to gain elevated privileges.

For the exploit to work, an attacker must already have access to the targeted Windows machine and Microsoft Edge must be installed on it.

Risk mitigation

There is currently no official workaround to mitigate the risk posed by this flaw and its failed patch. Any attempt to patch the binary directly will break Windows Installer, Naceri notes, so users’ and admins’ best bet is to wait for Microsoft to come up with a new patch that (ideally) actually works.

In the meantime, Jaeson Schultz, Technical Leader for Cisco Talos Intelligence Group, has shared that they’ve already detected malware samples in the wild that are attempting to take advantage of this vulnerability.

“Since the volume is low, this is likely people working with the proof of concept code or testing for future campaigns. This is just more evidence on how quickly adversaries work to weaponize a publicly available exploit,” he told Bleeping Computer.

Until Microsoft delivers a fix, enterprises can use the Snort rules provided by Cisco to detect attacks targeting CVE-2021-41379.

Don't miss