All Windows versions impacted by new Local Privilege Escalation (LPE) zero-day vulnerability

guest · Oct 28, 2021

All Windows versions impacted by new LPE zero-day vulnerability
October 28, 2021
https://www.bleepingcomputer.com/ne...s-impacted-by-new-lpe-zero-day-vulnerability/

A security researcher has disclosed technical details for a Windows zero-day privilege elevation vulnerability and a public proof-of-concept (PoC) exploit that gives SYSTEM privileges under certain conditions.

A public proof-of-concept (PoC) exploit and technical details for an unpatched Windows zero-day privilege elevation vulnerability has been disclosed that allows users to gain SYSTEM privileges under certain conditions.
The good news is that the exploit requires a threat actor to know another user's user name and password to trigger the vulnerability, so it will likely not be widely abused in attacks.
Click to expand...

The bad news is that it affects all versions of Windows, including Windows 10, Windows 11, and Windows Server 2022.
Researcher releases bypass to patched vulnerability
August, Microsoft released a security update for a "Windows User Profile Service Elevation of Privilege Vulnerability" tracked as CVE-2021-34484 and discovered by security researcher Abdelhamid Naceri.

After examining the fix, Naceri found that the patch was not sufficient and that he was able to bypass it with a new exploit that he published on GitHub.

"Technically, in the previous report CVE-2021-34484. I described a bug where you can abuse the user profile service to create a second junction," Naceria explains in a technical writeup about the vulnerability and the new bypass.
Click to expand...

This exploit will cause an elevated command prompt with SYSTEM privileges to be launched while the User Account Control (UAC) prompt is displayed.

Will Dormann, a vulnerability analyst for CERT/CC, tested the vulnerability and found that while it worked, it was temperamental and did not always create the elevated command prompt.
Click to expand...

As this bug requires a threat actor to know a user name and password for another user [...]

"Definitely still a problem. And there may be scenarios where it can be abused. But the 2 account requirement probably puts it in the boat of NOT being something that will have widespread use in the wild," Dormann told BleepingComputer.
Click to expand...

Floyd 57 · Oct 29, 2021

Are we gonna post every single CVE now lol. Also i can't imagine they would post it before it's patched. So while u're reading it it's already patched and nothing to worry about, likely.

Rasheed187 · Oct 31, 2021

Floyd 57 said: ↑

Are we gonna post every single CVE now lol. Also i can't imagine they would post it before it's patched. So while u're reading it it's already patched and nothing to worry about, likely.
Click to expand...

It's indeed true that most of the holes in Windows are not an immediate threat to especially home users. And who knows how many more zero days are present in Windows and others OS like macOS, so mitigation tools stay the most important.

guest · Nov 12, 2021

Zero-day bug in all Windows versions gets free unofficial patch
November 12, 2021
https://www.bleepingcomputer.com/ne...-windows-versions-gets-free-unofficial-patch/

A free and unofficial patch is now available for a zero-day local privilege escalation vulnerability in the Windows User Profile Service that lets attackers gain SYSTEM privileges under certain conditions.

The bug, tracked as CVE-2021-34484, was incompletely patched by Microsoft during the August Patch Tuesday. The company only addressed the impact of the proof-of-concept (PoC) provided by security researcher Abdelhamid Naceri who reported the issue.
Naceri later discovered that threat actors could still bypass the Microsoft patch to elevate privileges to gain SYSTEM privileges if certain conditions are met, getting an elevated command prompt while the User Account Control (UAC) prompt is displayed.
Click to expand...

After BleepingComputer's report on the CVE-2021-34484 bypass, Microsoft told us that they are aware of the issue and "will take appropriate action to keep customers protected."
Free patch available until Microsoft addresses the bug
While Microsoft is still working on a security update to address this zero-day flaw, the 0patch micropatching service has released Thursday a free unofficial patch (known as a micropatch).

0patch developed the micropatch using the info provided by Naceri in his write-up and PoC for the Windows User Profile Service 0day LPE.

"While this vulnerability already has its CVE ID (CVE-2021-33742), we're considering it to be without an official vendor fix and therefore a 0day," 0patch co-founder Mitja Kolsek explained. "Micropatches for this vulnerability will be free until Microsoft has issued an official fix."
Click to expand...

guest · Nov 22, 2021

0-Day LPE Vulnerability in Windows Installer (Nov. 2021)
November 23, 2021
https://borncity.com/win/2021/11/23/0-day-lpe-schwachstelle-im-windows-installer-nov-2021/

A security researcher has found a 0-day vulnerability in Windows Installer that allows a local attacker to gain administrative privileges. The 'Windows Installer Elevation of Privilege' vulnerability CVE-2021-41379 has been patched in November 2021. But there is a workaround, the patch is ineffective. All Windows versions are affected, including Windows 10, that brand new Windows 11, and all Windows Server versions.

I came across the following tweet from Will Dormann a few hours ago, which briefly touches on the problem and points to the findings of security researcher Abdelhamid Naceri.
In a follow-up tweet, a security researcher asks for details and receives the answer from Will Dormann that the exploitation follows a primitive strategy: A scheduled task is addressed, from which the privileges are inherited. During the next code execution, the process runs with the respective privileges.
Click to expand...

Security researcher Abdelhamid Naceri has published the InstallerFile-Takeover exploit on Github. The variant of the vulnerability was discovered by him during the analysis of the patch CVE-2021-41379.

Bleeping Computer colleagues have been in contact with Naceri, as they write here. When asked why he was making the 0-day vulnerability public, he said he was doing so out of frustration with Microsoft's declining bounties under its bug bounty program. Naceri commented:

Microsoft bounties have been on the decline since April 2020. I really wouldn't be doing this if MSFT hadn't made the decision to downgrade those bounties.
Click to expand...

guest · Nov 23, 2021

Malware now trying to exploit new Windows Installer zero-day
November 23, 2021
https://www.bleepingcomputer.com/ne...ng-to-exploit-new-windows-installer-zero-day/

Malware creators have already started testing a proof-of-concept exploit targeting a new Microsoft Windows Installer zero-day publicly disclosed by security researcher Abdelhamid Naceri over the weekend.

"Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability," said Jaeson Schultz, Technical Leader for Cisco's Talos Security Intelligence & Research Group.
However, as Cisco Talos' Head of Outreach Nick Biasini told BleepingComputer, these exploitation attempts are part of low volume attacks likely focused on testing and tweaking exploits for full-blown campaigns.
Click to expand...

Zero-day bypasses Windows Installer patch
The vulnerability in question is a local privilege elevation bug found as a bypass to a patch Microsoft released during November 2021's Patch Tuesday to address a flaw tracked as CVE-2021-41379.
On Sunday, Naceri published a working proof-of-concept exploit for this new zero-day, saying it works on all supported versions of Windows.

BleepingComputer has tested Naceri's exploit and used it to successfully open a command prompt with SYSTEM permissions from an account with low-level 'Standard' privileges.
"The best workaround available at the time of writing this is to wait Microsoft to release a security patch, due to the complexity of this vulnerability," explained Naceri.
Click to expand...

"We are aware of the disclosure and will do what is necessary to keep our customers safe and protected. An attacker using the methods described must already have access and the ability to run code on a target victim's machine," a Microsoft spokesperson told BleepingComputer when asked for more details regarding this vulnerability.
Click to expand...

Cisco Talos: Attackers exploiting zero-day vulnerability in Windows Installer — Here’s what you need to know and Talos’ coverage

BoerenkoolMetWorst · Nov 24, 2021

Floyd 57 said: ↑

Are we gonna post every single CVE now lol. Also i can't imagine they would post it before it's patched.
Click to expand...

Actually they did, that happens quite often. It may be for self interest, but also for public interest. Sometimes companies don't respond or are very slow to work on a fix, with making a vulnerability public a researcher may want to force the company to fix it faster.

Floyd 57 said: ↑

So while u're reading it it's already patched and nothing to worry about, likely.
Click to expand...

I'm not sure if it is patched now, but it wasn't at the time of writing, that's why it is called a 0-day.

guest · Dec 6, 2021

0Patch has a patch for Windows "InstallerFileTakeOver" 0-day vulnerability, Microsoft has none
December 3, 2021

There is a 0-day vulnerability for Windows, called InstallerFileTakeOver, which Microsoft has yet to address. The vulnerability was discovered by Abdelhamid Naceri, a security researcher, who discovered two other 0-day vulnerabilities in Windows this year already.

We mentioned the vulnerability in late November 2021 already here on this site. The issue was unpatched back then and Microsoft has yet to release a security update that addresses the vulnerability.
Micro-patching company 0Patch released a free patch for the issue this week that is available to all users
Click to expand...

0Patch notes that non-ESU Windows 7 and Windows Server 2012 installations are not affected by the vulnerability. Windows Server 2022 and Windows 11 are likely also affected, but not officially supported by the company yet (hence no patch). Windows 8.1 was not analyzed because of low interest in the particular version of Windows.

Check out the 0Patch blog for additional details.
Click to expand...

guest · Mar 21, 2022

After multiple Patch Tuesday fails, unofficial fix for an old Windows vulnerability released
March 21, 2022

The bug we are talking about here is a local privilege escalation (LPE) flaw inside the Windows User Profile service that Microsoft first acknowledged with the ID "CVE-2021-34484" and received a CVSS v3 score of 7.8. The issue was supposedly patched by the company via its August 2021 Patch Tuesday update.
[...] Microsoft issued its next fix via the January 2022 Patch Tuesday but Naceri once again was able to get around it on all Windows versions except Server 2016.

A certain "profext.dll" DLL file issued by 0patch was able to fix the issue. However, Microsoft seemingly modified this DLL file and nullified the patch, making users' systems vulnerable again.
To counter this, 0patch has now ported its fix for the new profext.dll and made it available for download.
Click to expand...

0Patch: A Bug That Doesn't Want To Die (CVE-2021-34484)

Twice Bypassed and Twice Micropatched, Will Third Time be a Charm?
Click to expand...

Log in or Sign up

All Windows versions impacted by new Local Privilege Escalation (LPE) zero-day vulnerability

guest Guest

Floyd 57 Registered Member

Rasheed187 Registered Member

guest Guest

guest Guest

guest Guest

BoerenkoolMetWorst Registered Member

guest Guest

guest Guest

Log in or Sign up

All Windows versions impacted by new Local Privilege Escalation (LPE) zero-day vulnerability

guest Guest

Floyd 57 Registered Member

Rasheed187 Registered Member

guest Guest

guest Guest

guest Guest

BoerenkoolMetWorst Registered Member

guest Guest

guest Guest

Useful Searches