The vulnerability was discovered when Microsoft released a patch for CVE-2021-41379 (Windows Installer Elevation of Privilege Vulnerability) as a part of the November 2021 Patch Tuesday. Naceri found a bypass to the patch, as well as a more severe zero-day privilege escalation vulnerability, and published a proof-of-concept exploit for the zero-day on GitHub.
This zero-day vulnerability affects all supported client and server versions of Windows, including Windows 10, Windows 11 and Windows Server — even with the latest patches.
How Bad is This?
Pretty bad; privilege elevation is a serious situation, especially when threat actors could elevate from user to admin rights. Throughout 2021 we have seen a growing number of privilege escalation vulnerabilities land on Windows, which is only increasing the attack surface in environments at this point.
There are no workarounds currently available, according to Naceri. Due to the fact that this vulnerability and exploit leverage existing MSI functionality, it is difficult to inherently workaround.
The good news is that a threat actor would need local access to the machine to take advantage of this vulnerability. More good news is that Windows Defender detects the PoC.
What Should I Do?
Organizations that haven’t already enabled Sysmon in their environment should do so. Blumira’s newly-created PowerShell script, Poshim, streamlines Windows log collection by automatically installing and configuring NXLog and Sysmon to ship logs over Sysmon to a targeted IP.
Opatch, a micropatching service, released unofficial patches for the following affected Windows versions:
- Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates
- Windows 10 v20H2 (32 & 64 bit) updated with November 2021 Updates
- Windows 10 v2004 (32 & 64 bit) updated with November 2021 Updates
- Windows 10 v1909 (32 & 64 bit) updated with November 2021 Updates
- Windows 10 v1903 (32 & 64 bit) updated with November 2021 Updates
- Windows 10 v1809 (32 & 64 bit) updated with May 2021 Updates
Windows 10 21H2 is affected, too, but is not yet supported by 0patch.
To install the patch, you must register for an 0patch account and install an 0patch agent through their website. Installing the agent will cause the patch to automatically download. While micropatching is a new method for prevention, it is generally safe to utilize on endpoints that could be impacted. We recommend testing the 0patch micropatches on your test machines like you would test normal Windows patches previous to full patch release.
Additionally, admins can use an endpoint solution and a security incident and event management (SIEM) platform to detect for signs of the PoC exploit in an environment.
How To Detect
This PoC code is easily detectable in its current form due to a built-in MSI (or installer package) and the fact that the PoC has a number of hard-coded naming conventions.
Blumira security experts tested the exploit in their lab environment and found a few ways to detect the PoC:
With Sysmon enabled, admins can look for the following behaviors:
windows_event_id = 11
AND target LIKE '%microsoft plz
By default the PoC utilizes a target with “microsoft plz” in the path, this allows for quick detection opportunities for lazy attackers.
process_name = 'C:\\Windows\\system32\\msiexec.exe'
AND target LIKE '%AppData%splwow64.exe'
AND windows_event_id in (11,26)
The second sysmon detection uses splwow64.exe in its own AppData folder, which it creates and deletes during the process.
Admins can look for the following Windows logs in Event Log Viewer:
AND message LIKE '%test pkg%'
Application logs that contain hardcoded test pkg similar to “microsoft plz” above. Attackers building their own exploits will not utilize this naming convention, however.
The System’s Application log as system references the initial User’s appdata with the System user and SID (S-1-5-18) and user on a failed MSI install. Message for Blumira is seen in the below blob, the general message details. So far in our testing, we were able to reduce false positives but looking for a specific UUID4 format due to how this MSI installer activates but this may result in noise at times.
Search for EventID 1033 and the keyword ‘test pkg’
You can detect the exploitation of Windows InstallerFileTakeOver LPE CVE-2021-41379 with the published PoC with events from the ‘Application’ Eventlog
Search for EventID 1033 and the keyword ‘test pkg’ pic.twitter.com/ypqqfKTROK
— Florian Roth ⚡️ (@cyb3rops) November 22, 2021
How Blumira Can Help
It’s nearly impossible for admins to track every vulnerability, but Blumira’s security experts perform threat hunting on your behalf and develop detections in real time to protect your environment. Blumira can detect activity related to this Windows exploit, as well as many other security incidents.
Blumira’s free trial is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.
Sign up for a free trial to start detecting and mitigating exposure related to Windows vulnerabilities.
Learn More In Our Livestream
Dealing with yet another Microsoft vulnerability before a holiday weekend is frustrating, but Blumira’s security experts can help.
Watch our livestream with Blumira’s Matthew Warner, CTO and Co-Founder, to get your questions answered before you sign off for the holiday.