Last Updated on 10/12/2021 by Nidhi Khandelwal
A zero-day vulnerability that is actively exploited in the wild to get administrator access has an unofficial patch available.
For this flaw, known as the “InstallerFileTakeOver” bug, a working proof-of-concept (PoC) exploit has been published.
The flaw affects all versions of Windows, including Windows 11 and Windows Server 2022, and attackers with limited local accounts can use it to escalate privileges and run code with admin permissions.
The issue was discovered by Abdelhamid Naceri, the researcher who produced the PoC, while he was evaluating Microsoft’s patch for another privilege escalation bug he had reported, now tracked as CVE-2021-41379.
He observed that Microsoft’s fix was insufficient, allowing for code to be run with administrator rights through exploitation. The new variation, which does not yet have a CVE identifier, is also “more powerful than the original,” according to Naceri.
The problem originates in the way Windows Installer creates a Rollback File (.RBF) that permits restoring data erased or modified during the installation process, according to Mitja Kolsek, co-founder of the 0patch service, which provides hotfixes without requiring system reboots.
At one point during installation, Windows moves the RBF file from “Config.msi” to the temporary folder and changes its permissions to grant the user write access.
The 0patch code verifies that the RBF file’s target path contains no junctions or links; if it does, the move is blocked, reducing the possibility of exploitation.
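The guard described above, as an added illustration that is not 0patch’s code: before a file is moved to a destination, every component of the destination path is checked for a symlink, junction or other reparse point, and the move is refused if one is found. The file names and the symlinked “Temp” directory in the demo are constructed.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

# NTFS attribute bit set on junctions and other reparse points (Windows only).
FILE_ATTRIBUTE_REPARSE_POINT = 0x400


def is_link_component(path: Path) -> bool:
    """True if this single path component is a symlink, junction or reparse point."""
    try:
        st = os.lstat(path)  # lstat: inspect the component itself, never follow it
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode):
        return True
    # On Windows, lstat exposes NTFS attributes; junctions carry the reparse-point bit.
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)


def path_has_link(target: Path) -> bool:
    """Check the leaf and every ancestor of target for links (no path resolution)."""
    target = Path(os.path.abspath(target))
    return any(is_link_component(p) for p in (target, *target.parents))


def guarded_move(src, dst) -> bool:
    """Move src to dst only if no component of dst is a link. Returns True if moved."""
    if path_has_link(Path(dst)):
        return False  # refuse: a redirected component could land the file elsewhere
    shutil.move(src, dst)
    return True


def demo() -> tuple:
    """Constructed scenario: 'linked_tmp' is a symlink to a protected directory.
    Returns (move_via_link_refused, move_to_real_dir_allowed)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()  # resolve so the test root itself is link-free
        protected, real_tmp = root / "protected", root / "real_tmp"
        protected.mkdir(), real_tmp.mkdir()
        (root / "linked_tmp").symlink_to(protected, target_is_directory=True)
        rbf = root / "rollback.rbf"
        rbf.write_text("constructed rollback data")
        refused = not guarded_move(rbf, root / "linked_tmp" / "rollback.rbf")
        allowed = guarded_move(rbf, real_tmp / "rollback.rbf")
        return refused, allowed
```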
It’s worth noting that the 0patch micropatch is only a stopgap designed to keep PCs secure until Microsoft provides a permanent fix, which has yet to happen.
In an interview with BleepingComputer, Naceri admitted that he disclosed the proof-of-concept (PoC) attack for this unaddressed bug without telling Microsoft.