0patch fixes InstallerTakeOver LPE 0-day vulnerability in Windows

Windows[German]The ACROS Security team around founder Mitja Kolsek has now developed and released the third micro-patch within two weeks for a vulnerability discovered by security researchers. The current micro-patch is about a 0-day InstallerTakeOver Local Privilege Escalation (LPE) vulnerability in Windows for which there is no CVE yet. Mitja Kolsek informed me about the issue in a private message on Twitter last night. Here is some information about it.

The InstallerTakeOver LPE vulnerability

There is an unpatched Local Privilege Escalation vulnerability in the Windows installer. The vulnerability was made public a few days ago by security researcher Abdelhamid Naceri via the following tweet. The security researcher points to his GitHub pages where he has published a proof of concept (PoC) and some information.

Windows InstallerTakeOver LPE

The tweet had even come to my attention, but I hadn't looked at the details. This also unpatched vulnerability in the Windows Installer allows a local user (without administrator privileges) to overwrite an existing file to which he has no write permissions and then change its contents arbitrarily. This can easily be abused for Local Privilege Escalation (LPE) by overwriting a trusted system executable with custom code. The PoC of Abdelhamid's POC demonstrates this by starting a command prompt as Local System.

The vulnerability is related to the way Windows Installer creates a rollback file (RBF). This is a file that stores the contents of all files deleted or modified during the installation process. This rollback file allows all files to be restored to their original state in the event of a rollback. The RBF file is created either in the C:\Config.msi folder or in the C:\Windows\Installer\Config.msi folder (the logic of which folder is used is currently not fully understood).

If the RBF file is created in the C:\Windows\Installer\Config.msi * folder, it will later be moved to a known location in the initiating user's temp folder, where the file permissions will also be changed to give the user write access. Abdelhamid noted that a symbolic link can be created instead of the incoming RBF file, which results in the RBF file being moved from C:\Windows\Installer\Config.msi to another user-selected file on the system. Because Windows Installer runs as a Local System, any file that is writable by the Local System can be overwritten and made writable by the local user.

According to Cisco Talos, this vulnerability is already being exploited. But there is neither a CVE nor a patch for the vulnerability – the vulnerability can also be exploited on fully patched Windows 11 systems or Windows Server 2022 with the November 2021 security updates.

The 0Patch solution for the InstallerTakeOver LPE vulnerability

The team at ACROS Security, which has been providing the 0Patch solution for years, has analyzed the LPE vulnerability and provided a micropatch to render the vulnerability harmless. Mitja Kolsek drew attention to this free solution via Twitter.

0patch fix for InstallerTakeOver LPE

The solution is described in details within this blog post from 0patch, dated December 2, 2021. The 0patch micropatches are available for free for the following products:

  1. Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates
  2. Windows 10 v20H2 (32 & 64 bit) updated with November 2021 Updates
  3. Windows 10 v2004 (32 & 64 bit) updated with November 2021 Updates
  4. Windows 10 v1909 (32 & 64 bit) updated with November 2021 Updates
  5. Windows 10 v1903 (32 & 64 bit) updated with November 2021 Updates
  6. Windows 10 v1809 (32 & 64 bit) updated with May 2021 Updates
  7. Windows 10 v1803 (32 & 64 bit) updated with May 2021 Updates
  8. Windows 10 v1709 (32 & 64 bit) updated with October 2020 Updates
  9. Windows 7 ESU (32 & 64 bit) updated with November 2021 Updates
  10. Windows Server 2019 updated with November 2021 Updates
  11. Windows Server 2016 updated with November 2021 Updates
  12. Windows Server 2012 R2 updated with November 2021 Updates
  13. Windows Server 2012 updated with November 2021 Updates
  14. Windows Server 2008 R2 ESU (32 & 64 bit) updated with November 2021 Updates

0patch writes that Windows 7 and Server 2008 R2 without ESU (Extended Security Updates), which ACROS Security has classified as security relevant, do not appear to be vulnerable. It should be noted that Abdelhamid's POC also works on Windows 11 and probably Windows Server 2022. However, ACROS Security does not yet support these Windows versions.

Notes on how the 0patch agent, which loads micropatches into memory at an application's runtime, works can be found in blog posts (such as here).

Similar articles
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1015 in Windows 7/Server 2008 R2
0patch for 0-day RCE vulnerability in Zoom for Windows
Windows Server 2008 R2: 0patch fixes SIGRed vulnerability
0patch fixes CVE-2020-1113 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1337 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1530 in Windows 7/Server 2008 R2
0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2
0patch fixes CVE-2020-1062 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1300 in Windows 7/Server 2008 R2
0patch fixes 0-day vulnerability in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1013 in Windows 7/Server 2008 R2
0patch fixes a Local Privilege Escalation 0-day in Sysinternals PsExec
0patch fixes Windows Installer 0-day Local Privilege Escalation vulnerability
0patch fixes 0-day in Internet Explorer
0patch fixes CVE-2021-26877 in the DNS server of Windows Server 2008 R2
0patch fixes Windows Installer LPE-Bug (CVE-2021-26415)
0Patch provides support for Windows 10 version 1809 after EOL
Windows 10 V180x: 0Patch fixes IE vulnerability CVE-2021-31959
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
0patch fix for new Windows PrintNightmare 0-day vulnerability (Aug. 5, 2021)
0patch fix for Windows PetitPotam 0-day vulnerability (Aug. 6, 2021)
2nd 0patch fix for Windows PetitPotam 0-day vulnerability (Aug. 19, 2021)
Windows 10: 0patch fix for MSHTML vulnerability (CVE-2021-40444)
0patch fixes LPE Vulnerability (CVE-2021-34484) in Windows User Profile Service
0patch fixes LPE vulnerability (CVE-2021-24084) in Mobile Device Management Service

This entry was posted in Security, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *