by Mitja Kolsek, the 0patch Team
Wow, this is the third 0day found by the same researcher we're patching in the last two weeks.
Abdelhamid Naceri, a talented security researcher, has been keeping us busy with 0days this year. In January we micropatched a local privilege escalation in Windows Installer they had found (already fixed by Microsoft), and in the last two weeks we fixed an incompletely patched local privilege escalation in User Profile Service and a local privilege escalation in Mobile Device Management Service (still 0days at the time of this writing).
Ten days ago, Abdelhamid tweeted a link to their GitHub repository containing a proof of concept for another unpatched vulnerability in Windows Installer. The vulnerability allows a local non-admin user to overwrite an existing file to which they do not have write access, and then arbitrarily change its content. This can easily be turned into local privilege escalation by overwriting a trusted system executable file with one's own code - as demonstrated by Abdelhamid's POC, which launches a command line window as Local System.
According to Cisco Talos, this vulnerability is being exploited in the wild.
Note that this 0day is being referenced by multiple sources as a bypass to CVE-2021-41379, but the researcher who found it claims that is not the case.
The vulnerability lies in the way Windows Installer creates a RBF (Rollback File), a file that stores the content of all deleted or modified files during the installation process, so that in case rollback is needed, these files can be restored to their originals. The RBF file is created either in folder C:\Config.msi or in folder C:\Windows\Installer\Config.msi, based on some logic that we admittedly don't fully understand. In any case, should the RBF file be created in folder C:\Windows\Installer\Config.msi *, it later gets moved to a known location in initiating user's Temp folder where the files' permissions are also modified to give the user write access. Abdelhamid noticed that a symbolic link can be created in place of the incoming RBF file, which will result in moving the RBF file from C:\Windows\Installer\Config.msi to some other user-chosen file on the system. Since Windows Installer is running as Local System, any file writable by Local System can be overwritten and made writable by the local user.
It doesn't take a lot of imagination to see that taking over an executable file that is being used by a privileged process can get one's code executed with such process' privileges. This Twitter thread by Will Dormann provides various options to achieve the same.
* In case the RBF file is created in C:\config.msi, the described file move does not take place, and the exploit can't work. Interestingly, Abdelhamid's 0day we had fixed in January was targeting the other rollback file, RBS or Rollback Script, which - to the contrary - had to be created in C:\Config.msi instead of in C:\Windows\Installer\Config.msi, to be exploitable. Things are weird in the Windows Installer world.
Our micropatch targets the RBF file move operation, whereby it checks that the destination path does not contain any junctions or links. If it does, we consider it an exploitation attempt, and the operation is canceled. The original code then "thinks" the file move operation has failed for some reason.Here is the video of our micropatch in action. Without the micropatch, exploit works and a command line window is launched as Local System; with the micropatch, the code we correct in msi.dll determines that destination path contains a symbolic link, aborts the file move operation and triggers an "Exploit blocked" event.
This micropatch was written for:
- Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates
- Windows 10 v20H2 (32 & 64 bit) updated with November 2021 Updates
- Windows 10 v2004 (32 & 64 bit) updated with November 2021 Updates
- Windows 10 v1909 (32 & 64 bit) updated with November 2021 Updates
- Windows 10 v1903 (32 & 64 bit) updated with November 2021 Updates
- Windows 10 v1809 (32 & 64 bit) updated with May 2021 Updates
- Windows 10 v1803 (32 & 64 bit) updated with May 2021 Updates
- Windows 10 v1709 (32 & 64 bit) updated with October 2020 Updates
- Windows 7 ESU (32 & 64 bit) updated with November 2021 Updates
- Windows Server 2019 updated with November 2021 Updates
- Windows Server 2016 updated with November 2021 Updates
- Windows Server 2012 R2 updated with November 2021 Updates
- Windows Server 2012 updated with November 2021 Updates
- Windows Server 2008 R2 ESU (32 & 64 bit) updated with November 2021 Updates