Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5

November Microsoft Patches Introduce a 0-day

#1
What Happened?
Security researcher Abdelhamid Naceri discovered a privilege escalation vulnerability in Microsoft Windows that can give admin rights to threat actors.

The vulnerability was discovered when Microsoft released a patch for CVE-2021-41379 (Windows Installer Elevation of Privilege Vulnerability) as a part of the November 2021 Patch Tuesday. Naceri found a bypass to the patch, as well as a more severe zero-day privilege escalation vulnerability, and published a proof-of-concept exploit for the zero-day on GitHub: https://github.com/klinix5/InstallerFileTakeOver

This zero-day vulnerability affects all supported client and server versions of Windows, including Windows 10, Windows 11 and Windows Server — even with the latest patches.

How Bad is This?
Pretty bad; privilege elevation is a serious situation, especially when threat actors could elevate from user to admin rights. Throughout 2021 we have seen a growing number of privilege escalation vulnerabilities land on Windows, which is only increasing the attack surface in environments at this point.

There are no workarounds currently available, according to Naceri. Due to the fact that this vulnerability and exploit leverage existing MSI functionality, it is difficult to inherently workaround.

The good news is that a threat actor would need local access to the machine to take advantage of this vulnerability. More good news is that Windows Defender detects the PoC.

What Should I Do?
Organizations that haven’t already enabled Sysmon in their environment should do so. Blumira’s newly-created PowerShell script, Poshim, streamlines Windows log collection by automatically installing and configuring NXLog and Sysmon to ship logs over Sysmon to a targeted IP.

Although there are no workarounds, admins can use an endpoint solution and a security incident and event management (SIEM) platform to detect for signs of the PoC exploit in an environment.

How To Detect
This PoC code is easily detectable in its current form due to a built-in MSI (or installer package) and the fact that the PoC has a number of hard-coded naming conventions.

Blumira security experts tested the exploit in their lab environment and found a few ways to detect the PoC:

Sysmon

With Sysmon enabled, admins can look for the following behaviors:

windows_event_id = 11
AND target LIKE '%microsoft plz%'
By default the PoC utilizes a target with “microsoft plz” in the path, this allows for quick detection opportunities for lazy attackers.

AND

process_name = 'C:\\Windows\\system32\\msiexec.exe'
AND target LIKE '%AppData%splwow64.exe'
AND windows_event_id in (11,26)
The second Sysmon detection uses splwow64.exe in its own AppData folder, which it creates and deletes during the process.

Windows logs

Admins can look for the following Windows logs in Event Log Viewer:

windows_log_name='Application'
AND message LIKE '%test pkg%'
Application logs that contain hardcoded test pkg similar to “microsoft plz” above. Attackers building their own exploits will not utilize this naming convention however.

AND

REGEXP_CONTAINS(message, r'Users.*AppData\\Local\\Temp\\2\\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}.msi')
AND user='SYSTEM
AND user_id='S-1-5-18'
AND windows_event_id=1042
The System’s Application log as system references the initial User’s appdata with the System user and SID (S-1-5-18) and user on a failed MSI install. So far in our testing we were able to reduce false positives but looking for a specific UUID4 format due to how this MSI installer activates but this may result in noise at times.

Final stage of attack shows the completion of the installer transaction as SYSTEM with a reference to the initializing user.

Application Eventlog

Search for EventID 1033 and the keyword ‘test pkg’
Reply
#2
The vulnerability, would have already been closed with November updates.
For remedy, one could only wait for a new, effective patch of Microsoft due to the complexity of the vulnerability, says Naceri. Any attempt to patch the executable file of the Windows Installer directly would destroy it.

[Update 24.11.2021 08:15 clock] Supplement that Talos has discovered first malware in the wild, which exploits the weak point for rights expansion.
 [Image: autism4all.png]
[x] <= Drive in nail here for new display!
Reply
#3
I love how the name to look for is channish for microsoft please, they could have at least used L33T Sp33k for it lol.

still it makes me wonders if microsoft is slipping on their QC when checking for serious vulnerabilities like this now that the old guard have retired...

ironically to gain access you'd have to red team a site since it requires Local User access to do it but once you're in... you're in. Linux isn't immune to this either if you happen to have a drive with linux on it and know command line and privilege escalation tricks to edit/update the passwords from a live distro.

fortunately while that's easy enough to secure against (disable USB boot), this is not...

what are their plans to prevent this in the future?
"I reject your reality and subsitute my own." - Adam Savage, Mythbusters
[Image: 5.jpg]
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Microsoft patches a vulnerability that has existed for 19 years - literally. Darth-Apple 7 9,609 June 2nd, 2017 at 6:22 PM
Last Post: Darth-Apple



Users browsing this thread: 1 Guest(s)

Makestation Theme/Design Selector

Contact Us | Makestation | Return to Top | Lite (Archive) Mode | RSS Syndication 
Proudly powered by MyBB 1.8, © 2002-2021
Forum design by Makestation Team © 2020
Saturn-Moon.com - a modern day time capsule | Makestation Ajax Chat Hosting