by Bhabesh Raj Rai, Associate Security Analytics Engineer
On November 22, 2021, security researcher Abdelhamid Naceri dropped a PoC for a privilege escalation vulnerability (CVE-2021-41379) in the Windows Installer that Microsoft had patched in November's Patch Tuesday. The PoC works on all supported versions of Windows.
The specific flaw exists within the Windows Installer service. An attacker can abuse the Windows Installer service to delete a file or directory by creating a junction. Instead of providing the bypass, Naceri provided a more powerful variant of the vulnerability that allows an unprivileged user to run the command prompt as SYSTEM.
Naceri explained that his PoC would bypass any group policies configured to prevent normal users from performing MSI installations.
Detecting Exploitation in LogPoint
A naive detection approach for exploitation of this zero-day is via Application installation logs. Look out for the application name “test pkg” used in the PoC.
norm_id=WinServer label=Application label=Install application="test pkg"
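The same check, expressed as a small standalone parser run over constructed Windows Application-log export lines, as an added example that is not part of the original post and not LogPoint's own code. The key=value line format, the MsiInstaller event IDs 1033 and 11707, and all hosts, users and timestamps in the sample are assumptions made for the example; only the product name "test pkg" comes from the PoC as described above.

```python
import re
from typing import Dict, List, Optional

# Product name used by the public PoC (the only indicator taken from the page).
POC_PRODUCT_NAME = "test pkg"

# Assumed MsiInstaller Application-log event IDs for a completed product install;
# adjust to the IDs your log source actually emits.
MSI_INSTALL_EVENT_IDS = {"1033", "11707"}

# Constructed sample export lines (key=value with optional quoting), not real telemetry.
SAMPLE_LOGS = [
    'timestamp="2021-11-23T10:01:12Z" host=WS01 source=MsiInstaller event_id=1033 user="alice" '
    'message="Windows Installer installed the product. Product Name: test pkg. '
    'Product Version: 1.0.0. Installation success or error status: 1603."',
    'timestamp="2021-11-23T10:02:40Z" host=WS01 source=MsiInstaller event_id=11707 '
    'product="Microsoft Edge Update" message="Installation completed successfully."',
    'timestamp="2021-11-23T10:03:05Z" host=WS01 source="Service Control Manager" event_id=7036 '
    'message="The Windows Installer service entered the running state."',
    'timestamp="2021-11-23T11:15:51Z" host=WS02 source=MsiInstaller event_id=1033 user="bob" '
    'message="Windows Installer installed the product. Product Name: Test Pkg. '
    'Product Version: 1.0.0. Installation success or error status: 1603."',
]

# key=value or key="quoted value" tokens; quoted values may contain spaces and \" escapes.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Product name as embedded in the MsiInstaller message text.
_PRODUCT_RE = re.compile(r"Product Name:\s*(.+?)\.\s", re.IGNORECASE)


def parse_line(line: str) -> Dict[str, str]:
    """Split one export line into a field dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def product_name(event: Dict[str, str]) -> Optional[str]:
    """Return the installed product name from a dedicated field or the message text."""
    if "product" in event:
        return event["product"]
    match = _PRODUCT_RE.search(event.get("message", ""))
    return match.group(1).strip() if match else None


def find_poc_installs(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Flag MsiInstaller install events whose product name matches the PoC default.

    The comparison is case-insensitive so trivial recasing of the name is still caught.
    """
    hits: List[Dict[str, Optional[str]]] = []
    for line in lines:
        event = parse_line(line)
        if event.get("source") != "MsiInstaller":
            continue
        if event.get("event_id") not in MSI_INSTALL_EVENT_IDS:
            continue
        name = product_name(event)
        if name is None or name.lower() != POC_PRODUCT_NAME:
            continue
        hits.append({
            "timestamp": event.get("timestamp"),
            "host": event.get("host"),
            "user": event.get("user"),
            "event_id": event.get("event_id"),
            "product": name,
        })
    return hits


if __name__ == "__main__":
    for hit in find_poc_installs(SAMPLE_LOGS):
        print(f"{hit['timestamp']} {hit['host']} user={hit['user']} "
              f"event_id={hit['event_id']} product={hit['product']!r}")
```

Run against the constructed sample, the two MsiInstaller events naming "test pkg" (in either case) are reported and the unrelated Edge Update install and the service-state event are ignored. As the next paragraph notes, a string match on the default product name is only a first-pass indicator, since the name is trivially changed.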
Threat actors can change the PoC defaults for stealth. We can use process