
Local 0-day LPE Windows 10&11 (Microsoft Edge Elevation Service)

Vexer2k

I am not the author of the exploit. Just sharing it for anyone who is interested.

PoC: https://github.com/klinix5/InstallerFileTakeOver

The default PoC leaves a lot of trash on the target system so it's easy to detect. The juicy stuff is the exploit part of the code and the fact that it uses Edge as part of the LPE.
 
Very interesting, we need to check it out!

What Happened?

Security researcher Abdelhamid Naceri discovered a privilege escalation vulnerability in Microsoft Windows that can give admin rights to threat actors.
The vulnerability was discovered when Microsoft released a patch for CVE-2021-41379 (Windows Installer Elevation of Privilege Vulnerability) as a part of the November 2021 Patch Tuesday. Naceri found a bypass to the patch, as well as a more severe zero-day privilege escalation vulnerability, and published a proof-of-concept exploit for the zero-day on GitHub.
This zero-day vulnerability affects all supported client and server versions of Windows, including Windows 10, Windows 11 and Windows Server — even with the latest patches.

How Bad is This?

Pretty bad; privilege elevation is a serious situation, especially when threat actors could elevate from user to admin rights. Throughout 2021 we have seen a growing number of privilege escalation vulnerabilities land on Windows, which is only increasing the attack surface in environments at this point.
There are no workarounds currently available, according to Naceri. Because this vulnerability and exploit leverage existing MSI functionality, it is inherently difficult to work around.
A threat actor would need local access to the machine to take advantage of this vulnerability. Windows Defender detects the PoC.

Source: https://www.blumira.com/windows-zero-day-admin-rights/
 
I managed to change the DACL for *.ini and *.txt files, but it didn't work on a whole folder or on *.exe. Has anyone else tried this?
During testing I had no problems with files, but I know this exploit won't work with folders. Also remember that the file you set as the target can't be in use by other programs or services at the same time.