Researcher Abdelhamid Naceri has disclosed another vulnerability that allows a local non-admin user to overwrite an existing file to which he has no write access. At the time of writing, the vulnerability has not been assigned a CVE; it is identified only as the “InstallerFileTakeOver” vulnerability. Microsoft has not yet released a security update to fix this 0day in Windows. However, a micropatch released by 0patch can protect you from it. Let’s see how to fix the “InstallerFileTakeOver” 0day LPE (Local Privilege Elevation) vulnerability using 0patch.
The vulnerability lies in the creation of the RBF (Rollback File), a file that stores the content of every file deleted or modified during the installation process. The Windows Installer creates RBF files in the C:\Windows\Installer\Config.msi folder so that the original files can be restored later if a rollback is initiated.
Later, when the Windows Installer moves an RBF file from the C:\Windows\Installer\Config.msi folder to a known location in the user’s Temp folder, it changes the file’s permissions to give the user write access. The vulnerability allows an attacker to use a symbolic link to redirect that move, so the RBF file is moved from C:\Windows\Installer\Config.msi to a location of the attacker’s choosing. Since Windows Installer runs as Local System, any file writable by Local System can be overwritten and made writable by the local user. This leads to local privilege escalation. Please read the full technical details here:
https://twitter.com/KLINIX5/status/1462597892066136069
Prior to releasing a PoC for this vulnerability, Abdelhamid Naceri disclosed two local privilege elevation vulnerabilities, CVE-2021-34484 and CVE-2021-41379, and an information disclosure vulnerability, CVE-2021-24084, all within the space of a month.
According to the researcher, this vulnerability affects all versions of fully patched Windows, including Windows 11 and Windows Server 2022.
This micropatch was released for these Windows Operating Systems:
Windows 10 v21H1 (32 & 64 bit)
Windows 10 v20H2 (32 & 64 bit)
Windows 10 v2004 (32 & 64 bit)
Windows 10 v1909 (32 & 64 bit)
Windows 10 v1903 (32 & 64 bit)
Windows 10 v1809 (32 & 64 bit)
Windows 10 v1803 (32 & 64 bit)
Windows 10 v1709 (32 & 64 bit)
Windows 7 ESU (32 & 64 bit)
Windows Server 2019
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Windows Server 2008 R2 ESU (32 & 64 bit)
Although Microsoft hasn’t released a security update to fix the Local Privilege Escalation (LPE) vulnerability, a micropatch is available that protects against the 0day. 0patch says its micropatch targets the RBF file move operation: before the move is initiated, the micropatch checks whether the destination folder involves any symbolic links, soft links, shortcuts, or junctions. If one is found, it treats the move as an exploitation attempt and blocks the operation.
Created by 0patch
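The following is an added example, not 0patch’s code and not part of the original post. It illustrates both the RBF move described above and the check the micropatch is said to perform: a hardened move routine inspects every component of the destination path and refuses the move if any of them is a symbolic link or, on Windows, a junction or other reparse point. The demo() scenario is constructed in a temporary directory with stand-in folder names (Config.msi, Temp, protected); on POSIX systems only symlinks can be detected, because the st_file_attributes field used for junctions exists only on Windows.

```python
"""Hardened file move that refuses a destination reached through a reparse point.

Added example, not 0patch's code and not Windows Installer's. It mirrors the
check the micropatch is described as performing before an RBF file is moved:
every component of the destination path is inspected and, if any of them is a
symbolic link or (on Windows) a junction or other reparse point, the move is
treated as an exploitation attempt and refused. The demo() scenario is built
in a temporary directory; Config.msi, Temp and protected are stand-in names.
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import Optional

# Windows attribute bit marking junctions, mount points and other reparse points.
# On POSIX platforms st_file_attributes is absent, so only symlinks are detected.
FILE_ATTRIBUTE_REPARSE_POINT = 0x0400


class ReparsePointInPath(Exception):
    """A component of the destination path is a symlink, junction or reparse point."""


def is_reparse_point(path: Path) -> bool:
    """True if `path` itself (not what it points to) is a symlink or reparse point."""
    try:
        st = os.lstat(path)          # lstat: never follow the link being examined
    except FileNotFoundError:
        return False                 # a leaf that does not exist yet is not a redirect
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT)


def find_reparse_component(dest: Path) -> Optional[Path]:
    """Return the first component of `dest`, root to leaf, that is a reparse point."""
    dest = Path(os.path.abspath(dest))
    for component in reversed([dest, *dest.parents]):
        if is_reparse_point(component):
            return component
    return None


def safe_move(src: Path, dest: Path) -> Path:
    """Move `src` to `dest` unless some component of `dest` is a reparse point."""
    bad = find_reparse_component(dest)
    if bad is not None:
        raise ReparsePointInPath(f"refusing move: {bad} is a symlink or junction")
    shutil.move(str(src), str(dest))
    return dest


def demo() -> dict:
    """Constructed scenario: one legitimate move, one redirected through a symlink."""
    base = Path(tempfile.mkdtemp(prefix="rbfdemo_")).resolve()
    config = base / "Config.msi"      # stand-in for C:\Windows\Installer\Config.msi
    user_tmp = base / "Temp"          # stand-in for the user's Temp folder
    protected = base / "protected"    # stand-in for a Local System-writable location
    for folder in (config, user_tmp, protected):
        folder.mkdir()
    (config / "a.rbf").write_text("rollback data for a")   # constructed RBF content
    (config / "b.rbf").write_text("rollback data for b")

    # Legitimate move: Temp contains no reparse points, so it proceeds.
    moved = safe_move(config / "a.rbf", user_tmp / "a.rbf")

    # Redirected move: a symlink inside Temp points at the protected folder.
    link = user_tmp / "redirect"
    os.symlink(protected, link, target_is_directory=True)
    try:
        safe_move(config / "b.rbf", link / "b.rbf")
        blocked = False
    except ReparsePointInPath:
        blocked = True

    result = {
        "legit_moved": moved.is_file(),
        "redirect_blocked": blocked,
        "rbf_still_in_config": (config / "b.rbf").is_file(),
        "protected_untouched": not (protected / "b.rbf").exists(),
    }
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(demo())
```

The check is deliberately done on every ancestor, not just the leaf: a redirect can sit anywhere between the root and the final folder, and the same applies to the real Temp path. On Windows the attribute bit catches junctions and mount points as well as symlinks, which is the class of redirect the micropatch description covers.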
0patch says it has made the micropatch free until an official patch is available, and we recommend using it. To use the micropatch, create a free account in 0patch Central, then download the 0patch agent from 0patch.com and install and enable it on your Windows system. The agent takes care of everything else, and no reboot is required.
Visit 0patch Central and log in if you already have an account, or register using an email ID.
Note: It’s a free registration.
https://central.0patch.com/auth/login
Download the 0patch agent from here: https://0patch.com/
You do not need to do anything else to install the patch. Launch the agent and the patch is installed automatically.
Choose the installation path, or keep the default.
Once you sign in to the agent, the dashboard shows the number of available updates.
Click the ‘PATCH WAS APPLIED’ tile to confirm that the patch for the “InstallerFileTakeOver” 0day LPE vulnerability was applied.
We hope this post helps you understand how to fix the “InstallerFileTakeOver” 0day vulnerability in Windows. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.