Researcher Abdelhamid Naceri has disclosed another vulnerability that allows a local non-admin user to overwrite an existing file to which he does not have access to write. The vulnerability is not assigned a CVE at the time of writing this post. It is just identified as an “InstallerFileTakeOver” vulnerability. Unfortunately, Microsoft hasn’t released security updates to fix the “InstallerFileTakeOver” 0day Vulnerability in Windows. However, a micropatch released by Opatch could protect you from this vulnerability. Let’s see how to fix “InstallerFileTakeOver” 0day LPE (Local Privilege Elevation) vulnerability using Opatch.
Summary Of “InstallerFileTakeOver” 0day LPE Vulnerability:
The vulnerability lice in the process of RBF file creation, a file that stores the content of all deleted or modified files during the installation process. Windows Installer program creates RFB (Rollback File) file in C:\Windows\Installer\Config.msi * folder to restore all the original files later in time when a rollback is initiated.
Later, when the Windows installer program moves the RBF file created in C:\Windows\Installer\Config.msi * folder to a known location in the user’s Temp folder, it modifies the permission to give the user write access to the files. The vulnerability allows the attacker to create a symbolic link to the RBF files and move them from C:\Windows\Installer\Config.msi folder to the user’s chosen location on the system. Since Windows Installer is running as Local System, any file writable by Local System can be overwritten and made writable by the local user. This may lead to a local privilege escalation vulnerability. Please read the full technical details here.
Prior to releasing PoC for this vulnerability, Researcher Abdelhamid Naceri has disclosed a couple of local privilege elevation vulnerabilities: CVE-2021-34484 & CVE-2021-41379, and information discloser CVE-2021-24084 vulnerability in a month of time.
Windows Affected To “InstallerFileTakeOver” 0day LPE Vulnerability:
Research says that this vulnerability affects all versions of the fully patched Windows operating system, including Windows 11 and Windows Server 2022.
Micropatch Released For The Windows Operating System:
This micropatch was released for these Windows Operating Systems:
- Windows 10 v21H1 (32 & 64 bit)
- Windows 10 v20H2 (32 & 64 bit)
- Windows 10 v2004 (32 & 64 bit)
- Windows 10 v1909 (32 & 64 bit)
- Windows 10 v1903 (32 & 64 bit)
- Windows 10 v1809 (32 & 64 bit)
- Windows 10 v1803 (32 & 64 bit)
- Windows 10 v1709 (32 & 64 bit)
- Windows 7 ESU (32 & 64 bit)
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2 ESU (32 & 64 bit)
How To Fix “InstallerFileTakeOver” 0day LPE Vulnerability?
Although Microsoft hasn’t released a security update to fix the Local Privilege Escalation LPE vulnerability, a micropatch is available that could protect the 0day vulnerability. Opatch said that its micropatch targets the RBF file move operation. Before move operation is initiated, Opatch micropatch checks the symbolic links, soft-links, shortcut icons, or any junctions created for the destination folder. If found, it treats such move operation as an exploitation attempt and blocks the operation.
Opatch said that it has made the micropatch free until the official patch is available. We recommend making use of this micropatch. To use the micropatch, create a free account in 0patch Central. Download the Opatch agent from 0patch.com and install and enable it on your Windows system. Opatch agent will take care of everything else. This doesn’t need a reboot to complete this process.
Time needed: 5 minutes.
How to Fix “InstallerFileTakeOver” 0day LPE Vulnerability?
- Create a free account in Opatch
Visit Optch and login if you have an account created or register using an email ID.
Note: It’s a free registration.
- Download free Opatch agent
Download the Opatch agent from here: https://0patch.com/
- Execute the Opatch agent
You do not need to do anything big to install the patch. Launch the agent, the patch will be installed by itself.
- Accept License agreement
- Select installation folder
Choose the installation path. If not keep the default.
- Confirm installation
- Finish Opatch agent installation
- Sign into Opatch agent
- Opatch dashboard
You will start seeing the number of available updates on the dashboard upon signing in to the agent.
- Fix “InstallerFileTakeOver” 0day LPE Vulnerability
Click on the ‘PATCH WAS APPLIED’ tiles to see the patch was applied for “InstallerFileTakeOver” 0day LPE Vulnerability.
We hope this post will help you in knowing how to fix “InstallerFileTakeOver” 0day vulnerability in Windows. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.