Tool InstallerFileTakeOver escalates Admin privileges on Windows 10/11

On November 9, Microsoft found a security flaw with code CVE-2021-41379 that allows users to delete any file on Windows without admin rights. But after releasing patches, it seems they haven’t patched them properly. And a github user took advantage of them to give us admin rights. Let’s find out with us!

Vulnerability CVE-2021-41379

Vulnerability CVE-2021-41379 was discovered on October 8 and has a cvss (Common Vulnerability Scoring System) score of approximately 5.5 – 7.8 and this bug is called “Windows Installer Elevation of Privilege Vulnerability”. This error allows users to delete files anywhere on the computer without requiring admin rights. The only thing to do is run the code as a regular user (no admin) to be able to execute. It is worth mentioning that all versions of Windows suffer from this error (including Window 11 and Window Server).

Tool InstallerFileTakeOver escalates Admin privileges on Windows 10/11

And after more than 2 months, in this November, Microsoft has released patch update CVE-2021-41379 for all operating systems still supported by Microsoft. But just yesterday (November 22), a Github user posted a software that can use this bug after they have been patched. Let’s learn about that software!

Read more about error CVE-2021-41379

InstallerFileTakeOver – software that takes advantage of security vulnerability CVE-2021-41379

According to klinix5 shared on Github, during the analysis of patch CVE-2021-41379, they found this bug is not completely fixed and they found a similar version of it. Compared to the old bug, the new version is a more serious error.

InstallerFileTakeOver

Klinix5 further shared: For InstallerFileTakeOver, they had to make this application work without any external factors or any extensions to ensure that the software could work 100% at runtime. And they see this app as proof that bug CVE-2021-41379 hasn’t been fully fixed yet.

In addition to this application, During development they created 2 .msi files (windows installation files) and what we see here is just 1 version of them. klinix5 has revealed to us that the remaining file is capable of bypassing the patch of CVE-2021-41379 and that they will be released in the future.

You can read more here.

Note before doing

Because this is a serious security error, it is only used for reference and learning purposes. Not allowed to be used on computers not owned by you. Anonyviet will not be responsible for any of your actions.

InstallerFileTakeOver User Manual

To be able to experience the whole thing, please create a user without admin rights (select Standard user) and log in with that account!

To standard user

Step 1: After logging in to the newly created account, go to a web browser and download the file here

Download the necessary files

Step 2: Go to the InstallerFileTakeOver folder > Release > run the file ending in .exe

Run the file ending in .exe

After you finish running, there will be a CMD screen displayed and that is the CMD that has been granted admin rights. You can go there and create a new user and then log in to get control of the machine or break the computer as you like.

InstallerFileTakeOver

Note: This file will only exist until CVE-2021-41379 is patched. If you haven’t tried it yet, what are you waiting for?

You may be interested in: PoC CVE-2021-40444 – Attach Virus to Word File

Leave a Reply