CVE-2021-41379 - Windows Installer Elevation of Privilege Vulnerability

Microsoft released a patch for CVE-2021-41379 in its November 9, 2021, Patch Tuesday updates. The patch was supposed to correct a flaw in the Windows Installer that allows a user with local access to delete any file using elevated SYSTEM privileges. On November 22, Abdelhamid Naceri, the researcher who originally reported the vulnerability, released a proof-of-concept (PoC) on GitHub (https://github.com/klinix5/InstallerFileTakeOver) demonstrating that Microsoft's patch was insufficient and that the flaw can still be exploited on patched systems. Microsoft claims, "An attacker would only be able to delete targeted files on a system. They would not gain privileges to view or modify file contents"; however, further research by Naceri and Cisco Talos (https://blog.talosintelligence.com/2021/11/attackers-exploiting-zero-day.html) shows that the vulnerability can be used to gain full SYSTEM-level privileges. The updated PoC uses a crafted MSI to take over the discretionary access control list (DACL) of the Microsoft Edge Elevation Service executable (elevation_service.exe) and replace it with a binary of the attacker's choosing, which then executes with elevated privileges.

Since the PoC was published, several malware samples have been observed attempting to exploit CVE-2021-41379. Last week the CRU pushed out an Event Notification that specifically looks for the "test pkg" MSI installer used in the PoC while we continued to investigate this exploit. That notification, "[CRU][Windows] LPE InstallerFileTakeOver PoC CVE-2021-41379", will trigger specifically if anyone runs the PoC published by Naceri. Since then, the CRU has done additional research and published three more Event Notifications to the CRU collection in the Perch app that should trigger when someone attempts to exploit this vulnerability.

The three new Event Notifications published this week are:
[CRU][Windows] Windows Installer EoP 0day elevation_service.exe File Creation

[CRU][Windows] Windows Installer EoP 0day Post-CommandLine Process

[CRU][Windows] Windows Installer EoP 0day Process Creation
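
To show what detections along these lines look like as concrete rules, here is an added example (illustrative code written for this post, not the CRU's Event Notification logic, which is not published here) that runs over constructed Sysmon-style events. The Edge install path, the list of processes allowed to write elevation_service.exe, the sample file names and the exact match conditions are assumptions drawn from the PoC behaviour described above:

```python
"""Added example, not the CRU's Event Notification logic: detections built
from the PoC behaviour described above (DACL takeover and replacement of
elevation_service.exe, then code running under the service), evaluated over
constructed Sysmon-style events. Field names follow Sysmon ProcessCreate
(Event ID 1) and FileCreate (Event ID 11). The Edge path, the allowed-writer
list, the shell list and the sample file names are assumptions."""
import ntpath
from typing import Dict, List

TARGET = "elevation_service.exe"  # Microsoft Edge Elevation Service binary

# Processes expected to (re)write elevation_service.exe during an Edge install
# or update. Assumption: tune to what your own Edge updater telemetry shows.
LEGIT_WRITERS = {"setup.exe", "microsoftedgeupdate.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def base(path: str) -> str:
    """Lower-cased file name, tolerant of a missing field."""
    return ntpath.basename(path or "").lower()


def detect(event: Dict[str, object]) -> List[str]:
    """Return the names of the detections this single event triggers."""
    hits: List[str] = []
    eid = event.get("EventID")
    image = base(str(event.get("Image", "")))

    # 1. File creation: elevation_service.exe written by something other than
    #    the Edge installer/updater (the PoC overwrites it after taking its DACL).
    if eid == 11 and base(str(event.get("TargetFilename", ""))) == TARGET:
        if image not in LEGIT_WRITERS:
            hits.append("elevation_service.exe File Creation")

    if eid == 1:
        cmdline = str(event.get("CommandLine", "")).lower()
        parent = base(str(event.get("ParentImage", "")))

        # 2. The published PoC's MSI package name (what the first notification looks for).
        if "test pkg" in cmdline:
            hits.append("InstallerFileTakeOver PoC package name")

        # 3. Process creation: a binary named elevation_service.exe whose version
        #    resource does not look like Microsoft's (the PoC drops its own EXE there).
        if image == TARGET:
            orig = str(event.get("OriginalFileName", "")).lower()
            company = str(event.get("Company", ""))
            if orig != TARGET or company != "Microsoft Corporation":
                hits.append("elevation_service.exe Process Creation (non-Microsoft metadata)")

        # 4. Post-exploitation: a shell spawned by the elevation service, which a
        #    legitimate elevation_service.exe has no reason to do.
        if parent == TARGET and image in SHELLS:
            hits.append("Post-CommandLine Process (shell under elevation service)")

    return hits


def scan(events: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Map event index -> detections, omitting events with no hits."""
    results: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = detect(ev)
        if hits:
            results[i] = hits
    return results


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application"  # assumed install root

# Constructed sample events (not real telemetry). Index 0 and 5 are benign.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": EDGE + r"\96.0.1054.34\Installer\setup.exe",
     "TargetFilename": EDGE + r"\96.0.1054.34\elevation_service.exe"},
    {"EventID": 11, "Image": r"C:\Users\bob\Downloads\takeover.exe",
     "TargetFilename": EDGE + r"\96.0.1054.34\elevation_service.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Users\bob\Downloads\takeover.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\bob\AppData\Local\Temp\test pkg.msi" /qn'},
    {"EventID": 1, "Image": EDGE + r"\96.0.1054.34\elevation_service.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": EDGE + r"\96.0.1054.34\elevation_service.exe",
     "OriginalFileName": "takeover.exe", "Company": ""},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": EDGE + r"\96.0.1054.34\elevation_service.exe",
     "CommandLine": "cmd.exe"},
    {"EventID": 1, "Image": EDGE + r"\96.0.1054.34\elevation_service.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": EDGE + r"\96.0.1054.34\elevation_service.exe",
     "OriginalFileName": "elevation_service.exe", "Company": "Microsoft Corporation"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```

Rule 3 depends on Sysmon's version-resource fields, which a more careful attacker could copy from the real binary; pairing it with a hash allow-list of the current Edge release, or with a file-integrity check on elevation_service.exe, is the stronger signal.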

Kimsuky Group – HVNC Backdoor

Kimsuky Group (https://attack.mitre.org/groups/G0094/) is a North Korean APT focused on cyber espionage that has been active since 2012. While it initially focused on South Korean targets, it has since expanded to the United States, Russia, Europe, and the UN. Recent reporting shows that Kimsuky has begun using AppleSeed (https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed), a backdoor and remote-control malware the group has used since this summer, to install a hidden VNC (HVNC) backdoor. VNC is a common lightweight graphical remote-administration protocol similar to RDP. Earlier this week, the CRU pushed out several new IDS signatures that should detect this HVNC backdoor's outbound connection check, the short banner it sends to its server as the first data of the session:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"[ConnectWise CRU] HVNC Backdoor Connection Check (AVE_MARIA)"; flow:established, to_server; stream_size: client, =, 11; stream_size: server, =, 1; dsize: 10; content:"AVE_MARIA"; depth: 9; reference: url, app.any.run/tasks/48ad8f56-2255-47bf-a988-e0602c11f4b0; classtype:trojan-activity; sid:900511; rev:1; metadata: created_at 2021_11_29, updated_at 2021_11_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"[ConnectWise CRU] Kimsuky HVNC Backdoor Connection Check (LIGHT'S)"; flow:established, to_server; stream_size: client, =, 11; stream_size: server, =, 1; dsize: 8; content: "LIGHT'S"; depth: 7; classtype:trojan-activity; sid:900512; rev:1; metadata: created_at 2021_11_29, updated_at 2021_11_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"[ConnectWise CRU] Kimsuky HVNC Backdoor Connection Check (LIGHT'S)"; flow:established, to_server; content:"LIGHT'S"; depth:7; classtype:trojan-activity; sid:900513; rev:1; metadata: created_at 2021_11_29, updated_at 2021_11_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[ConnectWise CRU] Kimsuky HVNC Backdoor Connection Check (LIGHT'S BOMB)"; flow:established, to_server; stream_size: client, =, 11; stream_size: server, =, 1; dsize: 13; content: "LIGHT'S BOMB"; depth: 12; classtype:trojan-activity; sid:900514; rev:1; metadata: created_at 2021_11_29, updated_at 2021_11_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[ConnectWise CRU] Kimsuky HVNC Backdoor Connection Check (LIGHT'S BOMB)"; flow:established, to_server; content:"LIGHT'S BOMB"; depth:12; classtype:trojan-activity; sid:900515; rev:1; metadata: created_at 2021_11_29, updated_at 2021_11_29;)
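
To dry-run these sids against a sample banner before trusting them on a sensor, here is an added example (illustrative code written for this post, not Suricata and not CRU tooling) that models only the keywords the signatures use: content with depth, dsize, and stream_size. It assumes that Suricata's stream_size counts sequence space, so the client side is 1 (for the SYN) plus the bytes sent and the server side is 1 after a data-less SYN-ACK; the trailing NUL on the constructed banners is also an assumption, chosen only to make each one byte longer than its content string as the dsize values require:

```python
"""Added example, not Suricata and not CRU tooling: a minimal model of the
keywords used by the HVNC signatures above (content/depth, dsize,
stream_size) so each sid can be dry-run against a constructed first client
message. Assumption: stream_size counts sequence space, i.e. the client side
is 1 (SYN) + bytes sent and the server side is 1 after a data-less SYN-ACK.
The trailing NUL on the sample banners is likewise an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    sid: int
    content: bytes
    depth: int                           # content must end within the first `depth` bytes
    dsize: Optional[int] = None          # exact payload size, or None if keyword absent
    client_stream: Optional[int] = None  # stream_size: client,=,N
    server_stream: Optional[int] = None  # stream_size: server,=,N


# Transcribed from the five signatures above (sid 900511 to 900515).
RULES = [
    Rule(900511, b"AVE_MARIA", 9, dsize=10, client_stream=11, server_stream=1),
    Rule(900512, b"LIGHT'S", 7, dsize=8, client_stream=11, server_stream=1),
    Rule(900513, b"LIGHT'S", 7),
    Rule(900514, b"LIGHT'S BOMB", 12, dsize=13, client_stream=11, server_stream=1),
    Rule(900515, b"LIGHT'S BOMB", 12),
]


def failing_keyword(rule: Rule, payload: bytes, client_stream: int,
                    server_stream: int) -> Optional[str]:
    """Name of the first keyword that rejects this to_server packet, or None if it matches."""
    # content + depth: search only the first `depth` bytes of the payload
    if payload.find(rule.content, 0, rule.depth) == -1:
        return "content/depth"
    if rule.dsize is not None and len(payload) != rule.dsize:
        return "dsize"
    if rule.client_stream is not None and client_stream != rule.client_stream:
        return "stream_size client"
    if rule.server_stream is not None and server_stream != rule.server_stream:
        return "stream_size server"
    return None


def dry_run(payload: bytes) -> Dict[int, Optional[str]]:
    """Per-sid result for the client's first data packet after the handshake."""
    client_stream = 1 + len(payload)  # SYN consumed one sequence number, then the data
    server_stream = 1                 # SYN-ACK only, no server data yet
    return {r.sid: failing_keyword(r, payload, client_stream, server_stream)
            for r in RULES}


def first_message_sids(payload: bytes) -> List[int]:
    """SIDs that fire on the client's first data packet."""
    return [sid for sid, reason in dry_run(payload).items() if reason is None]


# Constructed sample banners (not captures): content string plus one NUL byte.
SAMPLES = [b"AVE_MARIA\x00", b"LIGHT'S\x00", b"LIGHT'S BOMB\x00",
           b"xxAVE_MARIA", b"GET / HTTP/1.1\r\n"]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(banner, first_message_sids(banner), dry_run(banner))
```

Two things fall out of the dry run. Under the sequence-space accounting assumed here, the stream_size client value of 11 in sids 900512 and 900514 is only satisfied by a 10-byte first message, so an 8- or 13-byte banner is caught by the looser 900513 and 900515 rather than the strict pair; confirm that against a live sensor before relying on the strict rules alone. Second, 900513 also fires on "LIGHT'S BOMB", since that banner begins with "LIGHT'S", so expect both 900513 and 900515 on the same session.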

If you are a Perch IDS customer, all of these signatures have already been pushed out to your sensors. The Event Notifications for CVE-2021-41379 are part of the CRU collection in the Perch Marketplace (https://perch.help/marketplace/marketplace/).

References

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41379

https://www.zerodayinitiative.com/advisories/ZDI-21-1308/

https://blog.talosintelligence.com/2021/11/attackers-exploiting-zero-day.html

https://attack.mitre.org/groups/G0094/