How to Fix “InstallerFileTakeOver” 0day LPE Vulnerability

Researcher Abdelhamid Naceri has disclosed another vulnerability that allows a local non-admin user to overwrite an existing file to which they have no write access. The vulnerability had not been assigned a CVE at the time of writing this post; it is identified simply as the “InstallerFileTakeOver” vulnerability. Unfortunately, Microsoft hasn’t released a security update to fix the “InstallerFileTakeOver” 0day vulnerability in Windows. However, a micropatch released by 0patch can protect you from this vulnerability. Let’s see how to fix the “InstallerFileTakeOver” 0day LPE (Local Privilege Elevation) vulnerability using 0patch.

Summary Of “InstallerFileTakeOver” 0day LPE Vulnerability:

The vulnerability lies in the process of RBF file creation. An RBF (Rollback File) stores the content of all files deleted or modified during an installation. The Windows Installer program creates the RBF file in the C:\Windows\Installer\Config.msi folder so that the original files can be restored later if a rollback is initiated.

Later, when the Windows Installer program moves the RBF file created in the C:\Windows\Installer\Config.msi folder to a known location in the user’s Temp folder, it modifies the file’s permissions to give the user write access. The vulnerability allows an attacker to create a symbolic link on the destination so that the RBF file is moved from the C:\Windows\Installer\Config.msi folder to a location of the attacker’s choosing on the system. Since Windows Installer runs as Local System, any file writable by Local System can be overwritten and made writable by the local user. This can lead to local privilege escalation. Please read the full technical details here.

Prior to releasing the PoC for this vulnerability, researcher Abdelhamid Naceri disclosed two local privilege elevation vulnerabilities, CVE-2021-34484 and CVE-2021-41379, and an information disclosure vulnerability, CVE-2021-24084, all within the space of a month.

Windows Versions Affected By The “InstallerFileTakeOver” 0day LPE Vulnerability:

The researcher reports that this vulnerability affects all versions of the fully patched Windows operating system, including Windows 11 and Windows Server 2022.

Micropatch Released For The Windows Operating System:

This micropatch was released for these Windows Operating Systems: 

  1. Windows 10 v21H1 (32 & 64 bit)
  2. Windows 10 v20H2 (32 & 64 bit)
  3. Windows 10 v2004 (32 & 64 bit)
  4. Windows 10 v1909 (32 & 64 bit)
  5. Windows 10 v1903 (32 & 64 bit)
  6. Windows 10 v1809 (32 & 64 bit)
  7. Windows 10 v1803 (32 & 64 bit)
  8. Windows 10 v1709 (32 & 64 bit)
  9. Windows 7 ESU (32 & 64 bit)
  10. Windows Server 2019
  11. Windows Server 2016
  12. Windows Server 2012 R2
  13. Windows Server 2012
  14. Windows Server 2008 R2 ESU (32 & 64 bit)

How To Fix “InstallerFileTakeOver” 0day LPE Vulnerability?

Although Microsoft hasn’t released a security update to fix the Local Privilege Escalation (LPE) vulnerability, a micropatch is available that can protect against the 0day. 0patch said that its micropatch targets the RBF file move operation. Before the move operation is initiated, the 0patch micropatch checks for symbolic links, soft links, shortcut icons, or any junctions created for the destination folder. If one is found, it treats the move operation as an exploitation attempt and blocks it.
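The check described in the two passages above (a privileged move into a user-writable Temp folder, blocked when the destination path contains a link) can be illustrated with a small, platform-independent guard. The block below is an added example written for this post, not 0patch’s micropatch code or Windows Installer code; the directory names (a `Config.Msi` staging folder, a `Temp` folder, and a `Temp_link` symlink) and the `.rbf` contents are constructed purely for the demonstration. It refuses the move when any component of the destination path is a symbolic link or, on Windows, carries the reparse-point attribute that junctions and mount points also use.

```python
"""Defensive 'check the destination for links before a privileged move' guard.

Added example for this post; not 0patch's or Microsoft's code. Directory and
file names below are constructed for the demonstration.
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Windows attribute bit shared by symlinks, junctions and mount points.
# stat exposes it on every platform since Python 3.5; fall back to the raw value.
REPARSE_POINT = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_reparse_point(path: Path) -> bool:
    """True if this exact path is a symlink (any OS) or a Windows reparse point."""
    try:
        st = path.lstat()  # lstat: inspect the link itself, never follow it
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # only populated on Windows
    return bool(attrs & REPARSE_POINT)


def path_has_reparse_point(path) -> bool:
    """Walk the leaf and every parent directory; one link anywhere is enough."""
    p = Path(path)
    return any(is_reparse_point(q) for q in [p, *p.parents])


def safe_move(src, dst_dir, name) -> Path:
    """Move src into dst_dir/name, or raise PermissionError if the destination
    path contains a link (the micropatch's 'treat as an exploitation attempt')."""
    dst = Path(dst_dir) / name
    if path_has_reparse_point(dst):
        raise PermissionError(f"refusing move: link in destination path {dst}")
    shutil.move(str(src), str(dst))
    return dst


def demo() -> dict:
    """Constructed scenario: a staging folder holding rollback files, a real
    Temp folder, and a Temp_link that is really a symlink to a protected folder.
    Returns which moves succeeded and whether the protected folder stayed clean."""
    base = Path(tempfile.mkdtemp(prefix="rbf-demo-")).resolve()
    staging = base / "Config.Msi"
    real_temp = base / "Temp"
    protected = base / "protected"
    for d in (staging, real_temp, protected):
        d.mkdir()
    link_temp = base / "Temp_link"
    # On Windows creating a symlink needs a privilege or Developer Mode.
    os.symlink(protected, link_temp, target_is_directory=True)

    results = {}
    rbf1 = staging / "1.rbf"
    rbf1.write_bytes(b"constructed rollback data")
    results["legit_move_ok"] = safe_move(rbf1, real_temp, "1.rbf").exists()

    rbf2 = staging / "2.rbf"
    rbf2.write_bytes(b"constructed rollback data")
    try:
        safe_move(rbf2, link_temp, "2.rbf")
        results["link_blocked"] = False
    except PermissionError:
        results["link_blocked"] = True
    results["protected_untouched"] = not (protected / "2.rbf").exists()

    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    print(demo())
```

The guard is a pre-check and therefore still has a window between the check and the move in which a link could be introduced; a production implementation would open the destination directory with a handle that does not follow reparse points and perform the move relative to that handle, which is outside the scope of this post.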


0patch said that it has made the micropatch free until an official patch is available. We recommend making use of this micropatch. To use it, create a free account in 0patch Central, download the 0patch agent from 0patch.com, and install and enable it on your Windows system. The 0patch agent takes care of everything else, and no reboot is needed to complete the process.

Time needed: 5 minutes.

How to Fix “InstallerFileTakeOver” 0day LPE Vulnerability?

  1. Create a free account in 0patch

    Visit 0patch Central and log in if you already have an account, or register using an email ID.

    Note: Registration is free.

    https://central.0patch.com/auth/login

    Log in to 0patch for free

  2. Download the free 0patch agent

    Download the 0patch agent from here: https://0patch.com/

    Download the free 0patch agent

  3. Run the 0patch agent installer

    You do not need to do anything special to install the patch. Launch the agent and the patch is installed automatically.

    Install the 0patch agent

  4. Accept the license agreement

    0patch agent: accept the license agreement

  5. Select the installation folder

    Choose the installation path, or keep the default.

    0patch agent: select the installation path

  6. Confirm the installation

    0patch agent: confirm the installation

  7. Finish the 0patch agent installation

    Finish the 0patch agent installation

  8. Sign in to the 0patch agent

    Sign in to the 0patch agent

  9. 0patch dashboard

    Once you sign in to the agent, the dashboard shows the number of available patches.

    0patch dashboard

  10. Fix the “InstallerFileTakeOver” 0day LPE Vulnerability

    Click the ‘PATCH WAS APPLIED’ tile to confirm that the patch for the “InstallerFileTakeOver” 0day LPE vulnerability has been applied.

    Fix the InstallerFileTakeOver 0day LPE Vulnerability

We hope this post helps you understand how to fix the “InstallerFileTakeOver” 0day vulnerability in Windows. Thanks for reading this threat post.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional and founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, and Author at TheSecMaster. To know more about me, follow me on LinkedIn.
