This privilege escalation vulnerability uses the Microsoft Edge Elevation Service to replace any executable file found on the system, enabling malicious code to be run. The PoC released by the researcher includes code that escalates the user directly to SYSTEM. Microsoft originally patched the vulnerability but did not fully fix the underlying issue, which allowed a second and more powerful version to be released. The exploit currently works on all versions of Windows, including Windows 11 and Server 2022. When the executable is run, a new command prompt is opened as SYSTEM. That simple. The executable and source code can be downloaded from:
https://github.com/klinix5/InstallerFileTakeOver
Proof of concept:
System: Microsoft Windows 10 Enterprise
Version: 10.0.19041 N/A Build 19041