New Windows 10 vulnerability allows anyone to get admin privileges

guest · Jul 20, 2021

New Windows 10 vulnerability allows anyone to get admin privileges
July 20, 2021
https://www.bleepingcomputer.com/ne...bility-allows-anyone-to-get-admin-privileges/

Windows 10 and Windows 11 are vulnerable to a local elevation of privilege vulnerability after discovering that users with low privileges can access sensitive Registry database files.
This is especially true for the Security Account Manager (SAM) file as it contains the hashed passwords for all users on a system, which threat actors can use to assume their identity.
SAM file can be read by anyone
Yesterday, security researcher Jonas Lykkegaard told BleepingComputer he discovered that the Windows 10 and Windows 11 Registry files associated with the Security Account Manager (SAM), and all other Registry databases, are accessible to the 'Users' group that has low privileges on a device.

These low permissions were confirmed by BleepingComputer on a fully patched Windows 10 20H2 device, as shown below.
Click to expand...

In addition to stealing NTLM hashes and elevating privileges, Delpy told BleepingComputer that this low privileged access could allow for further attacks, such as Silver Ticket attacks.
It is unclear why Microsoft changed the permissions on the Registry to allow regular users to read the files.

However, Will Dormann, a vulnerability analyst for CERT/CC, and SANS author Jeff McJunkin, said Microsoft introduced the permission changes in Windows 10 1809.
Click to expand...

guest · Jul 20, 2021

Microsoft Windows 10 gives unprivileged user access to SAM, SYSTEM, and SECURITY files
Vulnerability Note VU#506989
July 20, 2021
https://kb.cert.org/vuls/id/506989

Overview
Starting with Windows 10 build 1809, non-administrative users are granted access to SAM, SYSTEM, and SECURITY files. This can allow for local privilege escalation (LPE).
Description
Starting with Windows 10 build 1809, the BUILTIN\Users group is given RX permissions to the following files:

c:\Windows\System32\config\sam
c:\Windows\System32\config\system
c:\Windows\System32\config\security

If a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to achieve a number of impacts [...]
Click to expand...

Impact
By accessing a Windows 10 system's sam, system, and security files on a vulnerable system with at least one VSS shadow copy of the system drive, a local authenticated attacker may be able to achieve LPE, masquerade as other users, or achieve other security-related impacts.
Solution
The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workaround:
Click to expand...

Restrict access to sam, system, and security files and remove VSS shadow copies
Vulnerable systems can remove the Users ACL to read these sensitive files by executing the following commands:

icacls %windir%\system32\config\sam /remove "Users"
icacls %windir%\system32\config\security /remove "Users"
icacls %windir%\system32\config\system /remove "Users"

Confirm that VSS shadow copies were deleted by running vssadmin list shadows again. Note that any capabilities relying on existing shadow copies, such as System Restore, will not function as expected. Newly-created shadow copies, which will contain the proper ACLs, will function as expected.
Click to expand...

itman · Jul 20, 2021

Just a word of warning here.

Although somewhat obvious, this mitigation will delete all your OS restore points. So after performing the mitigation, my advice is to create a restore point in case you need to do a system restore.

BTW - the mitigation works. You will get access denied if trying to access shadow copy files when running under default limited admin account.

Krusty · Jul 20, 2021

Would this mitigation interfere with MR backups?

Azure Phoenix · Jul 20, 2021

Andy replied to this (https://malwaretips.com/threads/new...ne-to-get-admin-privileges.109198/post-951912)

> New Windows 10 vulnerability allows anyone to get admin privileges

“That is not correct. The attack is based on the "Pass-the-Hash" method:

A Pass-the-Hash (PtH) attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems.

So, it is relevant to the business networks and not to the Home environment. PtH exploits Single Sign-On (SS0) through NT Lan Manager (NTLM), Kerberos, and other authentication protocols.”

EASTER · Jul 20, 2021

Azure Phoenix said: ↑

Andy replied to this (https://malwaretips.com/threads/new...ne-to-get-admin-privileges.109198/post-951912)

> New Windows 10 vulnerability allows anyone to get admin privileges

“That is not correct. The attack is based on the "Pass-the-Hash" method:

A Pass-the-Hash (PtH) attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems.

So, it is relevant to the business networks and not to the Home environment. PtH exploits Single Sign-On (SS0) through NT Lan Manager (NTLM), Kerberos, and other authentication protocols.”
Click to expand...

Great informative explanation @Azure Phoenix Appreciate you taking the time to share.

Buddel · Jul 21, 2021

Thank you very much for the useful info, @Azure Phoenix .

guest · Jul 21, 2021

mood said: ↑

New Windows 10 vulnerability allows anyone to get admin privileges
July 20, 2021
https://www.bleepingcomputer.com/ne...bility-allows-anyone-to-get-admin-privileges/
Click to expand...

Updated:

Update 7/20/21 7:15 PM EST: Added Microsoft's statement and the link to the advisory.
In a security advisory released today, Microsoft has confirmed the vulnerability and is now tracking it as CVE-2021-36934.

"We are investigating and will take appropriate action as needed to help keep customers protected," Microsoft told BleepingComputer.
In the advisory, Microsoft has shared mitigations that restrict the permissions on the C:\Windows\system32\config folder.

To block exploitation of this vulnerability temporarily you need to take the following steps:
Click to expand...

Restrict access to the contents of %windir%\system32\config:

Open Command Prompt or Windows PowerShell as an administrator.

Run this command: icacls %windir%\system32\config\*.* /inheritance:e

Delete Volume Shadow Copy Service (VSS) shadow copies:

Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.

Create a new System Restore point (if desired).

Click to expand...

Microsoft provides workaround for HiveNightmare registry vulnerability that affects Windows 10 and 11
July 21, 2021
https://www.neowin.net/news/microso...vulnerability-that-affects-windows-10-and-11/

Microsoft earlier today released a temporary workaround solution for systems that are vulnerable to the newly found HiveNightmare security flaw. The vulnerability was discovered by Twitter user 'Jonas L' and also verified by another user '@GossiTheDog' who noticed that the Windows Security Account Manager (SAM) database - that contains all important passwords and keys - was now apparently accessible by non-admin users. This is why the new flaw is called SeriousSAM or HiveNightmare as it gives an attacker access to SAM, SYSTEM, and SECURITY registry hive files.
Click to expand...

waking · Jul 22, 2021

Interesting exercises for the technically inclined in this blog from Sophos:

Windows “HiveNightmare” bug could leak passwords – here’s what to do!

https://nakedsecurity.sophos.com/2021/07/21/windows-hivenightmare-bug-could-leak-passwords-heres-what-to-do/

lucd · Aug 11, 2021

I got vulenrability OK so
I did in cmd (which "fixes" the vulnarbility)
icacls %windir%\system32\config\*.* /inheritance:e

this one is redundant
icacls %windir%\system32\config\sam /remove "Users"
icacls %windir%\system32\config\security /remove "Users"
icacls %windir%\system32\config\system /remove "Users"

but you need to delete shadow copies
vssadmin delete shadows /for=c: /Quiet
vssadmin.exe Delete Shadows /All /Quiet (for all volumes)
vssadmin list shadows

itman · Aug 11, 2021

Appears to me this vulnerability has been patched:

lucd · Aug 11, 2021

I still have update from 08.07 maybe that's why, I checked and was vulnerable
there is an update from 08.09 for 21h1 windows 10

the VSS is potentially dangeours, I've read that malware might hide there as it is not often scanned: the VSS snapshots potential in hiding data or other malicious stuff
unfortunately macrium reflect uses VSS

you can use WMIC method that does not rely on vssadmin if you use OS default backup
WMIC can also do backup routine

EASTER · Aug 11, 2021

itman said: ↑

Appears to me this vulnerability has been patched:

View attachment 270123
Click to expand...

That might or might not be. It's a Micro bug vulnerability. One of million others not yet discovered no doubt.
As it isn't bad enough their forced overusage of Telemetry nuisance on Windows 10

guest · Dec 6, 2021

Unpatched Windows Zero-Day Allows Privileged File Access
...using the LPE exploitation approach for the HiveNightmare/SeriousSAM bug
November 29, 2021

An unpatched Windows security vulnerability could allow information disclosure and local privilege escalation (LPE), researchers have warned. The issue (CVE-2021-24084) has yet to get an official fix, making it a zero-day bug – but a micropatch has been rolled out as a stop-gap measure.

Security researcher Abdelhamid Naceri originally reported the vulnerability as an information-disclosure issue in October 2020, via Trend Micro’s Zero-Day Initiative (ZDI). Though Microsoft had told him it was planning a fix for last April, the patch has not yet been forthcoming.
Click to expand...

Then, this month, Naceri discovered that CVE-2021-24084 could also be exploited for LPE, so that non-admin Windows users can read arbitrary files even if they do not have permissions to do so. In a proof-of-concept exploit, he demonstrated that it’s possible to copy files from a chosen location into a Cabinet (.CAB) archive that the user can then open and read.

The process for doing so is very similar to the LPE exploitation approach for the HiveNightmare bug, CVE-2021-36934, which affects the Security Accounts Manager (SAM) database in all versions of Windows 10.

“As HiveNightmare/SeriousSAM has taught us, an arbitrary file disclosure can be upgraded to local privilege escalation if you know which files to take and what to do with them,” Mitja Kolsek, head of the 0patch team, noted in a recent posting. “We confirmed this [for the zero-day and were] able to run code as local administrator.”
Click to expand...

There are two pre-requisites for achieving LPE, Kolsek noted.

“System protection must be enabled on drive C, and at least one restore point created. Whether system protection is enabled or disabled by default depends on various parameters,” he said. And, “at least one local administrator account must be enabled on the computer, or at least one ‘administrators’ group member’s credentials cached.”
Click to expand...

Windows Servers are not affected, and neither are Windows 11, Windows 10 v1803 and older Windows 10 versions.
Click to expand...

Log in or Sign up

New Windows 10 vulnerability allows anyone to get admin privileges

guest Guest

guest Guest

itman Registered Member

Krusty Registered Member

Azure Phoenix Registered Member

EASTER Registered Member

Buddel Registered Member

guest Guest

waking Registered Member

lucd Registered Member

itman Registered Member

lucd Registered Member

EASTER Registered Member

guest Guest

Log in or Sign up

New Windows 10 vulnerability allows anyone to get admin privileges

guest Guest

guest Guest

itman Registered Member

Krusty Registered Member

Azure Phoenix Registered Member

EASTER Registered Member

Buddel Registered Member

guest Guest

waking Registered Member

lucd Registered Member

itman Registered Member

lucd Registered Member

EASTER Registered Member

guest Guest

Useful Searches