New Windows 10 vulnerability allows anyone to get admin privileges

Discussion in 'other security issues & news' started by mood, Jul 20, 2021.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    39,345
    New Windows 10 vulnerability allows anyone to get admin privileges
    July 20, 2021
    https://www.bleepingcomputer.com/ne...bility-allows-anyone-to-get-admin-privileges/
     
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    39,345
    Microsoft Windows 10 gives unprivileged user access to SAM, SYSTEM, and SECURITY files
    Vulnerability Note VU#506989
    July 20, 2021

    https://kb.cert.org/vuls/id/506989
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    Just a word of warning here.

    Although somewhat obvious, this mitigation will delete all your OS restore points. So after performing the mitigation, my advice is to create a restore point in case you need to do a system restore.

    BTW - the mitigation works. You will get "access denied" if trying to access shadow copy files when running under the default limited admin account.
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,901
    Location:
    Among the gum trees
    Would this mitigation interfere with MR backups?
     
  5. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,310
    Andy replied to this (https://malwaretips.com/threads/new...ne-to-get-admin-privileges.109198/post-951912)

    > New Windows 10 vulnerability allows anyone to get admin privileges

    “That is not correct. The attack is based on the "Pass-the-Hash" method:

    A Pass-the-Hash (PtH) attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems.

    So, it is relevant to the business networks and not to the Home environment. PtH exploits Single Sign-On (SSO) through NT Lan Manager (NTLM), Kerberos, and other authentication protocols.”
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,593
    Location:
    U.S.A. (South)
    Great informative explanation @Azure Phoenix. Appreciate you taking the time to share.
     
  7. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,572
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    39,345
    Updated:
    Microsoft provides workaround for HiveNightmare registry vulnerability that affects Windows 10 and 11
    July 21, 2021
    https://www.neowin.net/news/microso...vulnerability-that-affects-windows-10-and-11/
     
  9. waking

    waking Registered Member

    Joined:
    Jan 25, 2016
    Posts:
    84
    Interesting exercises for the technically inclined in this blog from Sophos:

    Windows “HiveNightmare” bug could leak passwords – here’s what to do!

    https://nakedsecurity.sophos.com/2021/07/21/windows-hivenightmare-bug-could-leak-passwords-heres-what-to-do/
     
  10. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    640
    Location:
    Island of Woman
    I got the vulnerability, OK, so
    I did this in cmd (which "fixes" the vulnerability):
    icacls %windir%\system32\config\*.* /inheritance:e


    this one is redundant
    icacls %windir%\system32\config\sam /remove "Users"
    icacls %windir%\system32\config\security /remove "Users"
    icacls %windir%\system32\config\system /remove "Users"

    but you need to delete shadow copies
    vssadmin delete shadows /for=c: /Quiet
    vssadmin.exe Delete Shadows /All /Quiet (for all volumes)
    vssadmin list shadows
     
    Last edited: Aug 11, 2021
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    Appears to me this vulnerability has been patched:

    [attachment: Win_icacls.png]
     
  12. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    640
    Location:
    Island of Woman
    I still have the update from 08.07, maybe that's why; I checked and was vulnerable.
    There is an update from 08.09 for 21H1 Windows 10.

    VSS is potentially dangerous; I've read that malware might hide there as it is not often scanned: VSS snapshots have potential for hiding data or other malicious stuff.
    Unfortunately Macrium Reflect uses VSS.

    You can use the WMIC method, which does not rely on vssadmin, if you use the OS default backup.
    WMIC can also do a backup routine.
     
    Last edited: Aug 11, 2021
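    The check-and-mitigate sequence discussed in posts 3, 10 and 12 above, as one Windows PowerShell script. This is an added example, not code from the thread or from Microsoft: the function names (Test-HiveExposed, Get-ShadowCopyCount, Invoke-HiveNightmareWorkaround) and the restore-point description are mine. It assumes an elevated Windows PowerShell 5.1 session on Windows 10/11 (Checkpoint-Computer is not available in PowerShell 7). The ACL test is the same one CERT VU#506989 describes with icacls, looking for BUILTIN\Users holding an Allow ACE on SAM, SECURITY and SYSTEM, but it matches the group by SID so it also works on non-English installs. The workaround step is Microsoft's published one (re-enable inheritance on %windir%\system32\config\*.*, then delete existing shadow copies); the shadow-copy deletion uses the WMI class behind `wmic shadowcopy delete` rather than parsing vssadmin output.

```powershell
# Added example (not from the thread): check a Windows 10/11 host for the HiveNightmare
# (CVE-2021-36934) exposure, apply Microsoft's published workaround, verify it, and
# create a fresh restore point. Run in an elevated Windows PowerShell 5.1 session.
#Requires -RunAsAdministrator

$ConfigDir = Join-Path $env:windir 'System32\config'
$Hives     = 'SAM', 'SECURITY', 'SYSTEM' | ForEach-Object { Join-Path $ConfigDir $_ }
$UsersSid  = 'S-1-5-32-545'   # BUILTIN\Users, matched by SID so the check is locale-independent

function Test-HiveExposed {
    # $true when BUILTIN\Users holds any Allow ACE on the hive file: the vulnerable state,
    # which icacls shows as "BUILTIN\Users:(I)(RX)". Reading the DACL needs only
    # READ_CONTROL, so it works although the kernel keeps the hive open exclusively.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -eq $UsersSid) { return $true }
    }
    return $false
}

function Get-ShadowCopyCount {
    # Persistent VSS snapshots on the machine. Snapshots taken while the hives were
    # world-readable still expose them even after the live files have been fixed.
    return @(Get-CimInstance -ClassName Win32_ShadowCopy).Count
}

function Invoke-HiveNightmareWorkaround {
    # Step 1 (Microsoft workaround): restore ACL inheritance on every file in config\.
    & icacls.exe "$ConfigDir\*.*" /inheritance:e | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

    # Step 2: delete existing shadow copies on all volumes. Same effect as
    # 'vssadmin delete shadows /all /quiet' or 'wmic shadowcopy delete'; this also
    # removes every System Restore point, which is why step 3 exists.
    Get-CimInstance -ClassName Win32_ShadowCopy | Remove-CimInstance

    # Step 3 (itman's advice): create a new restore point now that the hives are fixed.
    # Checkpoint-Computer needs System Protection enabled on the system drive and, by
    # default, refuses to create more than one restore point per 24 hours.
    try {
        Checkpoint-Computer -Description 'Post-HiveNightmare mitigation' -RestorePointType MODIFY_SETTINGS
    } catch {
        Write-Warning "Restore point not created: $($_.Exception.Message)"
    }
}

# --- main ---
$exposed = $Hives | Where-Object { Test-HiveExposed -Path $_ }
if (-not $exposed) {
    "Live hives OK: BUILTIN\Users has no access to SAM/SECURITY/SYSTEM."
    $shadows = Get-ShadowCopyCount
    if ($shadows -gt 0) {
        Write-Warning "$shadows shadow copies exist; any taken before the fix may still hold readable hives."
    }
} else {
    "Exposed hives: $($exposed -join ', ') ($(Get-ShadowCopyCount) shadow copies present)"
    Invoke-HiveNightmareWorkaround
    $still = $Hives | Where-Object { Test-HiveExposed -Path $_ }
    if ($still) { throw "Still exposed after workaround: $($still -join ', ')" }
    "Mitigated. Shadow copies remaining: $(Get-ShadowCopyCount)"
    & icacls.exe (Join-Path $ConfigDir 'SAM')   # show the resulting ACL for the record
}
```

    Two practical notes. Deleting shadow copies removes the snapshots that exist at that moment; it does not disable VSS, so software that takes a fresh snapshot at backup time keeps working. And because the cumulative updates that corrected the permissions do not touch pre-existing snapshots, the "live hives OK" branch still reports leftover shadow copies rather than declaring the machine clean.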
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,593
    Location:
    U.S.A. (South)
    That might or might not be. It's a Micro bug vulnerability, one of a million others not yet discovered, no doubt.
    As if it isn't bad enough with their forced overuse of the telemetry nuisance on Windows 10.
     