Security Alert New Windows 10 vulnerability allows anyone to get admin privileges

Gandalf_The_Grey

Level 48
Verified
Trusted
Content Creator
Apr 24, 2016
3,761
From that article:
It is unclear why Microsoft changed the permissions on the Registry to allow regular users to read the files.

However, Will Dormann, a vulnerability analyst for CERT/CC, and SANS author Jeff McJunkin, said Microsoft introduced the permission changes in Windows 10 1809.

Strangely, Dormann stated that when installing a fresh version of Windows 10 20H2 from June, the loose permissions were not present.

Therefore, it is not clear if Microsoft fixed the permission issue when performing a clean installation of Windows but did not fix it when upgrading to new versions.

BleepingComputer has reached out to Microsoft for more information but has not heard back at this time.
 

Andy Ful

Level 71
Verified
Trusted
Content Creator
Dec 23, 2014
6,017
That is not correct. The attack is based on the "Pass-the-Hash" method:
A Pass-the-Hash (PtH) attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems.
So, it is relevant to the business networks and not to the Home environment. PtH exploits Single Sign-On (SSO) through NT LAN Manager (NTLM), Kerberos, and other authentication protocols.
 

Terry Ganzi

Level 26
Verified
Feb 7, 2014
1,541
While Microsoft has published CVE-2021-36934 about this issue, the CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workaround:
Restrict access to sam, system, and security files and remove VSS shadow copies

Vulnerable systems can remove the Users ACL to read these sensitive files by executing the following commands:

icacls %windir%\system32\config\sam /remove "Users"
icacls %windir%\system32\config\security /remove "Users"
icacls %windir%\system32\config\system /remove "Users"
 

Gandalf_The_Grey

Level 48
Verified
Trusted
Content Creator
Apr 24, 2016
3,761
Windows 10 more vulnerable – revisited
I asked the other day if Windows 10 was more vulnerable. Turns out we have another problem with Windows 10 – and Windows 11 for that matter.

CVE-2021-36934 has been released to track an issue that a researcher has stumbled on … and it’s honestly been around for a while. Starting with Windows 10 1809 and later, the default permissions on the “Security accounts manager database” (also known as SAM database) aren’t set right and if you are a non administrator user where you shouldn’t have the ability to access that file, in Windows 10 1809 and later you DO have rights to that file.

While on consumer and home computers this isn’t a huge issue, in businesses where keeping ransomware at bay is near impossible these days, it’s not a good thing at all.

BleepingComputer explains the situation…. “With these low file permissions, a threat actor with limited privileges on a device can extract the NTLM hashed passwords for all accounts on a device and use those hashes in pass-the-hash attacks to gain elevated privileges.”

The SANS site tells how specifically this vulnerability takes place….“The only issue here is how do we read those files: when Windows are running, the access to the files is locked and even though we have read permission, we won’t be able to read them. As two great researchers found (@jonasLyk and @gentilkiwi), we can actually abuse Volume Shadow Copy to read the files. VSS will allow us to bypass the file being locked, and since we have legitimate read access, there’s nothing preventing us from reading the file. VSS is a feature that is enabled automatically on Windows and that allows us to restore previous copies in case something got messed up during installation of a new application or patch, for example. If your system disk is greater than 128 GB, it will be enabled automatically!”

Action items to take as a consumer: Nothing. The potential mitigation “apart from disabling/removing VSS copies. Keep in mind that the permission on the hives will still be wrong, but at least a non-privileged user will not be able to easily fetch these files due to them being locked by Windows as the system is running.” to me is not viable and puts your system at risk for not being able to use previous versions tab, backups and other goodness. I’d rather not change any permissions because given that this has been in place since 1809, software may be expecting these permissions. I’ll let you know when a patch or fix comes out, or a mitigation that I consider safe.

Actions to take as an IT Pro or MSP: Also nothing at this time. Again, I consider VSS copies too important to disable.
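An added defender-side check for the condition described in the CERT/CC workaround quoted earlier and in the SANS explanation above; this is not code from the thread, from CERT/CC or from SANS. It assumes a Windows 10/11 host with PowerShell 5.1 or later and the standard hive locations under %windir%\system32\config. It only reads the hive ACLs and lists existing shadow copies; it changes nothing, and it prints the CERT/CC icacls commands as the suggested remediation rather than running them.

```powershell
# Added example (not from the thread, CERT/CC or SANS): audit whether the
# SAM/SECURITY/SYSTEM hive files grant read access to the local Users group,
# and whether VSS shadow copies exist from which such a readable copy could
# be served while the live files are locked. Read-only; run elevated so that
# Get-Acl and the shadow copy query succeed.

function Test-HiveExposure {
    # Hive paths are the standard Windows locations (assumption: default %windir%).
    $hives = @('sam', 'security', 'system') | ForEach-Object {
        Join-Path $env:windir "system32\config\$_"
    }

    $exposed = @()
    foreach ($hive in $hives) {
        if (-not (Test-Path -LiteralPath $hive)) { continue }
        $acl = Get-Acl -LiteralPath $hive
        foreach ($ace in $acl.Access) {
            # An entry matters if it is an Allow ACE for BUILTIN\Users (or the
            # localized "...\Users" name) that includes the ReadData right.
            $isUsers    = $ace.IdentityReference.Value -match '\\Users$'
            $allowsRead = ($ace.AccessControlType -eq 'Allow') -and
                (($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)
            if ($isUsers -and $allowsRead) {
                $exposed += [pscustomobject]@{
                    Hive     = $hive
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }

    # Existing shadow copies: the SANS quote explains these are what make the
    # (otherwise locked) hive files readable to a low-privileged user.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        UsersCanReadHives = ($exposed.Count -gt 0)
        ExposedEntries    = $exposed
        ShadowCopyCount   = $shadows.Count
        ShadowCopies      = $shadows | Select-Object ID, InstallDate, VolumeName
    }
}

$result = Test-HiveExposure

if ($result.UsersCanReadHives) {
    Write-Host "Users group has read access on hive file(s):" -ForegroundColor Yellow
    $result.ExposedEntries | Format-Table -AutoSize
} else {
    Write-Host "Hive files do not grant read access to the Users group."
}

Write-Host ("Existing VSS shadow copies: {0}" -f $result.ShadowCopyCount)
if ($result.ShadowCopyCount -gt 0) {
    $result.ShadowCopies | Format-Table -AutoSize
}

if ($result.UsersCanReadHives) {
    # Remediation from the CERT/CC workaround quoted in this thread; shown, not executed.
    Write-Host "CERT/CC workaround (review before applying):"
    'icacls %windir%\system32\config\sam /remove "Users"',
    'icacls %windir%\system32\config\security /remove "Users"',
    'icacls %windir%\system32\config\system /remove "Users"' | ForEach-Object { Write-Host "  $_" }
    Write-Host "  Note: fixing the ACL does not change copies already captured in existing shadow copies."
}
```

The two results are reported separately on purpose: a host where the Users group can read the hives but no shadow copies exist is misconfigured but not immediately exposed, while a host with both conditions matches the scenario the SANS text describes. The last line of output reflects the point made in the workaround, that shadow copies taken before the ACL change still contain the hive files with the old permissions, which is why the CERT/CC text pairs the icacls change with removing existing VSS copies.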
 

Andy Ful

Level 71
Verified
Trusted
Content Creator
Dec 23, 2014
6,017
Although this vulnerability does not allow the attacker to get higher privileges in the Home environment, the fact of the Read access to SAM database is not good for the Home users too. Most NTLM hashes can be easily cracked by using some known tools (they use precomputed tables of hashes related to password wordlists).
Anyway, it seems that Microsoft accounts are not vulnerable.

Edit.
The Home users who created untypical login passwords can sleep soundly too. The vulnerability is so dangerous for Enterprises that it will be patched by Microsoft soon.
 