[ad_1]
Windows 10 and Windows 11 are vulnerable to a local elevation of privilege vulnerability after discovering that users with low privileges can access sensitive files in the registry database.
The Windows registry serves as a configuration repository for the Windows operating system and contains hashed passwords, user customizations, configuration options for applications, system decryption keys, and more.
The database files associated with the Windows registry are stored in the C: Windows system32 config folder and are divided into different files such as SYSTEM, SECURITY, SAM, DEFAULT and SOFTWARE.
Because these files contain sensitive information about all user accounts on a device and security tokens used by Windows features, they should not be viewed by normal users without elevated privileges.
This is especially true for the Security Account Manager (SAM) file because it contains hashed passwords for all users on a system, which malicious actors can use to assume their identity.
SAM file can be read by anyone
Yesterday, security researcher Jonas Lykkegaard told BleepingComputer that he discovered that the Windows 10 and Windows 11 registry files associated with the Security Account Manager (SAM) and all other registry databases were accessible to the “Users” group which has low privileges on a device.
These low permissions have been confirmed by BleepingComputer on a fully patched Windows 10 20H2 device as shown below.
With these low file permissions, a malicious actor with limited privileges on a device can extract NTLM hashed passwords for all accounts on a device and use these hashes in pass-the-hash attacks to gain elevated privileges.
Because registry files, such as the SAM file, are still in use by the operating system, when you try to access the file, you receive an access violation because the files are opened and locked by another program.
However, since registry files, including SAM, are typically backed up by Shadow Copies of Windows Volumes, Lykkegaard states that you can access files through Shadow Volumes without access violation.
For example, malicious actors can use the following Win32 device namespace path for volume shadow copies below to access the SAM file by any user on the computer.
\?GLOBALROOTDeviceHarddiskVolumeShadowCopy1WindowsSystem32configSAMUsing these weak and incorrect file permissions along with shadow volume copies of the files, security researcher and creator of Mimikatz Benjamin Delpy told BleepingComputer that you can easily steal NTLM hashed password from elevated account to gain higher privileges.
This attack is illustrated in the video below created by Delpy and shared with BleepingComputer which shows Mimikatz using an NTLM hash to gain debugging privileges.
In addition to stealing NTLM hashes and elevating privileges, Delpy told BleepingComputer that this low privilege access could allow other attacks, such as Silver Ticket attacks.
It is not known why Microsoft changed the permissions on the registry to allow regular users to read files.
however, Will Dormann, vulnerability analyst for CERT / CC and author SANS Jeff McJunkin, said Microsoft introduced permission changes in Windows 10 1809.
Oddly, Dormann said that when installing a new version of Windows 10 20H2 from June, free permissions were not present.
Therefore, it is not clear whether Microsoft fixed the permission issue during a clean install of Windows but did not resolve it when upgrading to new versions.
BleepingComputer has contacted Microsoft for more information but has not had a response yet.
[ad_2]
Source link