Windows 10 and Windows 11 are vulnerable to a local elevation of privilege vulnerability following the discovery that users with low privileges can read sensitive Registry database files.
The Windows Registry acts as the configuration repository for the Windows operating system and contains hashed passwords, user customizations, configuration options for applications, system decryption keys, and more.
The database files associated with the Windows Registry are stored under the C:\Windows\System32\config folder and are broken up into different files such as SYSTEM, SECURITY, SAM, DEFAULT, and SOFTWARE.
As these files contain sensitive information about all user accounts on a device and security tokens used by Windows features, they should be restricted from being viewed by regular users with no elevated privileges.
This is especially true for the Security Account Manager (SAM) file as it contains the hashed passwords for all users on a system, which threat actors can use to assume their identity.
SAM file can be read by anyone
Yesterday, security researcher Jonas Lykkegaard told BleepingComputer he discovered that the Windows 10 and Windows 11 Registry files associated with the Security Account Manager (SAM), and all other Registry databases, are accessible to the ‘Users’ group that has low privileges on a device.
These low permissions were confirmed by BleepingComputer on a fully patched Windows 10 20H2 device, as shown below.
With these low file permissions, a threat actor with limited privileges on a device can extract the NTLM hashed passwords for all accounts on a device and use those hashes in pass-the-hash attacks to gain elevated privileges.
As the Registry files, such as the SAM file, are always in use by the operating system, when you attempt to access the file, you will receive an access violation as the files are open and locked by another program.
However, as the Registry files, including the SAM, are usually backed up by the Windows shadow volume copies, Lykkegaard says you can access the files through shadow volumes without an access violation.
For example, any user on the computer can use the following Win32 device namespace path for shadow volume copies to access the SAM file.
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM
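The exposure described above has two preconditions: the hive files under System32\config grant read access to the low-privileged BUILTIN\Users group, and a volume shadow copy exists from which the locked files can be read. The following PowerShell audit script is an added example, not part of the article or of any tool it mentions; it checks both conditions on the local host and reports them without touching the hives' contents. The hive list and the `Test-HiveReadableByUsers` function name are this example's own choices.

```powershell
# Added example: audit whether the Registry hive files under
# %SystemRoot%\System32\config are readable by BUILTIN\Users, and whether
# volume shadow copies exist that would expose those hives. Read-only; it
# changes nothing on the system.

$hives = 'SAM', 'SECURITY', 'SYSTEM', 'DEFAULT', 'SOFTWARE'   # hives named in the article
$configDir = Join-Path $env:SystemRoot 'System32\config'

function Test-HiveReadableByUsers {
    param([string]$Path)
    # Get-Acl reads only the security descriptor, so it succeeds even though
    # the hive itself is open and locked by the operating system.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $isUsers = $ace.IdentityReference.Value -eq 'BUILTIN\Users'
        $grantsRead = ($ace.FileSystemRights -band
            [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
        if ($isUsers -and $ace.AccessControlType -eq 'Allow' -and $grantsRead) {
            return $true
        }
    }
    return $false
}

$anyExposed = $false
foreach ($hive in $hives) {
    $path = Join-Path $configDir $hive
    if (Test-Path -LiteralPath $path) {
        $exposed = Test-HiveReadableByUsers -Path $path
        if ($exposed) { $anyExposed = $true }
        '{0,-10} readable by BUILTIN\Users: {1}' -f $hive, $exposed
    }
}

# Shadow copies are what make the locked hives reachable through the
# \\?\GLOBALROOT path quoted in the article, so count them as well.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
'Volume shadow copies present: {0}' -f $shadows.Count

if ($anyExposed -and $shadows.Count -gt 0) {
    Write-Warning 'Hive files are readable by Users and shadow copies exist: exposure is live.'
} elseif ($anyExposed) {
    Write-Warning 'Hive files are readable by Users; any future shadow copy will expose them.'
} else {
    'Hive permissions look correct.'
}
```

The script can be run by a standard user, which is itself a useful signal: if Get-Acl fails with access denied, the ACL is already restrictive. Where the audit reports exposure, the remediation is to restore the expected ACL on the config directory (Microsoft's published workaround does this with `icacls %windir%\system32\config\*.* /inheritance:e`) and then remove existing shadow copies, since copies taken while the permissions were loose keep the permissive ACL.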
Using these low and incorrect file permissions, along with shadow volume copies of the files, security researcher and Mimikatz creator Benjamin Delpy told BleepingComputer that you could easily steal an elevated account’s NTLM hashed password to gain higher privileges.
This attack is demonstrated in the video below created by Delpy and shared with BleepingComputer that shows Mimikatz using an NTLM hash to gain debug privileges.
In addition to stealing NTLM hashes and elevating privileges, Delpy told BleepingComputer that this low privileged access could allow for further attacks, such as Silver Ticket attacks.
It is unclear why Microsoft changed the permissions on the Registry to allow regular users to read the files.
However, Will Dormann, a vulnerability analyst for CERT/CC, and SANS author Jeff McJunkin, said Microsoft introduced the permission changes in Windows 10 1809.
Strangely, Dormann stated that when installing a fresh version of Windows 10 20H2 from June, the loose permissions were not present.
Therefore, it is not clear if Microsoft fixed the permission issue when performing a clean installation of Windows but did not fix it when upgrading to new versions.
BleepingComputer has reached out to Microsoft for more information but has not heard back at this time.