A researcher who goes by the Twitter handle @jonasLyk has unearthed an easily exploitable vulnerability (CVE-2021-36934) in Windows 10 that may allow local non-administrative users to gain administrative-level privileges.
yarh- by now it's safe to say that win 10 is also vulnerable.
— Jonas L (@jonasLyk) July 19, 2021
“An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability,” Microsoft confirmed.
The vulnerability received a CVE number and Microsoft is still investigating which Windows versions are affected and working on a fix.
At the moment, the company has advised on two temporary workarounds, which include restricting access to the contents of %windir%\system32\config, and deleting Volume Shadow Copy Service (VSS) shadow copies. CERT/CC provided helpful instructions on how to do that.
The vulnerability stems from the fact that non-administrative users can read the vulnerable host's SAM (Security Accounts Manager), SYSTEM, and SECURITY Windows Registry hive files.
As noted by researcher Benjamin Delpy and CERT/CC's Will Dormann, these files can contain hashed passwords for user accounts, the original Windows installation password, DPAPI computer keys (which can be used to decrypt all computer private keys), and more.
Q: what can you do when you have #mimikatz🥝 & some Read access on Windows system files like SYSTEM, SAM and SECURITY?
A: Local Privilege Escalation 🥳
— 🥝 Benjamin Delpy (@gentilkiwi) July 20, 2021
What happens when Microsoft accidentally gives BUILTIN\Users the ability to read the Windows 10 SAM:
Mimikatz lsadump::sam as a non-admin user, for example.
Some installs off of very-recent ISO builds are not vulnerable. But assume you are vulnerable until you prove otherwise. pic.twitter.com/GNTiSUyCgl
— Will Dormann (@wdormann) July 20, 2021
CVE-2021-36934 is exploitable only if a VSS shadow copy of the system drive is available, because the live hive files are held open by the operating system while Windows is running and can only be read from a shadow copy. But, as Dormann explained, while VSS shadow copies may not be available in some configurations, "simply having a system drive that is larger than 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be automatically created."
UPDATE (July 21, 2021, 04:00 a.m. PT):
Kevin Beaumont has released a zero-day PoC exploit for CVE-2021-36934 (aka HiveNightmare).
UPDATE (July 23, 2021, 00:45 a.m. PT):
Microsoft has updated the security advisory to note that the flaw affects various Windows 10 and Windows Server versions. They also confirmed that, to mitigate the issue before a fix is released, users and administrators have to both restrict access to the contents of %windir%\system32\config and delete shadow copies to prevent exploitation of this vulnerability.
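The following PowerShell is an added example, not code from the article, from Microsoft, CERT/CC or the researchers quoted above. It ties together the check described by Dormann (does BUILTIN\Users hold a read ACE on the SAM, SYSTEM and SECURITY hives?), the shadow-copy precondition from the paragraph on exploitability, and the two-part workaround Microsoft confirmed on July 23. It assumes Windows 10 with Windows PowerShell 5.1 or later and that the system drive is the one in $env:SystemDrive; Test-HiveNightmare can run as a standard user, while the shadow-copy listing and the mitigation need an elevated console. All function names are the example's own.

```powershell
# Added example (not from the article, Microsoft, CERT/CC or the researchers quoted).
# Checks the hive ACLs that CVE-2021-36934 (HiveNightmare) abuses, lists the shadow copies
# that make the flaw exploitable, and applies Microsoft's two-part workaround.
# Assumptions: Windows 10, Windows PowerShell 5.1+, system drive is $env:SystemDrive.
# Test-HiveNightmare works as a standard user; the other two functions need elevation.

$HiveDir  = Join-Path $env:windir 'System32\config'
$Hives    = 'SAM', 'SYSTEM', 'SECURITY'
$ReadData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Test-HiveNightmare {
    # One result per hive: does BUILTIN\Users hold an Allow ACE with read access on the live file?
    # On a vulnerable build this is the inherited BUILTIN\Users:(I)(RX) entry seen in icacls output.
    foreach ($name in $Hives) {
        $path = Join-Path $HiveDir $name
        $usersCanRead = $false
        try {
            # Reading the DACL needs READ_CONTROL, which the overly permissive RX ACE grants.
            $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
            $usersCanRead = [bool]($acl.Access | Where-Object {
                $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.FileSystemRights) -band $ReadData) -ne 0
            })
        } catch {
            # A standard user on a fixed or mitigated system cannot even read the DACL;
            # that is the expected "not vulnerable" outcome, so $usersCanRead stays $false.
        }
        [pscustomobject]@{ Hive = $name; Path = $path; UsersCanRead = $usersCanRead }
    }
}

function Get-SystemDriveShadowCopies {
    # The live hives are locked while Windows runs, so an attacker reads them from a shadow
    # copy of the system volume instead. Enumerating shadow copies requires administrator rights.
    $sysVol = Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter = '$env:SystemDrive'"
    Get-CimInstance -ClassName Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $sysVol.DeviceID }
}

function Invoke-HiveNightmareMitigation {
    # Both steps are required: fixing the ACL alone leaves readable copies of the hives
    # inside every shadow copy created before the fix.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($HiveDir, 'icacls /inheritance:e')) {
        # Step 1 (Microsoft workaround): re-enable inheritance on every file in config so the
        # hives pick up the config directory's ACL, which does not grant Users read access.
        & icacls.exe (Join-Path $HiveDir '*.*') /inheritance:e
    }
    if ($PSCmdlet.ShouldProcess($env:SystemDrive, 'vssadmin delete shadows')) {
        # Step 2: delete existing shadow copies of the system drive. This also removes System
        # Restore points, so create a new restore point afterwards if you rely on them.
        & vssadmin.exe delete shadows "/for:$env:SystemDrive" /Quiet
    }
}

# Usage:
Test-HiveNightmare | Format-Table -AutoSize
# Get-SystemDriveShadowCopies | Select-Object ID, InstallDate, DeviceObject   # elevated console
# Invoke-HiveNightmareMitigation -WhatIf    # elevated console; drop -WhatIf to apply
```

Run Test-HiveNightmare first from an unelevated prompt: a row with UsersCanRead = True for any hive, combined with at least one shadow copy of the system drive from Get-SystemDriveShadowCopies, is the exploitable state the article describes. Invoke-HiveNightmareMitigation supports -WhatIf so the two commands can be previewed before they touch the ACLs or delete restore points; as the advisory update notes, the mitigation is only complete once both steps have run.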