New Vulnerability in Windows 10 Allows Admin Hijacking
The Windows Registry serves as a configuration store for the Windows operating system and contains hashed passwords, user customizations, configuration options for applications, system decryption keys, and more.
The database files associated with the Windows Registry are stored in the C:\Windows\System32\config folder and are divided into different files such as SYSTEM, SECURITY, SAM, DEFAULT, and SOFTWARE.
Because these files contain sensitive information about all user accounts on the device and security tokens used by Windows features, users without elevated privileges will not be able to access them.
This is especially true for Security Account Manager (SAM) because it contains hashed passwords for all users on a system, which threat actors can use to assume their identities.
On July 21, Bleeping Computer quoted security researcher Jonas Lykkegaard as saying that he discovered that the Windows 10 and Windows 11 Registry files associated with SAM, and all other Registry databases, can be accessed by the low-privileged Users group on the device.
These weak permissions have been confirmed by BleepingComputer on a fully patched Windows 10 20H2 computer, as shown below.
With these file permissions, a threat actor with limited privileges on the device can extract the NTLM hashed passwords for all accounts on the device and use those hashes in pass-the-hash attacks to gain elevated privileges.
Since Registry files such as SAM are always held open by the operating system, trying to access the file directly results in an access violation error because the file is open and locked by another process.
However, according to Lykkegaard, since Registry files, including SAM, are often backed up by Volume Shadow Copy, you can access the file through the Shadow Volume without triggering that access violation.
For example, threat actors can use the following path for Shadow Volume to access the SAM file from any user on the computer.
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM
According to security researcher Benjamin Delpy, you can easily steal an admin account's NTLM hashed password to gain higher privileges.
In addition to stealing NTLM hashes and privilege escalation, Delpy said this low-privileged access could enable further attacks, such as Silver Ticket attacks.
It is not clear why Microsoft changed the permissions on the Registry files to allow ordinary users to read them. However, Will Dormann, a CERT/CC vulnerability analyst, and Jeff McJunkin, a SANS author, say Microsoft introduced these permission changes in Windows 10 1809.
In a security advisory published today, Microsoft confirmed the vulnerability and attached the tracking code CVE-2021-36934.
"We are investigating and will take appropriate action to protect our customers," Microsoft said.
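As an added example that is not part of the original article, the following PowerShell script audits the SAM, SYSTEM and SECURITY hive files for the exposed condition described above (an Allow entry granting BUILTIN\Users read access), lists existing shadow copies, and with -Fix applies the icacls inheritance reset that Microsoft published as a workaround for this CVE (the workaround itself is not described on this page and is assumed here). It must be run as administrator to apply the fix.

```powershell
# Added example (not the article's or Microsoft's code): audit registry hive files
# for the CVE-2021-36934 condition and optionally apply the icacls workaround.
# Usage:  .\Check-HiveAcl.ps1          (audit only)
#         .\Check-HiveAcl.ps1 -Fix     (audit, then reset ACL inheritance; run elevated)
param([switch]$Fix)

$configDir  = Join-Path $env:windir 'System32\config'
$hives      = 'SAM', 'SYSTEM', 'SECURITY'
$readData   = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$vulnerable = $false

foreach ($hive in $hives) {
    $path = Join-Path $configDir $hive
    # Get-Acl only needs READ_CONTROL, so it works even though the hive is locked.
    $acl  = Get-Acl -Path $path
    # Any Allow ACE for BUILTIN\Users that includes ReadData is the exposed state.
    $userRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $readData) -ne 0)
    }
    if ($userRead) {
        Write-Warning "$hive is readable by BUILTIN\Users (CVE-2021-36934 exposure)"
        $vulnerable = $true
    } else {
        Write-Output "$hive : no read access for BUILTIN\Users"
    }
}

# Shadow copies hold unlocked copies of the hives with the same ACLs, so a
# fixed live file is not enough while older shadow copies remain.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
Write-Output "Existing shadow copies: $($shadows.Count)"

if ($vulnerable -and $Fix) {
    # Re-enable ACL inheritance on every hive file so the folder's restrictive
    # permissions apply again (Microsoft's published workaround for this CVE).
    icacls "$configDir\*.*" /inheritance:e
    # Remove existing shadow copies; this also discards System Restore points.
    vssadmin delete shadows /all /quiet
}
```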