New Vulnerability in Windows 10 Allows Admin Hijacking

The Windows Registry serves as a configuration store for the Windows operating system and contains hashed passwords, user customizations, configuration options for applications, system decryption keys, and more.

The database files associated with the Windows Registry are stored in the C:Windowssystem32config folder and are divided into different files such as SYSTEM, SECURITY, SAM, DEFAULT, and SOFTWARE.

Because these files contain sensitive information about all user accounts on the device and security tokens used by Windows features, users without elevated privileges will not be able to access them.

This is especially true for Security Account Manager (SAM) because it contains hashed passwords for all users on a system, which threat actors can use to assume their identities.

On July 21, Bleeping Computer quoted security researcher Jonas Lykkegaard as saying that he discovered that the Windows 10 and Windows 11 Registry files associated with SAM, and all Registry databases, can be can access the low-privileged User group on the device.

These low permissions have been confirmed by BleepingComputer on a fully patched Windows 10 20H2 computer, as shown below.

With low-level file permissions, a threat actor with limited privileges on the device can extract NTLM hashed passwords for all accounts on the device and use those hashes in attacks. pass-the-hash public to gain elevated privileges.

Since Registry files, such as SAM files, are always used by the operating system, when you try to access the file, you will get an access violation error because the file is open and locked by another program.

However, according to Lykkegaard, since Registry files, including SAM, are often backed up with Shadows Copy, you can access the file through the Shadow Volume without violating access rights.

For example, threat actors can use the following path for Shadow Volume to access the SAM file from any user on the computer.

?GLOBALROOTDeviceHarddiskVolumeShadowCopy1WindowsSystem32configSAM

According to security researcher Benjamin Delpy, you can easily steal an admin account's NTLM hashed password to gain higher privileges.

In addition to stealing NTLM hashes and privilege upgrades, Delpy said this low-privileged access could enable further attacks, such as Silver Ticket attacks.

It is not clear why Microsoft changed permissions on the Registry to allow ordinary users to read files. However, Will Dormann, a CERT/CC vulnerability analyst, and Jeff McJunkin, author of SANS, say Microsoft introduced these permission changes in Windows 10 1809.

In a security advisory published today, Microsoft confirmed the vulnerability and attached the tracking code CVE-2021-36934.

"We are investigating and will take appropriate action to protect our customers," Microsoft said.

Micah Soto

Update 21 July 2021