{"vuid":"VU#506989","idnumber":"506989","name":"Microsoft Windows 10 gives unprivileged user access to system32\\config files","keywords":null,"overview":"### Overview\r\n\r\nMultiple versions of Windows 10 grant non-administrative users read access to files in the `%windir%\\system32\\config` directory. This can allow for local privilege escalation (LPE).\r\n\r\n### Description\r\n\r\nWith multiple versions of Windows 10, the `BUILTIN\\Users` group is given `RX` permissions to files in the `%windir%\\system32\\config` directory.\r\n\r\nIf a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to achieve a number of impacts, including but not limited to:\r\n\r\n* Extract and leverage account password hashes.\r\n* Discover the original Windows installation password.\r\n* Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.\r\n* Obtain a computer machine account, which can be used in a [silver ticket attack](https://www.sans.org/blog/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-and-more/).\r\n\r\nNote that VSS shadow copies may not be available in some configurations; however, simply having a system drive that is larger than 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be [automatically created](https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/system-restore-points-disabled#more-information). 
To check if a system has VSS shadow copies available, run the following command from a privileged command prompt:\r\n\r\n`vssadmin list shadows`\r\n\r\nA system with VSS shadow copies will report details of at least one shadow copy that specifies `Original Volume: (C:)`, such as the following:\r\n\r\n```\r\nvssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool\r\n(C) Copyright 2001-2013 Microsoft Corp.\r\n\r\nContents of shadow copy set ID: {d9e0503a-bafa-4255-bfc5-b781cb27737e}\r\n   Contained 1 shadow copies at creation time: 7/19/2021 10:29:49 PM\r\n      Shadow Copy ID: {b7f4115b-4242-4e13-84c0-869524965718}\r\n         Original Volume: (C:)\\\\?\\Volume{4c1bc45e-359f-4517-88e4-e985330f72e9}\\\r\n         Shadow Copy Volume: \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\r\n         Originating Machine: DESKTOP-PAPIHMA\r\n         Service Machine: DESKTOP-PAPIHMA\r\n         Provider: 'Microsoft Software Shadow Copy provider 1.0'\r\n         Type: ClientAccessibleWriters\r\n         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered\r\n```\r\n\r\nA system **without** VSS shadow copies will produce output like the following:\r\n\r\n```\r\nvssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool\r\n(C) Copyright 2001-2013 Microsoft Corp.\r\n\r\nNo items found that satisfy the query.\r\n```\r\n\r\nTo check if a system is vulnerable, the following command can be used from a non-privileged command prompt:\r\n\r\n`icacls %windir%\\system32\\config\\sam`\r\n\r\nA vulnerable system will report `BUILTIN\\Users:(I)(RX)` in the output like this:\r\n\r\n```\r\nC:\\Windows\\system32\\config\\sam BUILTIN\\Administrators:(I)(F)\r\n                               NT AUTHORITY\\SYSTEM:(I)(F)\r\n                               BUILTIN\\Users:(I)(RX)\r\n                               APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)\r\n                               APPLICATION PACKAGE 
AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)\r\n\r\nSuccessfully processed 1 files; Failed processing 0 files\r\n```\r\n\r\nA system that is not vulnerable will report output like this:\r\n\r\n```\r\nC:\\Windows\\system32\\config\\sam: Access is denied.\r\nSuccessfully processed 0 files; Failed processing 1 files\r\n```\r\n\r\nThis vulnerability has been publicly referred to as both HiveNightmare and SeriousSAM, while Microsoft has assigned CVE-2021-36934 to the vulnerability.\r\n\r\n### Impact\r\nBy accessing files in the Windows `%windir%\\system32\\config` directory on a vulnerable system with at least one VSS shadow copy of the system drive, a local authenticated attacker may be able to achieve LPE, masquerade as other users, or achieve other security-related impacts.\r\n\r\n### Solution\r\nPlease see the [Microsoft bulletin for CVE-2021-36934](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934), which contains a workaround. Specifically:\r\n\r\n#### Restrict access to %windir%\\system32\\config and remove VSS shadow copies\r\n\r\nVulnerable systems can enable ACL inheritance for files in the `%windir%\\system32\\config` directory by running the following command from an elevated prompt:\r\n\r\n```\r\nicacls %windir%\\system32\\config\\*.* /inheritance:e\r\n```\r\n\r\nOnce the ACLs have been corrected for these files, any VSS shadow copies of the system drive must be deleted to protect a system against exploitation. This can be accomplished with the following command:\r\n\r\n```\r\nvssadmin delete shadows /for=%systemdrive% /Quiet\r\n```\r\n\r\nConfirm that VSS shadow copies were deleted by running `vssadmin list shadows` again. Note that any capabilities relying on existing shadow copies, such as System Restore, will not function as expected. Newly-created shadow copies, which will contain the proper ACLs, will function as expected. 
Please see [KB5005357](https://support.microsoft.com/en-us/topic/kb5005357-delete-volume-shadow-copies-1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7) for more details.\r\n\r\n### Acknowledgements\r\nThis vulnerability was publicly disclosed by Jonas Lyk, with additional details provided by Benjamin Delpy.\r\n\r\nThis document was written by Will Dormann.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934","https://support.microsoft.com/en-us/topic/kb5005357-delete-volume-shadow-copies-1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7","https://twitter.com/jonasLyk/status/1417205166172950531","https://twitter.com/gentilkiwi/status/1417467063883476992","https://www.sans.org/blog/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-and-more/","https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/system-restore-points-disabled#more-information","https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5"],"cveids":["CVE-2021-36934"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2021-07-20T16:48:31.399604Z","publicdate":"2021-07-20T16:48:31.185957Z","datefirstpublished":"2021-07-20T16:48:31.420984Z","dateupdated":"2021-07-29T16:29:54.009318Z","revision":11,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":49}