VU#506989: Microsoft Windows 10 gives unprivileged user access to SAM, SYSTEM, and SECURITY files

Published: 2021-07-20  16:48:31.420984+00:00

Overview

Starting with Windows 10 build 1809, non-administrative users are granted access to SAM, SYSTEM, and SECURITY files. This can allow for local privilege escalation (LPE).

Description

Starting with Windows 10 build 1809, the BUILTIN\Users group is given RX permissions to the following files:

c:\Windows\System32\config\sam
c:\Windows\System32\config\system
c:\Windows\System32\config\security

If a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to achieve a number of impacts, including but not limited to:

  • Extract and leverage account password hashes.
  • Discover the original Windows installation password.
  • Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.
  • Obtain a computer machine account, which can be used in a silver ticket attack.

Note that VSS shadow copies may not be available in some configurations. However, simply having a system drive that is larger than 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy is automatically created. To check if a system has VSS shadow copies available, run the following command from a privileged command prompt:

vssadmin list shadows

A system with VSS shadow copies will report details of at least one shadow copy that specifies Original Volume: (C:), such as the following:

vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {d9e0503a-bafa-4255-bfc5-b781cb27737e}
   Contained 1 shadow copies at creation time: 7/19/2021 10:29:49 PM
      Shadow Copy ID: {b7f4115b-4242-4e13-84c0-869524965718}
         Original Volume: (C:)\\?\Volume{4c1bc45e-359f-4517-88e4-e985330f72e9}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: DESKTOP-PAPIHMA
         Service Machine: DESKTOP-PAPIHMA
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

A system without VSS shadow copies will produce output like the following:

vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.

To check if a system is vulnerable, the following command can be used from a non-privileged account:

icacls %windir%\system32\config\sam

A vulnerable system will report BUILTIN\Users:(I)(RX) in the output like this:

C:\Windows\system32\config\sam BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

A system that is not vulnerable will report output like this:

C:\Windows\system32\config\sam: Access is denied.
Successfully processed 0 files; Failed processing 1 files

Impact

By accessing a Windows 10 system’s sam, system, and security files on a vulnerable system with at least one VSS shadow copy of the system drive, a local authenticated attacker may be able to achieve LPE, masquerade as other users, or achieve other security-related impacts.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workaround:

Restrict access to sam, system, and security files and remove VSS shadow copies

On vulnerable systems, the Users ACE granting read access to these sensitive files can be removed by executing the following commands:

icacls %windir%\system32\config\sam /remove "Users"
icacls %windir%\system32\config\security /remove "Users"
icacls %windir%\system32\config\system /remove "Users"

Once the ACLs have been corrected for these files, any VSS shadow copies of the system drive must be deleted to protect a system against exploitation. This can be accomplished with the following command, assuming that your system drive is c:

vssadmin delete shadows /for=c: /Quiet

Confirm that VSS shadow copies were deleted by running vssadmin list shadows again. Note that any capabilities relying on existing shadow copies, such as System Restore, will not function as expected. Newly-created shadow copies, which will contain the proper ACLs, will function as expected.
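The following PowerShell script is an added example, not part of the CERT/CC note: it applies the note's two checks together from an administrative session, flagging any of the three hive files that carry an Allow ACE for BUILTIN\Users (well-known SID S-1-5-32-545) with read access and counting VSS shadow copies of the system drive, and with -Remediate it runs the icacls and vssadmin workaround described above. Matching Win32_ShadowCopy.VolumeName against Win32_Volume.DeviceID assumes both classes report the volume GUID path in the same form.

```powershell
# Audit for VU#506989: hive files readable by BUILTIN\Users plus a shadow copy
# of the system drive. Run as administrator; -Remediate applies the workaround.
[CmdletBinding()]
param([switch]$Remediate)

$hives = 'sam', 'security', 'system' | ForEach-Object {
    Join-Path $env:windir "System32\config\$_"
}

# Compare SIDs rather than the localized group name.
$usersSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData

$exposed = @(foreach ($hive in $hives) {
    $acl = Get-Acl -LiteralPath $hive
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        # RX on the note's vulnerable systems includes ReadData, which is what matters.
        if ($sid -eq $usersSid -and $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $readData) -ne 0)) {
            $hive
        }
    }
})

# Assumption: both classes expose the volume as \\?\Volume{GUID}\ so a direct
# string comparison identifies shadow copies of the system drive.
$systemDrive = $env:SystemDrive
$sysVolId = (Get-CimInstance Win32_Volume -Filter "DriveLetter='$systemDrive'").DeviceID
$shadows = @(Get-CimInstance Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $sysVolId })

$result = [PSCustomObject]@{
    ExposedHives     = $exposed
    ShadowCopies     = $shadows.Count
    # Both conditions from the note must hold for the hives to be readable.
    Exploitable      = ($exposed.Count -gt 0 -and $shadows.Count -gt 0)
}
$result | Format-List

if ($Remediate) {
    foreach ($hive in $exposed) {
        icacls $hive /remove "Users" | Out-Null
    }
    if ($shadows.Count -gt 0) {
        vssadmin delete shadows "/for=$systemDrive" /Quiet | Out-Null
    }
    Write-Host "Re-run without -Remediate to confirm ExposedHives is empty and ShadowCopies is 0."
}
```

Remediation deletes existing restore points, as the note states; schedule it where that loss is acceptable.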

Acknowledgements

This vulnerability was publicly disclosed by Jonas Lyk, with additional details provided by Benjamin Delpy.

This document was written by Will Dormann.

Source: CERT.ORG