Microsoft warns of Windows 10 leak that gives attacker SYSTEM rights

Microsoft warns of Windows 10 leak that gives attacker SYSTEM rights

Microsoft warns of a new vulnerability in Windows 10 that could allow an attacker who already has access to a computer to gain SYSTEM privileges and completely take over the system. The problem is caused by standard users from Windows 10 build 1809 having access to SAM, SYSTEM and SECURITY files. This allows "local privilege escalation" (LPE) and allows an attacker to increase his privileges.

The problem is that the aforementioned files provide access to all kinds of confidential data, such as hashed passwords. By default, they are not accessible to non-administrators. However, when a VSS shadow copy of the system disk is available, a standard user can still access the aforementioned files, when they really shouldn't be able to.

For example, it is possible to retrieve password hashes of accounts, to find the Windows installation password and to obtain DPAPI keys with which all private keys used on the computer can be decrypted. Furthermore, control over a machine account can be gained that can be used for a so-called " silver ticket " attack, the CERT Coordination Center ( CERT/CC ) of Carnegie Mellon University warns.

The vulnerability is referred to as CVE-2021-36934 but is also known as HiveNightmare and SeriousSAM. According to the CERT/CC, there is not yet a "practical solution" to the problem. As a temporary workaround, it is recommended to restrict access to SAM, SYSTEM, and SECURITY files and remove System Restore points and shadow volumes. Deleting shadow copies can affect system recovery, Microsoft says.

Previous Post Next Post