#HiveNightmare aka #SeriousSAM — anybody can read the registry in Windows 10
source link: https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5
This is the story of how all non-admin users can read the registry, and so elevate privileges and access sensitive credential information, on various flavours of Windows 10. It appears this vulnerability has existed for years, and nobody noticed. In this post I made an exploit to test it.
Press F to pay respects to MSRC (it’s not their fault)
Recently, Jonas tweeted something interesting. What Jonas didn’t realise at the time is that Windows 10 also has the same behaviour when System Protection, aka Shadow Volumes, is enabled, which should be the default in a majority of cases.
This is caused by BUILTIN\Users having read access to c:\Windows\System32\config\SAM.
It shouldn’t. That breaks a security barrier, as the SAM is a sensitive registry hive, and BUILTIN\Users includes non-administrators.
That folder also holds other sensitive registry hives, for example SYSTEM and SECURITY, which BUILTIN\Users can also read.
This has since become CVE-2021-36934.
Creating an exploit
Normally you cannot access the SAM (or the other registry hive files) because they’re in use. To get around this, I used CreateFile to open the device path of the VSC snapshot, which is normally used in recovery situations, in a slightly hacky way:
HANDLE hFile = CreateFile(TEXT("\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SAM"), GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
The exploit is here:
Direct link to compiled binary: https://github.com/GossiTheDog/HiveNightmare/raw/master/Release/HiveNightmare.exe
When run, it creates a copy of the SAM, SECURITY and SYSTEM files in the working folder, accessible to the logged-in, non-admin user.
Here’s a video of how to use my exploit to reach remote code execution as SYSTEM on endpoints:
Mitigations
Microsoft have provided mitigations in their Security Update Guide.
And an article on removing VSC: KB5005357 - Delete Volume Shadow Copies (microsoft.com)
Here is a PowerShell script, which can be deployed via SCCM, to fix the ACL and remove the VSC:
HiveNightmare/Mitigation.ps1 at master · GossiTheDog/HiveNightmare (github.com)
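As an added example (my own script, not the repository's Mitigation.ps1), this PowerShell checks whether a host meets both conditions for exposure, a hive file readable by BUILTIN\Users and an existing shadow copy, and can optionally apply the icacls inheritance reset and shadow-copy deletion from Microsoft's published workaround. It assumes it is run elevated and that Win32_ShadowCopy is queryable on the host.

```powershell
# Added example (not the post's Mitigation.ps1): check whether a host is exposed to
# CVE-2021-36934 and optionally apply Microsoft's ACL workaround. Run elevated to remediate.
param(
    [switch]$Remediate,           # re-enable ACL inheritance on the hive files
    [switch]$RemoveShadowCopies   # also delete existing shadow copies (removes restore points)
)

$configDir = Join-Path $env:windir 'System32\config'
$hives = 'SAM', 'SECURITY', 'SYSTEM'

# True when an Allow ACE grants BUILTIN\Users read access to the file.
function Test-HiveReadableByUsers {
    param([string]$Path)
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $readData) -ne 0)) {
            return $true
        }
    }
    return $false
}

# Exposure needs both conditions: the live hive is locked, so the readable copy is the
# one inside a shadow snapshot, which carries the same permissive ACL.
$shadowCopies = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
$readableHives = @()
foreach ($hive in $hives) {
    if (Test-HiveReadableByUsers -Path (Join-Path $configDir $hive)) { $readableHives += $hive }
}
$summary = if ($readableHives) { $readableHives -join ', ' } else { 'none' }
Write-Host "Hives readable by BUILTIN\Users: $summary"
Write-Host "Shadow copies present: $($shadowCopies.Count)"
if ($readableHives.Count -gt 0 -and $shadowCopies.Count -gt 0) {
    Write-Warning 'Exposed: hive files are readable by non-admins and a shadow copy exists.'
} else {
    Write-Host 'Not currently exposed (restrictive ACL or no shadow copies).'
}

if ($Remediate) {
    # Microsoft's published workaround: re-enable inheritance on everything under config\,
    # so the files pick up the restrictive ACL of the parent folder again.
    & icacls "$configDir\*.*" /inheritance:e
    if ($RemoveShadowCopies) {
        # Existing snapshots still contain the old ACL, so they have to go as well.
        & vssadmin delete shadows "/for=$($env:SystemDrive)" /all /quiet
    }
}
```

New shadow copies created after the ACL reset inherit the corrected permissions, so the deletion only needs to cover snapshots taken while the files were exposed.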
Here is a blog on how to deploy our mitigation in Microsoft Endpoint Manager:
Detection
Your EDR tools should have logic to look for SAM files being accessed; it is worth asking your EDR vendors for confirmation and detection names.
In the meantime, here are some custom detections:
Microsoft Defender for Endpoint
Mcafee EDR block rule
ThreatHunting/CVE-2021-36934-HiveNightmare-Mcafee at master · GossiTheDog/ThreatHunting (github.com)
Azure Sentinel
Impacted platforms
All Windows 10 releases from the last 3 years. US-CERT dates the issue to 2018. Microsoft’s MSRC advisory says all Windows 10 versions since 1809.
One thing of note: certain actions create a system recovery point (for example, installing 7-Zip did on my gaming PC), which appears to be a factor.
Patching
There are no patches; it’s a zero day.
Don’t panic
As with all things security, don’t panic. It’s just another vulnerability. There’s also still an outstanding, unpatched Print Spooler zero day.
… and have you finished July’s patching? Really?
My take: ask your EDR vendors for detection, chill, and keep up the fight.
Also, yes, Microsoft really need to look at resourcing on MSRC and Windows OS engineering. Microsoft can’t boast about being a $10bn security company while watching their own products burn down. I mean, they can, but they shouldn’t.
Updates
20/07/2021
US CERT have issued a Vulnerability Note:
21/07/2021
Microsoft have issued a CVE, CVE-2021-36934, and a workaround:
22/07/2021
Added custom detections and mitigation script.