CVE-2021-36934 Windows Elevation of Privilege Vulnerability
Vulnerability description
On July 20, Microsoft confirmed a new local privilege escalation vulnerability, known to security researchers as HiveNightmare or SeriousSAM, which allows low-privileged users to read Windows system files. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges, and could then install programs; view, change, or delete data; or create new accounts with full user rights. An authenticated attacker could exploit this vulnerability to run arbitrary code with SYSTEM privileges on the target device.
According to the advisory Microsoft issued, the local privilege escalation vulnerability exists because of overly permissive access control lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database.
Through this vulnerability an attacker can read the files in the %windir%\system32\config directory. Normally the registry hive files, including SAM, are held open by the operating system, so when a user tries to access them directly an access violation is reported because the file is opened and locked by another process.
However, because the registry hive files (including SAM) are usually captured in Windows shadow copies, an attacker can read them from a shadow copy without triggering that error.
The net result is that if a VSS shadow copy of the system drive is available, a low-privileged user can exploit this vulnerability to read the registry hives and:
- Extract and exploit account passwords
- Discover the original Windows installation password
- Get the DPAPI computer key, which can be used to decrypt all computer private keys
- Obtain the computer account credentials, which can be used in silver ticket attacks
At present a PoC and exploit have been made public; the public PoC can read SAM and other hive files from a low-privileged account.
Environment setup
Target machine system image download link:
ed2k://|file|cn_windows_10_business_editions_version_1809_updated_sept_2019_x64_dvd_f873d037.iso|5444462592|BF3C1964141BCF6ACD40EC6AAF2A0940|/
For the procedure of installing VMware and creating a Windows virtual machine in it, please search Baidu.
If your system is in the affected range (see the list below) and you want to know whether it is vulnerable, run the following command from a low-privilege command prompt:
icacls c:\windows\system32\config\sam
If the output is "Access is denied", the system is not vulnerable.
If you see BUILTIN\Users:(I)(RX) in the output, your system is vulnerable (RX stands for Read/Execute permission).
Vulnerability impact
- Windows 10 Version 20H2 for ARM64-based Systems
- Windows 10 Version 20H2 for 32-bit Systems
- Windows 10 Version 20H2 for x64-based Systems
- Windows 10 Version 2004 for x64-based Systems
- Windows 10 Version 2004 for ARM64-based Systems
- Windows 10 Version 2004 for 32-bit Systems
- Windows 10 Version 21H1 for 32-bit Systems
- Windows 10 Version 21H1 for ARM64-based Systems
- Windows 10 Version 21H1 for x64-based Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1809 for ARM64-based Systems
- Windows 10 Version 1809 for x64-based Systems
Vulnerability reproduction
Exploit download address: https://github.com/GossiTheDog/HiveNightmare
The author has also published a compiled exploit: https://github.com/GossiTheDog/HiveNightmare/releases/tag/0.6
Copy the HiveNightmare.exe compiled by the author directly to the target system and run it.
Note: exporting SAM in a virtual machine may fail with an error.
This is because system protection may not be enabled in the virtual machine, so no system restore point is created automatically. In that case enable system protection and create a restore point manually: right-click This PC -> Properties -> System Protection -> Configure -> Turn on system protection.
Then click "Create" to set a restore point.
Then run
vssadmin list shadows
to confirm that a volume shadow copy now exists.
Now run HiveNightmare.exe again to export SAM; this time the export succeeds.
Next, secretsdump.py from the impacket package in Kali can be used to dump the hashes of all accounts on the target machine.
First change to the impacket examples directory:
cd /usr/share/doc/python3-impacket/examples
Then copy the three files exported from the target host into the same directory, as shown in the figure:
Then execute the following command to dump the hashes:
python3 secretsdump.py -sam SAM-2023-07-12 -system SYSTEM-2023-07-12 -security SECURITY-2023-07-12 LOCAL
Fix
We recommend installing this security update as soon as possible. If you have to delay installing it, the following workarounds are recommended:
Restrict access to the contents of %windir%\system32\config
Command Prompt (run as administrator): icacls %windir%\system32\config\*.* /inheritance:e
Windows PowerShell (run as administrator): icacls $env:windir\system32\config\*.* /inheritance:e
Delete Volume Shadow Copy Service (VSS) shadow copies
Delete any system restore points and shadow volumes that existed before the %windir%\system32\config access restriction.
Create a new system restore point (if needed)
WARNING: Restoring your system from a backup may also restore the overly permissive ACLs, returning the system to a vulnerable state. After restoring a backup, verify that the ACLs are correct to ensure that the restore operation has not reintroduced this vulnerability.
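The icacls check from the "Environment setup" section and the two workaround steps above, combined into one audit-and-remediate script. This is an added example, not code from the original post or from Microsoft's advisory; the script name and the -Remediate switch are assumptions, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example (not part of the original post): audit one host for
# CVE-2021-36934 and, with -Remediate, apply Microsoft's published workaround.
# Run from an elevated PowerShell prompt. -Remediate is a switch chosen here.
[CmdletBinding()]
param([switch]$Remediate)

$configDir = Join-Path $env:windir 'system32\config'
$hiveNames = 'SAM', 'SECURITY', 'SYSTEM'
$readData  = [System.Security.AccessControl.FileSystemRights]::ReadData

# A hive is over-permissioned when BUILTIN\Users holds an Allow ACE that
# includes ReadData; icacls shows this as BUILTIN\Users:(I)(RX).
function Test-HiveReadableByUsers {
    param([string]$HivePath)
    $acl = Get-Acl -LiteralPath $HivePath
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $readData) -eq $readData)) {
            return $true
        }
    }
    return $false
}

$exposed = @(foreach ($n in $hiveNames) {
    if (Test-HiveReadableByUsers -HivePath (Join-Path $configDir $n)) { $n }
})
# The weak ACL is only exploitable if a shadow copy holds a copy of the hives.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    ExposedHives = ($exposed -join ', ')
    ShadowCopies = $shadows.Count
    Exploitable  = ($exposed.Count -gt 0 -and $shadows.Count -gt 0)
}

if ($Remediate -and $exposed.Count -gt 0) {
    # Workaround step 1: re-enable inheritance so the hives drop the extra
    # BUILTIN\Users ACE and take the restrictive ACL of the config directory.
    & icacls "$configDir\*.*" /inheritance:e
    # Workaround step 2: delete the shadow copies that still contain readable hives.
    & vssadmin delete shadows "/for=$env:SystemDrive" /quiet
    # Re-check so the operator sees the post-fix state of each hive.
    foreach ($n in $hiveNames) {
        $ok = -not (Test-HiveReadableByUsers -HivePath (Join-Path $configDir $n))
        Write-Host ("{0}: {1}" -f $n, $(if ($ok) { 'ok' } else { 'STILL EXPOSED' }))
    }
}
```

Run it without -Remediate first to record the pre-fix state; after a system restore, run it again, since the warning above notes that a restore can bring the permissive ACLs back.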