Serious Sam
In the age where bug bounties have become an enormous and necessary cash cow, this is a reminder that sometimes the KISS (keep it simple, stupid) principle still applies to vulnerability research. A well-known researcher discovered a ten-year-old vulnerability in Windows 10 that allows credentials to be dumped from Windows 10 devices running the latest updates.
The Scoop
Benjamin Delpy, the creator of Mimikatz, was poking around the new Windows 11 when he found something interesting. The SAM database had the 'builtin' Users group in its access control list. In plain English, any standard user would be able to read the database.
SAM stands for Security Account Manager. It stores hashed credentials, that kind of thing. You can find it lurking at %SystemRoot%\System32\config\SAM. Can't access it? Good! You need to be an administrator. Try running icacls c:\windows\system32\config\SAM in a command prompt.
Icacls is a command-line utility for modifying permissions, and it can also be used to check the permissions on a file. If you run the command, you will probably find what I did: that your SAM database is indeed readable and executable by the builtin Users group. At this point you reach for a drink. Not during work hours, of course. During work hours you reach for that alcohol-free vodka.
Benjamin assumed the flaw was a Windows 11 pre-release issue, until he looked at other Windows 10 devices and found the same problem. Not only did he find the flaw in the SAM access control list, he also found it on the SECURITY and SYSTEM files. He also looked back at earlier versions of Windows 10 and speculated that this vulnerability may have been years old.
Benjamin made a shout out, and several savvy security researchers immediately released exploits. These exploits essentially read the SAM, SECURITY and SYSTEM files and write their contents out to files that you can then break open with other tools.
Do try this at home
Want to try out the exploit? First create a Windows virtual machine. Never run exploits on your own device, as researchers may pack in code that sends information back to their servers. Sometimes they may even incorporate a reverse shell into the file that allows them to control your device. Not all of them have bad intentions; some want to discover which threat actors are using their tools. Remember: you're only paranoid if you are wrong. When all necessary prophylactics are in place, surf to:
https://github.com/GossiTheDog/HiveNightmare/raw/master/Release/HiveNightmare.exe and execute the file as a standard user.
Remember to right-click, open Properties and tick Unblock before you run it. Windows dislikes executables. This bypassed Windows Defender, but don't be surprised if it gets blocked when you try.
As Benjamin is fond of saying, "Voilà".
You should be presented with 3 files that you can read, move and process at your leisure.
Want to pull out the credentials? Easy enough: fire up Impacket's secretsdump and execute this simple command:
python3 secretsdump.py -sam SAM-haxx -system SYSTEM-haxx -security SECURITY-haxx LOCAL
Want to know more about Impacket? Google is your friend. Suffice it to say Impacket has a dozen or more core security tools used by threat actors and security teams alike.
The fix is in
So how do we fix this? You can't. It's a zero-day, meaning there isn't a fix at the time of writing. The good news is that there is a workaround, and the workaround is this: delete your volume shadow copies and restore the inherited permissions on the hive files.
You can execute the following commands:
vssadmin delete shadows /all
icacls %windir%\system32\config\*.* /inheritance:e
You will note that the permissions get changed on:
processed file: C:\Windows\system32\config\Journal
processed file: C:\Windows\system32\config\RegBack
processed file: C:\Windows\system32\config\SAM
processed file: C:\Windows\system32\config\SAM.LOG1
processed file: C:\Windows\system32\config\SAM.LOG2
processed file: C:\Windows\system32\config\SECURITY
processed file: C:\Windows\system32\config\SECURITY.LOG1
processed file: C:\Windows\system32\config\SECURITY.LOG2
processed file: C:\Windows\system32\config\SOFTWARE
processed file: C:\Windows\system32\config\SOFTWARE.LOG1
processed file: C:\Windows\system32\config\SOFTWARE.LOG2
processed file: C:\Windows\system32\config\SYSTEM
processed file: C:\Windows\system32\config\SYSTEM.LOG1
processed file: C:\Windows\system32\config\SYSTEM.LOG2
When you try to execute the exploit again, read access has been blocked.
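To check a machine for the weak ACL described above (the icacls check) and to confirm the workaround took, here is an added PowerShell audit script; it is not from the original post, and the hive paths are the ones the post lists. Run it from an elevated prompt, since listing shadow copies needs admin rights.

```powershell
# Added example, not from the original post: report whether the SAM, SECURITY and SYSTEM
# hive files still grant read access to standard users, and whether any shadow copies
# (which would still hold the old, readable copies of the hives) remain on the box.
$hives = @('SAM', 'SECURITY', 'SYSTEM') |
    ForEach-Object { Join-Path $env:SystemRoot "System32\config\$_" }

function Test-HiveExposure {
    param([string[]]$Paths)
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($path in $Paths) {
        $acl = Get-Acl -Path $path
        # Any Allow ACE for the builtin Users group (or Authenticated Users) that carries
        # the ReadData bit is the condition the post describes. Generic rights
        # (GENERIC_READ etc.) are not mapped here, so treat a clean result as a first pass.
        $weak = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -in @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users') -and
            (([int]$_.FileSystemRights -band $readData) -ne 0)
        }
        [pscustomobject]@{
            Path    = $path
            Exposed = [bool]$weak
            Rights  = ($weak | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
        }
    }
}

function Get-ShadowCopyCount {
    # The workaround in the post deletes shadow copies; after it runs this should be 0.
    (Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue | Measure-Object).Count
}

Test-HiveExposure -Paths $hives | Format-Table -AutoSize
"Shadow copies present: $(Get-ShadowCopyCount)"
```

Before the workaround the Exposed column should read True for all three hives; after vssadmin and icacls /inheritance:e it should read False with zero shadow copies.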
Is there anybody out there?
Microsoft recently created a CVE for this vulnerability, and it's likely that heads are spinning at their head office. You can follow the progress on resolving the vulnerability at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934. We should note that the vulnerability also affects Server 2019.
Detection Opportunities?
A tricky one to detect, due to the potential for false positives. We are currently pushing out correlation rules to detect read access to the SAM database, but they have a prerequisite: SAM auditing must be enabled in group policy, and this is generally not enabled due to the high volume of alerts. We are monitoring the CVE and testing detection rules.
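As an added illustration of the detection idea above (not the author's correlation rule), the script below pulls object-access events for the three hive files from the local Security log and drops the expected system readers. It assumes the auditing prerequisite the post mentions is already in place: object-access auditing for the file system enabled and a SACL set on the hive files, otherwise event 4663 is never written.

```powershell
# Added example, not from the original post: surface non-system reads of the SAM, SECURITY
# and SYSTEM hive files from Security event 4663 ("An attempt was made to access an object").
# Assumes object-access auditing and a SACL on the hive files are already configured.
function Get-HiveAccessEvents {
    param([int]$Hours = 24)
    $hivePattern = '\\System32\\config\\(SAM|SECURITY|SYSTEM)$'
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4663
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectName'] -notmatch $hivePattern) { continue }

        # The OS itself (SYSTEM, logged with the machine account "HOST$") touches these files
        # constantly and is the main source of the false positives the post warns about.
        # A reader running as an ordinary user session is the interesting signal.
        $subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        if ($subject -eq 'NT AUTHORITY\SYSTEM' -or $data['SubjectUserName'] -like '*$') { continue }

        [pscustomobject]@{
            Time       = $e.TimeCreated
            Subject    = $subject
            Process    = $data['ProcessName']
            Object     = $data['ObjectName']
            AccessMask = $data['AccessMask']
        }
    }
}

Get-HiveAccessEvents -Hours 24 | Format-Table -AutoSize
```

Tune the subject filter to your own backup and EDR agents before turning this into an alert, since they are legitimate readers too.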
Just before you rush off to delete your volume shadow copies, remember that the credentials are stored as hashes. This means they have a layer of protection to stop people stealing them directly from the database.
The attacker must still run those hashes through their cracking framework. It takes under 5 minutes to crack a weak 8-character password.
So long as you didn't use an 8-character password... a really weak 8-character password, like your company name... you should be fine.
You're fine, right? You didn't use P@ssw0rd as your password, or Summer2021, or anything like that. Right?