Microsoft has disclosed a workaround for an elevation of privilege flaw affecting all versions of Windows 10. The issue could allow an attacker to access data and create new accounts. The flaw was disclosed this week by the Redmond company itself, is tracked as CVE-2021-36934, and can allow an attacker to execute arbitrary code with SYSTEM privileges. It is an important vulnerability, although an attacker must already have found a way to execute code on the target system in order to exploit it.
The issue specifically affects the Security Accounts Manager (SAM) database in all versions of Windows 10 since 1809. This is a key component of Windows 10, since it is where user accounts, credentials and domain information are stored. Credentials are stored in the SAM as hashes, but the flaw allows attackers to read those hashes and try to crack them. Since the details of the vulnerability are publicly available, it is advisable to act promptly with appropriate countermeasures.
The vulnerability was identified by researcher Jonas Lyk, who nicely baptized it “SeriousSAM”. The discovery was fortuitous: while Lyk was running tests on the upcoming Windows 11, he noticed that although the operating system restricted access to the files containing sensitive elements for users with limited privileges, copies of those files were saved in the backups created by the Volume Shadow Copy feature, which takes snapshots of the computer's files during file system operations. The flaw also extends to the System and Security files.
Microsoft explains: “An elevation of privilege vulnerability exists due to overly permissive access control lists (ACLs) on multiple system files, including the Security Accounts Manager database.” In practice, put simply, any authenticated user is able to extract the credentials stored in the cache and then try to crack them or use them in a pass-the-hash procedure, depending on the context.
The United States CERT also points out other unpleasant consequences that can derive from exploitation of the vulnerability, including the possibility of obtaining the DPAPI keys, which allow an attacker to decrypt all of the system's private keys.
As for workarounds, Microsoft recommends restricting access to %windir%\system32\config and deleting the copies made by the Volume Shadow Copy service.
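As an added illustration (not code from the article, from Microsoft or from the researcher), the following PowerShell script checks a Windows 10 machine for the overly permissive hive ACLs described above, lists the existing shadow copies that may still hold readable copies, and wraps the two workaround steps in a function; it assumes an elevated session, and the function and variable names are ours.

```powershell
# Added example, not from the article: audit the SAM/SYSTEM/SECURITY hive ACLs for
# the CVE-2021-36934 condition and apply Microsoft's documented workaround on request.
# Assumes an elevated PowerShell session on Windows 10.

$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SYSTEM', 'SECURITY'
$usersSid  = 'S-1-5-32-545'   # well-known SID for BUILTIN\Users
$readData  = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Test-HiveExposure {
    foreach ($name in $hives) {
        $path = Join-Path $configDir $name
        # Reading the security descriptor needs only READ_CONTROL, so it works even
        # though the hive file itself is locked by the kernel.
        $acl   = Get-Acl -LiteralPath $path
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        # An Allow ACE for BUILTIN\Users carrying the ReadData bit is the overly
        # permissive entry (icacls shows it as "BUILTIN\Users:(I)(RX)").
        # Generic access rights are not decoded here.
        $exposed = $rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $usersSid -and
            (([int]$_.FileSystemRights -band $readData) -ne 0)
        }
        [pscustomobject]@{ Hive = $name; Path = $path; ReadableByUsers = [bool]$exposed }
    }
}

function Get-ShadowCopySummary {
    # Snapshots keep the ACLs the files had when they were taken, so fixing the
    # live ACL alone does not close the exposure.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, InstallDate, VolumeName, DeviceObject
}

function Invoke-SeriousSamWorkaround {
    # Step 1: re-enable ACL inheritance on the hive files so they pick up the
    # restrictive permissions of the config directory.
    icacls "$configDir\*.*" /inheritance:e
    # Step 2: delete the shadow copies that still contain the permissive copies.
    # Caveat: this also removes System Restore points for the volume.
    vssadmin delete shadows "/for=$($env:SystemDrive)" /quiet
}

Test-HiveExposure    | Format-Table -AutoSize
Get-ShadowCopySummary | Format-Table -AutoSize
# Invoke-SeriousSamWorkaround   # run deliberately after reviewing the output above
```

A machine that has received the fix should report ReadableByUsers as False for all three hives; a True entry, or any snapshot dated before the ACL was corrected, means the workaround is still needed.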