TL;DR
No, it’s not a new Dr. Seuss story – it’s a recently discovered zero-day exploit (CVE-2021-36934, known as HiveNightmare or SeriousSam) that allows an attacker to read the contents of a Security Account Manager (SAM) file on Windows 10 and 11 systems with non-administrator user privileges. In the Assura’s Take section, we provide two mitigation options: 1. Restrict the access to the contents of “%windir%\system32\config” and 2. Delete Volume Shadow Copy Service (VSS) shadow copies.
Note: Deleting shadow copies may impact restore operations, including the ability to restore data with third-party backup applications.
Overview
Recently, on 7/20/2021, community researchers reported a vulnerability where the SAM database on Windows 10 and 11 Systems was READ-enabled for all local users. Attackers with a foothold on a system can access the contents of the SAM file and use this information to escalate privileges and move throughout their target environment. Windows reports that the existence of this vulnerability is due to overly permissive Access Control Lists (ACLs) on multiple system files, including the SAM database.
CVE-2021-36934, aka HiveNightmare/SeriousSam, affects Windows 10 version 1809 and newer operating systems. An attacker who successfully exploits the vulnerability could potentially run arbitrary code with SYSTEM privileges. With SYSTEM privileges, an attacker can install programs; view, change or delete data; and even create a new account with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability.
What do we know about this attack?
On 7/19/2021, a Twitter user named “Jonas L” reported that a Windows 11 SAM file is READ-enabled for users. Jonas said that this issue exists if Shadow Volumes is enabled, which it is by default in most instances. This would become CVE-2021-36934.
Kevin Beaumont, @Grossithedog, created a proof-of-concept exploit for this vulnerability and provides a great writeup of the exploit here: https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5
Kevin’s exploit can be found here: https://github.com/GossiTheDog/HiveNightmare
The vulnerability is due to BUILTIN\Users having read access to c:\Windows\System32\config\SAM. This shouldn’t be the case, and it causes a security issue because the SAM is a sensitive registry hive, and BUILTIN\Users includes non-administrators. The folder also contains other sensitive registry hives including, SYSTEM, SECURITY, etc., which BUILTIN\Users can access.
The prerequisites for this exploit to work include having “System Protection Enabled,” and at least one Shadow copy or system restore point saved. There are certain files that need to be accessed to pull out the NTLM hashes that can’t be accessed because the system is running. Kevin designed the exploit to work around this by looking through the backups that have already been taken of those files. He used CreateFile to access the device path to the VSC snapshot.
YouTube channel “Infinite Logins” put together a video of this exploit in action. View it here: https://www.youtube.com/watch?v=5zdIq6t3DOw&t=5s
When the HiveNightmare.exe file is run, it will create a copy of the SAM, SECURITY and SYSTEM files in the working folder, which is accessible to a non-admin user who is logged in.
Once the attacker has the SAM, SECURITY, and SYSTEM files, they can open them in a Kali for extraction. The NTLM hashes can be extracted by opening a terminal and using the following command:
python3 secretsdump.py -sam SAM-haxx -system SYSTEM-haxx -security SECURITY-haxx LOCAL
With the gathered SAM hashes, the attacker can now attempt to crack them using tools such as Hashcat or can use pass-the-hash techniques to elevate to SYSTEM.
Assura’s Take
As of now, there are no patches available for this vulnerability. However, Windows has created workarounds for the time being. The recommendations from Windows are as follows:
Restrict access to the contents of %windir%\system32\config
Command Prompt (Run as administrator): icacls %windir%\system32\config\*.* /inheritance:e
Windows PowerShell (Run as administrator): icacls $env:windir\system32\config\*.* /inheritance:e
Delete Volume Shadow Copy Service (VSS) shadow copies
- Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
- Create a new System Restore point (if desired).
Impact of workaround
Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications. For more information on how to delete shadow copies, see KB5005357- Delete Volume Shadow Copies.
Note: You must restrict access and delete shadow copies to prevent exploitation of this vulnerability.
It’s important to weigh the risk versus reward for your particular environment, because system restore may be a critical component of your backup procedures.
References:
CVE-2021-36934 – Security Update Guide – Microsoft – Windows Elevation of Privilege Vulnerabilityhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934
Microsoft SAM File Readability CVE-2021-36934: What You Need to Know | Rapid7 Blog https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/
#HiveNightmare aka #SeriousSAM — anybody can read the registry in Windows 10 | by Kevin Beaumont | Jul, 2021 | DoublePulsar https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5
Abusing HiveNightmare (SeriousSam) LPE – Escalating to SYSTEM | CVE-2021-36934 – YouTube https://www.youtube.com/watch?v=5zdIq6t3DOw&t=5s