Jump to content

Microsoft Windows 10 gives unprivileged user access to SAM, SYSTEM, and SECURITY files


itman

Recommended Posts

 

Quote

 

Vulnerability Note VU#506989

Original Release Date: 2021-07-20 | Last Revised: 2021-07-20

Overview

Starting with Windows 10 build 1809, non-administrative users are granted access to SAM, SYSTEM, and SECURITY registry hive files. This can allow for local privilege escalation (LPE).

Description

Starting with Windows 10 build 1809, the BUILTIN\Users group is given RX permissions to the following files:

c:\Windows\System32\config\sam
c:\Windows\System32\config\system
c:\Windows\System32\config\security

If a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to achieve a number of impacts, including but not limited to:

  • Extract and leverage account password hashes.
  • Discover the original Windows installation password.
  • Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.
  • Obtain a computer machine account, which can be used in a silver ticket attack.

 

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...