SeriousSAM aka HiveNightmare vulnerability — Local Privilege Escalation on Windows 10

Nitin Jyoti
Published in AttivoTechBlogs
3 min read · Jul 22, 2021

Microsoft confirmed a new vulnerability that allows any non-admin user to access local user password hashes on Windows 10. This vulnerability got exposed on the heels of the PrintNightmare vulnerability reported a few days ago. While the world grapples with how one could protect against or mitigate the risks of this vulnerability, one must wonder if it is even fair to expect convenience and advancement in software without vulnerabilities in software. After all, humans write the code, and they make mistakes.

This blog discusses the vulnerability, looks at the associated risks, considers what kinds of security controls could detect or prevent attackers leveraging it, and ends with a description of an innovative approach to protecting Windows 10 users.

What is the SeriousSAM vulnerability?

The vulnerability got exposed when Jonas Lyk tweeted about non-admin users on Windows 11 Preview builds accessing the SAM file when shadow volumes are enabled. Soon after that, several other researchers confirmed that the vulnerability also impacts Windows 10 versions starting with build 1809. The security researcher fraternity soon named the bug SeriousSAM and HiveNightmare. The security researcher community put together a couple of POC exploits for others to validate and verify, followed shortly after by a CERT announcement and official acknowledgment from Microsoft.

The bug opens access to VSS shadow copies of the on-disk registry hives for SAM, SECURITY, and SYSTEM to any user belonging to the “BUILTIN\Users” group. Normally these files are protected, and only users with admin privileges can read them. The three files exposed by this bug, listed below, are the ones that matter from a security perspective.

C:\Windows\System32\config\SAM
C:\Windows\System32\config\system
C:\Windows\System32\config\security

What can an attacker do with this vulnerability?

Once an attacker establishes a foothold on a system, they could easily achieve the following using this vulnerability:

  1. Escalate privileges to Local admin
  2. Discover Windows Default Installation Password
  3. Obtain DPAPI computer keys which can help decrypt all other private keys within the computer
  4. Obtain a Silver Ticket (could be a stepping stone to Domain Admin)

How can one protect or mitigate this vulnerability?

The security community has offered several methods to address the vulnerability, ranging from changing ACL permissions on the files to creating rules in endpoint products that prevent access to the impacted files. However, one should also think about how an Active Defense approach could protect against such attacks. The Attivo EDN solution offers capabilities that protect against access to critical information within the system. This information could be critical files (such as shadow copies of registry hives) or credential stores. Such a capability helps lock down access to all critical information. This specific vulnerability is covered by the EDN suite out-of-the-box.
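The ACL change mentioned above is Microsoft's published workaround for this bug: restore inheritance on the contents of the config directory so the BUILTIN\Users read entry disappears, then remove the shadow copies that still carry the old permissions. The following PowerShell script is an added example written for this post; it is not code from the original article or from the Attivo product. It audits the three hive files named in the post for a BUILTIN\Users read entry, counts existing shadow copies, and, when run from an elevated prompt with `-Fix`, applies the workaround. The use of `$env:SystemRoot` and `$env:SystemDrive` and the script name in the usage note are assumptions.

```powershell
# Added example (not from the original post or the Attivo product): audit the on-disk
# hive files for the over-permissive ACL behind SeriousSAM and, with -Fix, apply
# Microsoft's published workaround. Assumes $env:SystemRoot is the Windows directory.
param([switch]$Fix)

$hives = @(
    "$env:SystemRoot\System32\config\SAM",
    "$env:SystemRoot\System32\config\SYSTEM",
    "$env:SystemRoot\System32\config\SECURITY"
)

function Test-HiveExposure {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        # Get-Acl reads the security descriptor only; it does not open the (locked) hive data.
        $acl = Get-Acl -LiteralPath $p
        $usersRead = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band
              [int][System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)
        }
        [pscustomobject]@{
            Path         = $p
            UsersCanRead = [bool]$usersRead                            # $true = vulnerable ACL
            Inherited    = [bool]($usersRead | Where-Object IsInherited) # the (I)(RX) entry icacls shows
        }
    }
}

function Get-ShadowCopyCount {
    # A shadow copy snapshots the ACL as it was at snapshot time, so old snapshots
    # stay readable by non-admins even after the live file's ACL is fixed.
    @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
}

$report = Test-HiveExposure -Paths $hives
$report | Format-Table -AutoSize
$shadows = Get-ShadowCopyCount
Write-Host "Shadow copies present: $shadows"

if (($report.UsersCanRead -contains $true) -or ($shadows -gt 0)) {
    Write-Warning "Exposed: non-admin read on a hive file and/or shadow copies with the old ACL."
}

if ($Fix) {
    # Microsoft's workaround, step 1: restore ACL inheritance on the config directory contents.
    icacls "$env:SystemRoot\System32\config\*.*" /inheritance:e
    # Step 2: delete existing shadow copies (this also discards System Restore points).
    vssadmin delete shadows "/for=$env:SystemDrive" /quiet
    Test-HiveExposure -Paths $hives | Format-Table -AutoSize
}
```

Run it as `.\Test-SeriousSam.ps1` to audit and `.\Test-SeriousSam.ps1 -Fix` from an elevated prompt to remediate; a host is only clean when every `UsersCanRead` is `False` and the shadow-copy count is zero, because the snapshot keeps whatever ACL the file had when it was taken.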

Here is how a run of Kevin Beaumont’s POC exploit looks on a vulnerable Windows 10 endpoint without the Attivo EDN solution:

And here is how it looks on the same system after installing the Attivo EDN solution:

Meanwhile, the Attivo ThreatDefend platform captures the attempt and its prevention in the console as below:
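Organisations without a dedicated product can still get visibility into reads of these files with built-in Windows object-access auditing. The script below is an added example for this post, not code from the original article or from the Attivo platform. It places an audit SACL on the three hive files so that successful reads are recorded as Security event 4663, then queries those events and flags the ones that came through a shadow-copy device path. The `Everyone` principal, the 24-hour default window, and the regular expression on the object name are assumptions; it must run from an elevated prompt.

```powershell
# Added example (not from the original post or the Attivo product): audit-log reads of the
# SAM/SYSTEM/SECURITY hive files as Security event 4663 and report who read them.
$hives = @(
    "$env:SystemRoot\System32\config\SAM",
    "$env:SystemRoot\System32\config\SYSTEM",
    "$env:SystemRoot\System32\config\SECURITY"
)

function Enable-HiveReadAuditing {
    param([string[]]$Paths)
    # Policy side: success auditing for the "File System" object-access subcategory.
    auditpol /set /subcategory:"File System" /success:enable | Out-Null
    foreach ($p in $Paths) {
        # Object side: a SACL entry that audits any successful ReadData on the hive file.
        # Only shadow copies taken AFTER this point carry the SACL; older ones do not.
        $acl  = Get-Acl -LiteralPath $p -Audit
        $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone', 'ReadData', 'Success')
        $acl.AddAuditRule($rule)
        Set-Acl -LiteralPath $p -AclObject $acl
    }
}

function Get-HiveReadEvents {
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\\Windows\\System32\\config\\(SAM|SYSTEM|SECURITY)\b' } |
        ForEach-Object {
            # Read the named EventData fields from the event XML instead of relying on positions.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process   = $d.ProcessName
                Object    = $d.ObjectName
                ViaShadow = $d.ObjectName -like '*HarddiskVolumeShadowCopy*'
            }
        }
}

Enable-HiveReadAuditing -Paths $hives
Get-HiveReadEvents -Hours 24 | Format-Table -AutoSize
```

Expect legitimate entries from backup software and the SYSTEM account; the rows worth an analyst's attention are reads by an ordinary user account, especially where `ViaShadow` is `True`, since that is exactly the access path this bug exposes. Because a snapshot freezes the SACL along with the DACL, auditing only covers shadow copies created after the rule is applied, which is one more reason the workaround removes the existing ones.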

Conclusion

An Active Defense approach to protecting against such attacks would be to adopt a zero trust model and control access within the system. A world without vulnerabilities might not be possible, but an approach that assumes breach and locks down access to resources (devices, files, registry, credential stores, password vaults, …) based on policies could go a long way toward future-proofing against attacks.
