Benjamin Delpy Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/benjamin-delpy/

Vulnerability in Windows 10 could allow gaining administrator privileges
https://gridinsoft.com/blogs/vulnerability-in-windows-10/
Thu, 22 Jul 2021 16:48:28 +0000

Last weekend, the well-known cybersecurity researcher Jonas Lykkegaard reported a rather serious vulnerability in Windows 10.

All versions of Windows 10 released in the last 2.5 years (as well as Windows 11) are vulnerable to an issue dubbed SeriousSAM and HiveNightmare. Because of this bug, an attacker can elevate their privileges and gain access to the passwords of user accounts.

The vulnerability relates to how Windows 10 controls access to files such as SAM, SECURITY, and SYSTEM:

  • C:\Windows\System32\config\sam
  • C:\Windows\System32\config\security
  • C:\Windows\System32\config\system

Let me remind you that these files store information such as hashed passwords for all Windows user accounts, security-related settings, encryption key data, and other important information about the OS kernel configuration. If a potential attacker can read these files, the information obtained will help them gain access to user passwords and critical system settings.

Normally, only a Windows administrator can interact with these files. However, while testing Windows 11, the expert noticed that although the OS prevents non-administrator users from opening these files directly, copies of them remain readable in Volume Shadow Copies. Moreover, as it turned out, this problem appeared in the Windows 10 code back in 2018, after the release of version 1809.

Access to the Security Account Manager (SAM) configuration file is always a serious problem, since an attacker can steal hashed passwords, crack those hashes, and hijack accounts. Even worse, SYSTEM and SECURITY also contain other, equally sensitive data, including DPAPI encryption keys and machine account details (used to join computers to Active Directory). The creator of Mimikatz, Benjamin Delpy, recorded a demonstration of such an attack.

Microsoft has already acknowledged the problem and assigned it the ID CVE-2021-36934.

The privilege escalation vulnerability works because of excessive permissions on Access Control Lists (ACLs) on several system files, including the Security Accounts Manager (SAM) database.

[After a successful attack] an attacker will be able to install programs, view, modify or delete data, create new accounts with full user rights. To exploit the vulnerability, an attacker must be able to execute code on the victim’s system, Microsoft representatives wrote.

Microsoft is still investigating the issue and working on a patch, which will most likely be released as an emergency security update later this week. For now, the company only recommends restricting access to the affected folder and deleting shadow copies.
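The two conditions the bug needs (an over-permissive ACL on the hive files and readable shadow copies) can be checked from an elevated PowerShell session. This is an added example, not code from the post or from Microsoft; the file paths are the three listed above, and the workaround commands quoted at the end are the ones in Microsoft's advisory.

```powershell
# Added example (not from the Gridinsoft post, not Microsoft tooling): a read-only
# check for the CVE-2021-36934 conditions on one Windows 10/11 host. Run elevated.

$hiveFiles = 'sam', 'security', 'system' |
    ForEach-Object { Join-Path $env:windir "System32\config\$_" }

function Test-HiveAcl {
    param([string]$Path)
    # The defect is an ACL entry that grants ordinary users read access to the hive file.
    $acl = Get-Acl -Path $Path
    $weak = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match '^(BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|Everyone)$' -and
        (([int]$_.FileSystemRights) -band [int][System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
    })
    [pscustomobject]@{
        File         = $Path
        NonAdminRead = ($weak.Count -gt 0)
        Grantees     = ($weak.IdentityReference.Value -join ', ')
    }
}

$aclResults = $hiveFiles | ForEach-Object { Test-HiveAcl -Path $_ }
$aclResults | Format-Table -AutoSize

# The live hives are held open by the kernel; shadow copies are what make them readable.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
"Volume shadow copies present: $($shadows.Count)"

if (($aclResults.NonAdminRead -contains $true) -and $shadows.Count -gt 0) {
    Write-Warning 'Hive files are readable by non-administrators and shadow copies exist.'
    Write-Warning 'Microsoft workaround (elevated prompt):'
    Write-Warning '  icacls %windir%\system32\config\*.* /inheritance:e'
    Write-Warning '  then delete existing shadow copies (e.g. vssadmin delete shadows /for=C: /all)'
} else {
    'No exposure found on this host.'
}
```

Note that fixing the ACL alone is not enough: shadow copies taken before the fix still hold readable hives, which is why Microsoft pairs the icacls step with deleting them.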

It is worth noting that well-known information security expert Kevin Beaumont has already published a PoC exploit for SeriousSAM so that admins can check which of their systems are vulnerable to attacks.

Let me remind you that I also reported that a Windows 10 bug causes a BSOD when opening a specific path.

The post Vulnerability in Windows 10 could allow gaining administrator privileges appeared first on Gridinsoft Blog.

New Issues Found with Windows Print Spooler
https://gridinsoft.com/blogs/new-issues-found-with-windows-print-spooler/
Fri, 16 Jul 2021 16:45:41 +0000

Last month, cybersecurity experts inadvertently unveiled a PoC exploit for a dangerous problem in the Windows Print Spooler service, which is a universal interface between the OS, applications, and local or network printers, allowing application developers to submit print jobs.

As a result, an emergency patch was released for the vulnerability. Experts criticized the patch as ineffective, but Microsoft said that the fix worked as it should.

However, as Bleeping Computer now reports, the problems with Windows Print Spooler are not over. Security researcher and creator of Mimikatz Benjamin Delpy said that he found a way to abuse the usual method of installing printer drivers in Windows and gain SYSTEM privileges using malicious drivers. Moreover, this method works even if administrators have taken Microsoft-recommended mitigation measures by limiting the installation of printer drivers and disabling Point and Print.

While the new local privilege escalation method differs from the exploit called PrintNightmare, Delpy says these are very similar bugs that should be treated together.

The expert explains that in the past, Microsoft has tried to prevent such attacks by dropping support for version 3 printer drivers, but this eventually caused problems, and Microsoft abandoned the idea in June 2017.

Unfortunately, this problem will most likely never be fixed, because Windows must allow an administrator to install printer drivers even if they might be malicious. In addition, Windows must allow non-administrator users to install signed drivers on their devices for ease of use. It is precisely these nuances that Delpy abused.

It is also worth mentioning that this week Microsoft shared its recommendations for fixing the new Print Spooler vulnerability, which has the identifier CVE-2021-34481. The problem is also related to privilege escalation through Print Spooler, and it was discovered by Dragos specialist Jacob Baines.

Unlike the PrintNightmare issue, this vulnerability can only be exploited locally for privilege escalation. Baines points out that CVE-2021-34481 and PrintNightmare are not related and represent different bugs.

Little is currently known about this issue, including which versions of Windows are vulnerable to it. Baines only says that the bug is somehow connected with printer drivers, and the researcher promises to reveal all the details on August 7, during a talk at the DEF CON conference.

Currently, Microsoft simply recommends disabling Print Spooler on the affected machine.

The post New Issues Found with Windows Print Spooler appeared first on Gridinsoft Blog.
