All versions of Windows 10 released in the last 2.5 years (as well as Windows 11) are vulnerable to an issue dubbed SeriousSAM and HiveNightmare. Thanks to this bug, an attacker can elevate his privileges and gain access to passwords from user accounts.

The vulnerability relates to how Windows 10 controls access to files such as SAM, SECURITY, and SYSTEM:

• C:\Windows\System32\config\sam
• C:\Windows\System32\config\security
• C:\Windows\System32\config\system

Let me remind you that these files store information such as hashed passwords for all Windows user accounts, security-related settings, encryption key data, and other important information about the OS kernel configuration. If a potential attacker can read the files, the information obtained will help him to gain access to user passwords and critical system settings.

Normally, only a Windows administrator can interact with these files. However, while testing Windows 11, the expert noticed that although the OS restricts access to these files for low-level users, the available copies of the files are saved in shadow copies. Moreover, as it turned out, this problem appeared in the Windows 10 code back in 2018, after the release of version 1809.

Gaining access to the Security Account Manager (SAM) configuration file is always a huge challenge as it can steal hashed passwords, crack those hashes, and hijack accounts. Even worse, SYSTEM and SECURITY can also contain similar other, equally dangerous data, including DPAPI encryption keys and Machine Account details (used to join computers to Active Directory). Below you can see a demonstration of such an attack, recorded by the creator of Mimikatz, Benjamin Delpy.

Microsoft has already acknowledged the problem and assigned it an ID CVE-2021-36934.

So far, Microsoft is only investigating the issue and is working on a patch that will most likely be released as an emergency security update later this week. So far, the company only recommends restricting access to the problem folder, as well as deleting shadow copies.

It is worth noting that well-known information security expert Kevin Beaumont has already published a PoC exploit for SeriousSAM so that admins can check which of their systems are vulnerable to attacks.

Let me remind you that I also reported that Windows 10 bug causes BSOD when opening a specific path.

The post Vulnerability in Windows 10 could allow gaining administrator privileges appeared first on Gridinsoft Blog.

As a result, an emergency patch was released for the vulnerability, which was criticized by experts for its inefficiency, but Microsoft said that the fix worked as it should.

However, as Bleeping Computer now reports, the problems with Windows Print Spooler are not over. Security researcher and creator of Mimikatz Benjamin Delpy said that he found a way to abuse the usual method of installing printer drivers in Windows and gain SYSTEM privileges using malicious drivers. Moreover, this method works even if administrators have taken Microsoft-recommended mitigation measures by limiting the installation of printer drivers and disabling Point and Print.

#printnightmare – Episode 3

You know that even patched, with default config (or security enforced with #Microsoft settings), a standard user can load drivers as SYSTEM?

– Local Privilege Escalation – #feature pic.twitter.com/Zdge0okzKi

— ? Benjamin Delpy (@gentilkiwi) July 15, 2021

While the new local privilege escalation method is different from the exploit called PrintNightmare, Delpy says these are very similar bugs that should be treated altogether.

The expert explains that in the past, Microsoft has tried to prevent such attacks by dropping support for version 3 printer drivers, but this eventually caused problems, and Microsoft abandoned the idea in June 2017.

Unfortunately, this problem will most likely never be fixed because Windows must allow an administrator to install printer drivers, even if they might be malicious. In addition, Windows should allow non-administrator users to install signed drivers on their devices for ease of use. Namely, these nuances were abused by Delpy.

It is also worth mentioning that this week Microsoft shared its recommendations for fixing the new Print Spooler vulnerability, which has the identifier CVE-2021-34481. The problem is also related to privilege escalation through Print Spooler, and it was discovered by Dragos specialist Jacob Baines.

Unlike the PrintNightmare issue, this vulnerability can only be exploited locally for privilege escalation. Baines points out that CVE-2021-34481 and PrintNightmare are not related and represent different bugs.

Little is currently known about this issue, including which versions of Windows are vulnerable to it. Baines only says that the bug is somehow connected with the printer driver, and the researcher promises to tell all the details on August 7, during a speech at the DEF CON conference.

Currently, Microsoft simply recommends disabling Print Spooler on the affected machine.

The post New Issues Found with Windows Print Spooler appeared first on Gridinsoft Blog.