All versions of Windows 10 released in the last 2.5 years (as well as Windows 11) are vulnerable to an issue dubbed SeriousSAM and HiveNightmare. Thanks to this bug, an attacker can elevate his privileges and gain access to passwords from user accounts.

The vulnerability relates to how Windows 10 controls access to files such as SAM, SECURITY, and SYSTEM:

• C:\Windows\System32\config\sam
• C:\Windows\System32\config\security
• C:\Windows\System32\config\system

Let me remind you that these files store information such as hashed passwords for all Windows user accounts, security-related settings, encryption key data, and other important information about the OS kernel configuration. If a potential attacker can read the files, the information obtained will help him to gain access to user passwords and critical system settings.

Normally, only a Windows administrator can interact with these files. However, while testing Windows 11, the expert noticed that although the OS restricts access to these files for low-level users, the available copies of the files are saved in shadow copies. Moreover, as it turned out, this problem appeared in the Windows 10 code back in 2018, after the release of version 1809.

Gaining access to the Security Account Manager (SAM) configuration file is always a huge challenge as it can steal hashed passwords, crack those hashes, and hijack accounts. Even worse, SYSTEM and SECURITY can also contain similar other, equally dangerous data, including DPAPI encryption keys and Machine Account details (used to join computers to Active Directory). Below you can see a demonstration of such an attack, recorded by the creator of Mimikatz, Benjamin Delpy.

Microsoft has already acknowledged the problem and assigned it an ID CVE-2021-36934.

So far, Microsoft is only investigating the issue and is working on a patch that will most likely be released as an emergency security update later this week. So far, the company only recommends restricting access to the problem folder, as well as deleting shadow copies.

It is worth noting that well-known information security expert Kevin Beaumont has already published a PoC exploit for SeriousSAM so that admins can check which of their systems are vulnerable to attacks.

Let me remind you that I also reported that Windows 10 bug causes BSOD when opening a specific path.

The post Vulnerability in Windows 10 could allow gaining administrator privileges appeared first on Gridinsoft Blog.

Last week, Twitter posted messages from a security researcher about two vulnerabilities in Windows that could be exploited by cybercriminals in different attacks.

The second bug can cause a blue screen of death when trying to open an unusual path.

Since October last year, security researcher Jonas Lykkegaard has repeatedly written about a path that immediately crashes Windows 10 and displays a blue screen of death after entering into the address bar of a browser (for example, Chrome),.

When developers want to interact with a Windows device directly, they can pass the Win32 device namespace path as an argument to various Windows software functions. This allows the application, for example, to interact directly with the physical disk, bypassing the file system.

Opening the path in various ways by a user, even with a low privilege level, can cause Windows 10 to shutdown:\\.\Globalroot\device\condrv\kernelconnect.

When connecting to a device, developers pass the extended attach attribute to correctly communicate with it.

As Lukkegaard discovered, when trying to connect to a path without passing an attribute, due to incorrect error checking is thrown an exception causing a blue screen of death. To make matters worse, low-privileged Windows users can try to connect to the device using this path, thereby allowing any program running on the computer to cause Windows 10 to crash.

Let me remind you that recently Google Project Zero discovered a 0-day vulnerability in the Windows kernel.

The post Windows 10 bug causes BSOD when opening a specific path appeared first on Gridinsoft Blog.