[German]It seems that Windows 10 feature updates from version 1809 up to the current version 21H1 change the access rights to the SAM database so that non-administrative users can access it. The cause could be the volume shadow copies (Shadow Copy), which are enabled by default. Here's some initial information – I'm still sorting through it a bit at the moment.
Advertising
I just became aware of the following tweet from security researcher Kevin Beaumont, who posted a discovery by Mimikatz developer Benjamin Delpy. Benjamin Delpy has been mentioned more often here on the blog the last few weeks, as he has repeatedly pointed out new attack vectors in the PrintNightmare print spooler service.
Benjamin Delpy cautiously hints that it looks like there is a serious security problem when upgrading from Windows 10 to another Windows 10 version. You should check if shadow copies are enabled for system protection (but this is enabled by default). Kevin Beaumont then puts this into context: it looks like Windows 10's SAM database, where user passwords are also stored, is accessible to non-administrators.
Right now, people are testing up and down. The following tweets summarize the whole thing pretty compactly.
Advertising
Jeff McJunkin tested it with Will Dormann. Starting with Windows 10 version 1809, the ACLs of the SAM database are set to allow any user to access it after an upgrade. German blog reader 1ST1 then linked to the above tweet in this comment. Kevin Beaumont confirms that the Access Control Lists (ACLs) for the SAM database are set incorrectly on Windows 10. Any standard user can probably access this SAM database. 1ST1 writes about this:
The next big pile-on?
https://twitter.com/GossiTheDog/status/1417259606384971776
C:\Windows\System32>icacls c:\windows\system32\config\SAM
c:\windows\system32\config\SAM VORDEFINIERT\Administratoren:(I)(F)
NT-AUTORITÄT\SYSTEM:(I)(F)
VORDEFINIERT\Benutzer:(I)(RX)
ZERTIFIZIERUNGSSTELLE FÜR ANWENDUNGSPAKETE\ALLE ANWENDUNGSPAKETE:(I)(RX)
ZERTIFIZIERUNGSSTELLE FÜR ANWENDUNGSPAKETE\ALLE EINGESCHRÄNKTEN ANWENDUNGSPAKETE:(I)(RX)No user should actually be able to access it. SECURITY also has incorrect permissions. Traceable apparently since 1809 to 21h1.
I once ran icacls on a Windows 10 21H1 test system, and got the same values displayed in the command prompt window of a standard user.
Unless I am completely misinterpreting it, the SAM has read and execute access for normal users through the RX flag. That is, any user can read the SAM database with user passwords. The security bug has lain dormant in Windows 10 for years and no one has noticed. Beaumont was also able to track the problem on his Windows 10 21H1 and confirms that the SECURITY folder also has incorrect permissions.
Surely administrators are now wondering if they should quickly adjust the ACLs so that standard users no longer have access. At this point, I'm going to drop in a note from Beaumont, who writes:
By the way, I wouldn't panic, it is what it is. Applying workarounds to change ACLs yourself can break things, and it's very likely that it's been that way for years anyway. Eventually, MS will patch this.
And he concludes by saying that good EDR tools should show SAM dump warnings. In addition, Microsoft encrypts the SAM entries (see). To what extent this can be circumvented, I am not able to judge.
But I wonder at this point: what is wrong with Microsoft's developers. Marketing never tires of emphasizing that Windows 10 is the most secure Windows ever and praises its Windows as a service approach that lets you slip from one disaster to the next. Up front, the front door is glossed over, and on the back end, barn door-sized security holes are gaping. If it needed another example that the WaaS has simply failed, this would be it. Or how do you see it?
Addendum: Kevin Beaumont has created this HiveNightmare exploit on GitHub as he outlined in this tweet.
