SeriousSam | HiveNightmare — CVE-2021-36934

Vlad Spades
3 min read · Jul 29, 2021
Escalation of Privilege

About a week ago, a zero-day was disclosed that allows low-privileged users to obtain SYSTEM rights (privilege escalation) on Windows 10 and 11. Two things make it possible: “shadow copies” being enabled, and an Access Control List misconfiguration that lets any user read and execute the sensitive files in C:\Windows\System32\config\. Volume Snapshot Service, also known as Volume Shadow Copy Service or Shadow Copy, was introduced in Windows Server 2003 to create backups and snapshots of volumes and files even while they are in use.

What versions of Windows are vulnerable?

  • All Windows 10 from Version 1809 and newer, except Version 20H2 (I tested this out personally; even after giving RX permissions to BUILTIN\Users, hivenightmare.exe and mimikatz failed because of an access violation error)
  • Windows 11

How does the attack work?

The low-privileged user has read and execute permissions on the SAM, SYSTEM and SECURITY files located in C:\Windows\System32\config\. VSS snapshots also have to be present locally; copies of the SAM, SECURITY and SYSTEM files can then be made from a snapshot with the exploit, and the hashes of the admin and other users extracted for EoP and pivoting on a network.

To see whether a Windows version is susceptible to the attack, we have to check two things.

  • Check the permissions on the sam file using icacls as a low-privileged user:
icacls C:\Windows\System32\config\sam
Fig 1: Using icacls to check the permissions on the sam file.

We can see BUILTIN\Users:(I)(RX), which means that anyone in the Users group can read and execute the sam file (the (I) marks the entry as inherited from the parent directory).

Fig 2: SAM Properties
  • Check that shadow copies are enabled and active: Settings > About > System Protection.
Fig 3: Checking that shadow copies is enabled

Or run the command below with admin privileges:

vssadmin list shadows

Going over to GitHub, we can get an exploit that does this: https://github.com/GossiTheDog/HiveNightmare/raw/master/Release/HiveNightmare.exe

Now log in as a low-privileged user and carry out the attack.

HiveNightmare in action
Fig 4: Creating copies of the Sam, Security, System files. Credit: https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5

The files are saved in the current working directory. To extract the hashes themselves, run:

python3 secretsdump.py -sam SAM-haxx -system SYSTEM-haxx -security SECURITY-haxx LOCAL

Mimikatz has an updated module that can also carry out this attack.

Fig 5: Mimikatz extracting the hashes from shadowcopies. Credit: https://blog.truesec.com/2021/07/20/hivenightmare-a-k-a-serioussam-local-privilege-escalation-in-windows/

These hashes can be used for privilege escalation or lateral movement on a network.

Mitigation

As opposed to recommendations from Microsoft to delete shadow copies, I sincerely do not think that’s the best of ideas, because it defeats the purpose of backups and recovery.

As admin, change the ACL on the C:\Windows\System32\config\ path for the Users group so that low-privileged users cannot access the files in that path in any way.

Fig 6: Removing all permissions for Users group on the C:\Windows\System32\config\ path

Confirm that the ACL for the path is now fixed and the Users group no longer has access to the sam file.

Fig 7: Confirming that the ACL is fixed.

That said, although I did not delete the shadow copies, the ACL is broken and there can no longer be Local Privilege Escalation.
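Both the check above (icacls on the sam file, vssadmin for shadow copies) and the ACL fix from Fig 6 can be scripted. The following is an added example, not code from the original post or from the HiveNightmare project; the function and variable names are mine, and it assumes the default C:\Windows\System32\config\ path and the BUILTIN\Users group discussed in the post.

```powershell
# Added example, not from the original post: audit the condition described
# above and apply the post's fix (drop BUILTIN\Users from the config path).
# Function and variable names are my own; paths and hive names are the post's.
# Run elevated for the shadow-copy query and for the repair step.

$ConfigDir = Join-Path $env:windir 'System32\config'
$Hives     = 'SAM', 'SYSTEM', 'SECURITY'

function Test-HiveNightmareAcl {
    # One result per hive: can BUILTIN\Users read it? Works as a normal user,
    # which is exactly the perspective the icacls check in the post takes.
    foreach ($hive in $Hives) {
        $path = Join-Path $ConfigDir $hive
        $acl  = Get-Acl -LiteralPath $path
        $usersRead = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
        })
        [pscustomobject]@{
            Hive         = $hive
            UsersCanRead = ($usersRead.Count -gt 0)
            Inherited    = (@($usersRead | Where-Object IsInherited).Count -gt 0)
        }
    }
}

function Get-ShadowCopyCount {
    # Same information as 'vssadmin list shadows'; needs administrator rights.
    @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop).Count
}

function Repair-ConfigAcl {
    # Mirrors Fig 6: stop inheriting from System32 (keeping the existing
    # entries as explicit ones) and remove every BUILTIN\Users grant on the
    # config directory and on the hive files themselves.
    $targets = @($ConfigDir) + @($Hives | ForEach-Object { Join-Path $ConfigDir $_ })
    foreach ($t in $targets) {
        & icacls.exe $t /inheritance:d | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls /inheritance:d failed on $t" }
        & icacls.exe $t /remove:g 'BUILTIN\Users' | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls /remove:g failed on $t" }
    }
}

Test-HiveNightmareAcl | Format-Table -AutoSize
```

A snapshot keeps the ACLs as they stood when it was taken, so after running Repair-ConfigAcl it is worth using Get-ShadowCopyCount to see which shadow copies predate the change and deciding what to do with them.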

