New Windows permissions vulnerability allows an attacker to gain access to user passwords...

nanoguy

Posts: 917   +12
Staff member
A hot potato: Just as Microsoft is battling five different security flaws affecting the Windows print spooler, security researchers found the company's next nightmare -- a permissions flaw dubbed HiveNightmare a.k.a SeriousSAM. The new vulnerability is less easily exploited, but a motivated attacker can use it to get the maximum level of access privileges possible in Windows and steal data and passwords.

On Monday, security researcher Jonas Lykkegaard revealed on Twitter that he may have found a serious vulnerability on Windows 11. At first, he thought he was looking at a software regression in an Insider build of Windows 11, but he noticed the contents of a database file associated with the Windows Registry were accessible to regular users without elevated privileges.

Specifically, Jonas found that he could read the contents of the Security Account Manager (SAM) which holds the hashed passwords for all users on a WIndows PC, as well as that of other Registry databases.

This was confirmed by Kevin Beaumont and Jeff McJunkin, who did some additional testing and found the issue affects Windows 10 versions 1809 and above, right up to the latest Insider build of Windows 11. Versions 1803 and below are unaffected, as are all versions of Windows Server.

Microsoft acknowledged the vulnerability and is currently working on a patch. The company's security bulletin explains that a malicious actor who has successfully exploited this flaw would be able to create an account on the affected machine that would have System-level privileges, which is the highest level of access in Windows. This means the attacker could view and change your files, install apps, create new user accounts, and execute any code with elevated privileges.

It is a serious issue, but there's the chance it hasn't been widely exploited, since the attacker would need to compromise the target system first using a different vulnerability. And according to the US Computer Emergency Readiness Team, the system in question needs to have the Volume Shadow Copy Service turned on.

Microsoft has provided a workaround for people looking to mitigate the issue, which involves restricting access to the contents of the Windows\system32\config folder and deleting System Restore points and Shadow copies. However, this may break restore operations, and that includes restoring your system with the help of third-party backup applications.

If you're looking for an in-depth read about the vulnerability and how it can be exploited, you can find one here. According to Qualys, the security community has discovered two very similar vulnerabilities in Linux which you can read about here and here.

Permalink to story.

 

kiwigraeme

Posts: 481   +370
Volume Shadow Copy Service - if it is what I think it is - it cause a whole evening of wasted time.
I must have turned it on somehow on a PC ( or my young son did ) with a small C drive - Windows kept giving me low space warning - so cleared recycle bin - deleted or moved media , checked the slider of system restore - deleted old windows files - yet my storage kept drifting to zero very quickly . Hidden files showed nothing.
Run a bunch of disk analysers - none of them mentioned shadow volumes as windows hides it well .
Then I think one program showed me something - managed to turn shadow copy off - then I think I needed to grant myself special admin rights to see and delete it - I'm a business man not a system admin - least now I don't have to do reg edits and fix MBR I had to do Windows XP to fix things - or manually repair corrupted windows files
 

yRaz

Posts: 3,814   +3,955
I don't seem to understand, why is windows or Linux saving my passwords? Is it just poorly explained in the article or are we talking about login in credentials on the specific system?

If it's only for login credentials I don't think it's a huge deal, I only keep a password on my system to inconvenience anyone trying to get in
 

duckofdeath

Posts: 448   +586
I don't seem to understand, why is windows or Linux saving my passwords? Is it just poorly explained in the article or are we talking about login in credentials on the specific system?

If it's only for login credentials I don't think it's a huge deal, I only keep a password on my system to inconvenience anyone trying to get in
Because the option would be you having to enter your username and password a thousand times every day...

It's a bad exploit, but the real exploit is the sensationalist names these people comes up with these days. If your system is already compromised by another exploit, anything already goes.
 

seeprime

Posts: 577   +704
Volume Shadow Copy Service - if it is what I think it is - it cause a whole evening of wasted time.
I must have turned it on somehow on a PC ( or my young son did ) with a small C drive - Windows kept giving me low space warning - so cleared recycle bin - deleted or moved media , checked the slider of system restore - deleted old windows files - yet my storage kept drifting to zero very quickly . Hidden files showed nothing.
Run a bunch of disk analysers - none of them mentioned shadow volumes as windows hides it well .
Then I think one program showed me something - managed to turn shadow copy off - then I think I needed to grant myself special admin rights to see and delete it - I'm a business man not a system admin - least now I don't have to do reg edits and fix MBR I had to do Windows XP to fix things - or manually repair corrupted windows files
You could simply run Disc cleanup, then clean up system files. In the right tab select clean up Restore points and VSS (or however it's worded). Let it run, and and existing VSS is gone.
 

kiwigraeme

Posts: 481   +370
You could simply run Disc cleanup, then clean up system files. In the right tab select clean up Restore points and VSS (or however it's worded). Let it run, and and existing VSS is gone.

Checked it now on my W10 - is under more options .MS has so many ways to do things - I knew how to reduce space for restore points - as sometimes windows went crazy claiming lots for it . That shadow copy was trying to backup a 4TB drive onto my 256gb SSD C drive . I was trying quickly to find out why SSD space was getting smaller ( the allocations were out by 100gb ) - I'm not a system admin - it was like MS was creating a bigger hidden partition by the minute - as files were not showing - where I could see the weirdly named system restore ones ( disc analysers see them and anti virus can scan as well ) - think I even try a system restore to stop . Anyway thanks - I think it was a weird one off - not sure how if even started ( maybe my son quite young pressed the windows and crtl keys ) - see there is a Cmd Vssadmin
 

Neatfeatguy

Posts: 444   +707
MS Management: Lots of security issues here, so as non-Microsoft personal and companies bring them to our attention, we'll continue to work on them. In the mean time, what can we do to shine the spotlight on more positive aspects of Windows 11?

MS Peon: Remind the people that we now have soft, rounded corners on the windows! It's such a lovely feature that is cool and calming. This should help calm people down and remind them that we're doing everything in our power to make unnecessary changes that no one asked for, wanted or needed!

MS Management: Um. I like everything you said. Except for maybe we don't tell them that we're working hard on making unnecessary changes that no one asked for, wanted or needed. But, yes! PR Team, make sure you pump out news stories about how much better the Windows 11 UI is so we can squelch some of this negative press information coming out.

MS Peon 2: What about the fact that we broke the same thing on Windows 10? Should we get that fixed as well?

MS Management: I suppose. I want you guys to also look into maybe making the windows having rounded, smooth edges like in Windows 11. I think we just might be on to something new and spectacular with this updated UI on 11.
 

scavengerspc

Posts: 1,587   +1,607
TechSpot Elite
QUOTE - "It is a serious issue, but there's the chance it hasn't been widely exploited, since the attacker would need to compromise the target system first using a different vulnerability. And according to the US Computer Emergency Readiness Team, the system in question needs to have the Volume Shadow Copy Service turned on."

It looks like this "news" once again resulted in more attacks after they broke the story than actually happened beforehand because the dipshits that break it even goes out of their way to tell everyone how to do it.
 

ZedRM

Posts: 616   +386
I tried this on one of my systems. Didn't work. Of course there is a good reason for this, the VSS service has been deleted. I imagine that this exploit is impossible to use if VSS isn't present on in the target system...

And I have just bought Paragon for backups. :(
That's still a good purchase.