As if the PrintNightmare saga, which has been haunting Windows printers everywhere, wasn’t enough…

…here is another bug, disclosed by Microsoft on 2021-07-20, that could expose important secrets from the Windows registry.

This vulnerability, officially designated CVE-2021-36934, has picked up the nicknames HiveNightmare and SeriousSAM.

The HiveNightmare name comes from the fact that Windows stores its registry data in a small number of proprietary database files, known in Microsoft jargon as hives or hive files.

These hive files include a trio called SAM, SECURITY and SYSTEM, which between them contain important data, including password hashes and security settings, that regular users are not supposed to be able to read.

They are stored in a special, supposedly secure folder under the Windows directory called C:\Windows\System32\config, as you can see here:
C:\Windows\System32\config>dir
[. . .]
 Directory of C:\Windows\System32\config
[. . .]
21/07/2021  12:57           524,288 BBI
25/06/2021  06:21            28,672 BCD-Template
21/07/2021  14:45            32,768 COMPONENTS
21/07/2021  12:57           786,432 DEFAULT
21/07/2021  12:32         4,194,304 DRIVERS
[. . .]
21/07/2021  12:57            65,536 SAM       <-- includes some system secrets
21/07/2021  12:57            32,768 SECURITY  <-- includes some system secrets
21/07/2021  12:57        87,556,096 SOFTWARE
21/07/2021  12:57        11,272,192 SYSTEM    <-- includes some system secrets
[. . .]
The SeriousSAM name comes from the filename SAM, which is short for Security Account Manager, a name that sounds as serious as the contents of the file really are.

If you have ever used password cracking or hacking tools (or found them on your network shortly after an active attack was discovered), you will know that the SAM database is where attackers go to get hold of administrator credentials for roaming around your network.

Fortunately, you already need administrator access to read the SAM data in the registry, and you can’t get at the SAM registry hive on disk while Windows is running, even if you are an administrator, because the SAM file is locked for exclusive use by the operating system.

Who can see what?

We wrote a tiny C program that you can use as an “accessibility meter” for any file on your computer: it simply tries to open the filename or filenames you put on the command line, and prints out the Windows error code if the file can’t be opened for reading.

(The code below is public domain, so you can do what you like with it, but use it at your own risk.)

You don’t even need the Windows header files to compile it; just tell your compiler or linker that it needs kernel32.dll and msvcrt.dll, which provide the four functions it declares:

/* CHKIT.C */

/* Hand-written prototypes instead of <windows.h>: CreateFileA, CloseHandle and
   GetLastError come from kernel32.dll, printf from msvcrt.dll. They omit the
   __stdcall that the 32-bit Win32 API requires, so build this as a 64-bit program. */
void *CreateFileA(char *name, unsigned mode, unsigned share, void *sec, unsigned disp, unsigned attr, void *tmpl);
int CloseHandle(void *hnd);
unsigned GetLastError(void);
int printf(char *fmt, ...);

int main(int argc, char **argv)
{
   for (int i = 1; i < argc; i++) {
      printf("Opening file [%s]\n", argv[i]);
      /* GENERIC_READ (0x80000000), no sharing, OPEN_EXISTING (3), FILE_ATTRIBUTE_NORMAL (0x80) */
      void *hnd = CreateFileA(argv[i], 0x80000000L, 0, 0, 3, 0x80, 0);
      if ((long)hnd == -1) {   /* INVALID_HANDLE_VALUE */
         printf("Failed (GetLastError=0x%08X)\n", GetLastError());
      } else {
         printf("Worked (handle=%ld)\n", (long)hnd);
         CloseHandle(hnd);
      }
   }
   return 0;
}
From an elevated command prompt (i.e. one running as Administrator), we get the following output:

C:\Users\duck>chkit C:\Windows\System32\config\SAM C:\Windows\System32\config\SYSTEM C:\Windows\System32\config\SECURITY
Opening file [C:\Windows\System32\config\SAM]
Failed (GetLastError=0x00000020)
Opening file [C:\Windows\System32\config\SYSTEM]
Failed (GetLastError=0x00000020)
Opening file [C:\Windows\System32\config\SECURITY]
Failed (GetLastError=0x00000020)

Error 0x20 means ERROR_SHARING_VIOLATION, officially described by Microsoft as “The process cannot access the file because it is being used by another process.”

Let’s repeat the test from a non-elevated command prompt, where we are running as a regular user:

C:\Users\duck>chkit c:\windows\system32\config\sam
Opening file [c:\windows\system32\config\sam]
Failed (GetLastError=0x00000020)

That’s a bug. Error 0x20 means that the operating system actually had a go at opening the file, and failed only because the file happened to be locked at the time, instead of refusing the attempt outright because a regular user has no business opening that file at all. The error that should have popped up immediately is 0x05, short for an explicit ERROR_ACCESS_DENIED.
And if we look at the access control list (ACL) for the SAM hive file, using the built-in ICACLS utility, we can see that this behaviour is down to a security bug, not to a quirk of file locking:

C:\Windows\System32>icacls config\SAM
config\SAM BUILTIN\Administrators:(I)(F)
           NT AUTHORITY\SYSTEM:(I)(F)
           BUILTIN\Users:(I)(RX)   <-- this is wrong - regular users should not have read access!
           APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
           APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
Successfully processed 1 files; Failed processing 0 files

In other words, the data in the SAM registry hive (and in the SECURITY and SYSTEM hives too) is protected from regular users at runtime only because the files are busy elsewhere, not because regular users have been locked out from the outset.
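Here is an added PowerShell check, not from the original article, that automates the ICACLS inspection above across all three hives and also enumerates any Volume Shadow Copies, since those preserve the hive files with whatever permissions they had when the snapshot was taken. It assumes the standard %SystemRoot%\System32\config location; the list of identities treated as “low privilege” is my own choice of principals that should never have read access (the article’s listing only flags BUILTIN\Users). Run it from an elevated prompt so that both the ACL reads and the shadow copy enumeration succeed.

```powershell
# Added example (not from the original article): audit the registry hive files for the
# CVE-2021-36934 permission bug and report Volume Shadow Copies that may hold old copies.
# Run elevated: after the fix, regular users can no longer read the hives' ACLs, and
# enumerating shadow copies via CIM needs administrator rights anyway.

$ConfigDir = Join-Path $env:SystemRoot 'System32\config'
$Hives     = 'SAM', 'SECURITY', 'SYSTEM'

# Principals that must never have read access to the hive files.
# (Assumption: this list is our own; the article's listing only flags BUILTIN\Users.)
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES',
    'APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES'
)

function Test-HiveAcl {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # An Allow ACE for a low-privilege principal that includes ReadData means an ordinary
    # user could copy the file, or a snapshot of it, whenever the file is not locked.
    $bad = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) { $ace }
    }
    [pscustomobject]@{
        Hive       = Split-Path $Path -Leaf
        Vulnerable = [bool]$bad
        BadAces    = ($bad | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
    }
}

$results = $Hives | ForEach-Object { Test-HiveAcl (Join-Path $ConfigDir $_) }
$results | Format-Table -AutoSize

# Shadow copies keep the hive files as they were when the snapshot was taken, so fixing
# the live ACL does not help while an older, permissive copy is still readable there.
try {
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop)
    if ($shadows.Count -gt 0) {
        Write-Warning ("{0} Volume Shadow Copy/Copies present; each may hold hives with the old ACL:" -f $shadows.Count)
        $shadows | Select-Object ID, InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize
    } else {
        Write-Host 'No Volume Shadow Copies present.'
    }
} catch {
    Write-Warning "Could not enumerate shadow copies (run elevated): $($_.Exception.Message)"
}

if ($results.Vulnerable -contains $true) {
    Write-Warning 'At least one hive file is readable by low-privilege users (CVE-2021-36934 exposure).'
} else {
    Write-Host 'No low-privilege principal has read access to the hive files.'
}
```

The ACL test deliberately looks at the ReadData bit rather than the (RX) shorthand that ICACLS prints, so it also catches a custom ACE that grants plain read without execute.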
We need to fix this vulnerability. Microsoft’s official workaround is to restrict the ACLs on everything in the CONFIG directory, and then to get rid of any Volume Shadow Copies (System Restore points) you have, because they keep copies of the hive files with the old permissions. You need to be an Administrator, and the ICACLS command used to reset the permissions is this:

C:\Users\duck>icacls %windir%\system32\config\*.* /inheritance:e
processed file: C:\Windows\system32\config\BBI
[. . .]
processed file: C:\Windows\system32\config\SAM
[. . .]
processed file: C:\Windows\system32\config\SECURITY
[. . .]
processed file: C:\Windows\system32\config\SYSTEM
[. . .]
Successfully processed 42 files; Failed processing 0 files

The /inheritance:e switch re-enables ACL inheritance on each file, so the hives pick up the permissions of the config folder itself, which correctly grant regular users no access at all.
Now the ACL on the SAM file we checked above looks a lot healthier:

C:\Windows\System32>icacls config\SAM
config\SAM NT AUTHORITY\SYSTEM:(I)(F)
           BUILTIN\Administrators:(I)(F)
Successfully processed 1 files; Failed processing 0 files

And when we try to open the SAM registry hive file from a non-admin command prompt, we no longer get the 0x20 error. We now get the clearly security-related error 0x05, for ACCESS_DENIED:

C:\Users\duck>chkit c:\windows\system32\config\sam
Opening file [c:\windows\system32\config\sam]
Failed (GetLastError=0x00000005)

Unfortunately, fixing the ACLs on the live files isn’t enough. If your computer has System Restore points (also known as Volume Shadow Copies), these include point-in-time copies of your SAM, SECURITY and SYSTEM hive files, complete with the old, insecure access control settings. In other words, an unprivileged user could simply go there instead to read the vulnerable data. And you may well have one or more such snapshots on your computer, unless you have deliberately gone into the System Protection settings and turned them off.
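The two-step workaround described above (reset the ACLs, then remove the snapshots that still carry the old ACLs), as an added PowerShell script that is not from the original article or from Microsoft. It assumes an elevated prompt, that you are prepared to lose every existing restore point, and the standard %SystemRoot% location; it uses the same icacls command as above together with the stock vssadmin and Checkpoint-Computer tools, and finishes by re-reading the SAM ACL so you can compare it with the healthy listing.

```powershell
# Added example (not from the original article): apply the CVE-2021-36934 workaround.
# Must run from an elevated Windows PowerShell prompt. Deleting shadow copies discards
# ALL existing System Restore points, so make sure you are happy to lose them first.
#Requires -RunAsAdministrator

$ConfigDir = Join-Path $env:SystemRoot 'System32\config'

# Step 1: re-enable ACL inheritance on every file in the config directory so the hives
# take the (correct) permissions of the folder instead of their own faulty ACEs.
& icacls.exe "$ConfigDir\*.*" /inheritance:e | Select-Object -Last 1
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Step 2: remove existing Volume Shadow Copies; each one holds copies of SAM, SECURITY
# and SYSTEM with the permissions they had when the snapshot was taken.
$before = @(Get-CimInstance -ClassName Win32_ShadowCopy)
if ($before.Count -gt 0) {
    Write-Host "Deleting $($before.Count) shadow copy/copies..."
    & vssadmin.exe delete shadows /all /quiet | Out-Null
}
$after = @(Get-CimInstance -ClassName Win32_ShadowCopy)
if ($after.Count -gt 0) {
    Write-Warning "$($after.Count) shadow copy/copies could not be deleted; old hive copies may remain readable"
} else {
    Write-Host 'No shadow copies remain.'
}

# Step 3: create a fresh restore point now that the on-disk hives have sane permissions,
# so any new snapshot carries the fixed ACLs. Only works if System Protection is enabled
# for the system drive, and Windows normally allows one checkpoint per 24 hours.
try {
    Checkpoint-Computer -Description 'Post CVE-2021-36934 ACL fix' -RestorePointType MODIFY_SETTINGS -ErrorAction Stop
} catch {
    Write-Warning "Could not create a restore point: $($_.Exception.Message)"
}

# Verify: the SAM hive should now list only NT AUTHORITY\SYSTEM and BUILTIN\Administrators.
& icacls.exe (Join-Path $ConfigDir 'SAM')
```

The order matters: deleting the snapshots before resetting the ACLs would leave a window in which a new snapshot could capture the hives with the bad permissions, so the script fixes the live files first and only then discards the old copies.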