The United States Computer Emergency Response Team is warning that, starting with Windows 10 build 1809, non-administrative users have read and execute permissions on important Registry configuration files, which allows for easy local privilege escalation attacks.
Non-privileged Windows users can access the SYSTEM, SECURITY and Security Account Manager (SAM) configuration files, which contain sensitive information that can be used for account impersonation, CERT-CC said.
The information in the configuration files can be accessed through the Volume Shadow Copies that Windows keeps for system restore, researcher Jonas Lykkegard found.
"yarh- for some reason on win11 the SAM file now is READ for users.
So if you have shadowvolumes enabled you can read the sam file like this:
I don't know the full extent of the issue yet, but it's too many to not be a problem I think. pic.twitter.com/kl8gQ1FjFt"
— Jonas L (@jonasLyk), July 19, 2021
With the information at hand, locally authenticated attackers can elevate even sandboxed (fenced off) apps to high SYSTEM privileges.
CERT-CC said access to the configuration files can be used to extract account password hashes, and to find the original Windows installation passphrase.
It is also possible to obtain Data Protection Application Programming Interface (DPAPI) computer keys, which in turn can be used to decrypt all private keys on a computer, with a range of other threat scenarios possible.
As a workaround, CERT-CC suggests administrators remove the access that the low-privileged Users group has to the SAM, SECURITY and SYSTEM files, using the Windows icacls command.
Administrators should also delete volume shadow copies that contain backed-up copies of the configuration files with the overly permissive access control entries, using the vssadmin command.
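As an added example, not taken from the article or from the CERT-CC advisory, the PowerShell script below audits the three hive files for an allow entry granting BUILTIN\Users read access, reports whether any shadow copies exist, and, when run with its own -Fix switch (an assumption of this script, not a Windows parameter), applies the icacls and vssadmin workarounds named above. It assumes an elevated prompt; the icacls /inheritance:e form is used because it re-applies the parent directory's inherited ACL to the hive files.

```powershell
# Added example: audit and optionally fix the hive-file ACL and shadow-copy exposure.
# Run from an elevated PowerShell prompt. -Fix is this script's own switch.
[CmdletBinding()]
param([switch]$Fix)

$config = Join-Path $env:SystemRoot 'System32\config'
$hives  = 'sam', 'security', 'system' | ForEach-Object { Join-Path $config $_ }

$exposed = @()
foreach ($hive in $hives) {
    # Get-Acl only needs READ_CONTROL, so it works although the hive is locked by the kernel.
    $acl = Get-Acl -Path $hive
    # Any Allow ACE for BUILTIN\Users that includes ReadData is the vulnerable state.
    $bad = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    }
    if ($bad) {
        Write-Warning "$hive : BUILTIN\Users has read access ($($bad.FileSystemRights -join ', '))"
        $exposed += $hive
    } else {
        Write-Host "$hive : OK (no read access for BUILTIN\Users)"
    }
}

# Shadow copies preserve older copies of the hives with the old ACLs, so report them too.
$shadows = vssadmin list shadows 2>&1
if ($shadows -match 'Shadow Copy ID') {
    Write-Warning 'Volume shadow copies exist; they may still contain hives with the weak ACL.'
} else {
    Write-Host 'No volume shadow copies found.'
}

if ($Fix) {
    if ($exposed.Count -gt 0) {
        # Re-enable inheritance so the hives pick up the correct ACL from System32\config,
        # which drops the BUILTIN\Users read entry (icacls workaround).
        icacls (Join-Path $config '*.*') /inheritance:e
    }
    # Delete all existing shadow copies so no snapshot keeps the weakly protected hives
    # (vssadmin workaround). This also removes restore points, so confirm that is acceptable.
    vssadmin delete shadows /all /quiet
}
```

Run it once without -Fix to see the current state, then again with -Fix and a final plain run to confirm the warnings are gone.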