Jul 22, 2021

Misconfigured ACL for SAM

Windows 10 version 1809 and newer could be affected by this vulnerability. According to Microsoft, an elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This means that a non-admin user no longer needs to crack the hashes at all: the data extracted from the hive files can be fed to Mimikatz, for instance, to elevate privileges.

The advisory states that, if successfully exploited, this bug, dubbed by some as HiveNightmare, can be used to:

  • Extract and leverage account password hashes.
  • Discover the original Windows installation password.
  • Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.
  • Obtain a computer machine account, which can be used in a silver ticket attack.

Or, more briefly, "a local authenticated attacker may be able to achieve [local privilege escalation], masquerade as other users, or achieve other security-related impacts." This can be used to thoroughly infect a system with malware, snoop on other users, and so on.

According to the advisory: "Note that VSS shadow copies may not be available in some configurations, however simply having a system drive that is larger than 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be automatically created."

US-CERT describes how to detect whether VSS shadow copies are available: run vssadmin list shadows as a privileged user and see whether any shadow copies are listed.

The VSS shadow copies are a key ingredient because the live registry hive files are held open by Windows during normal operation, so a normal user cannot read them even with the loose ACL. However, if shadow copies are available, the copies of those files inside the shadow copy can be opened for inspection thanks to the sloppy ACL.

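The two ingredients described above, a hive ACL that grants BUILTIN\Users read access and at least one VSS shadow copy, can be checked together from an elevated PowerShell session. The script below is an added example for this post, not code from the original page or from Microsoft or US-CERT; it assumes the three hive files live under %windir%\System32\config and uses Win32_ShadowCopy as a language-independent equivalent of the vssadmin list shadows check. The function names (Test-HiveReadableByUsers, Get-ShadowCopyCount) are my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): detect the two conditions behind CVE-2021-36934 /
# HiveNightmare on this host: (1) BUILTIN\Users can read the registry hive files under
# %windir%\System32\config, and (2) VSS shadow copies exist from which those files could be read.

# The SAM database named by the advisory plus the SYSTEM and SECURITY hives stored beside it.
$hiveNames = 'SAM', 'SYSTEM', 'SECURITY'
$configDir = Join-Path $env:windir 'System32\config'

# Well-known SID for BUILTIN\Users; comparing SIDs avoids localized group names.
$usersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'

function Test-HiveReadableByUsers {
    param([Parameter(Mandatory)][string]$Path)
    # Get-Acl needs only READ_CONTROL on the file, so it works even while the hive is held open.
    $acl = Get-Acl -LiteralPath $Path
    # Resolve every ACE principal to a SID and look for an Allow ACE that grants Users ReadData
    # (the vulnerable ACL shows up in icacls as "BUILTIN\Users:(I)(RX)", which includes ReadData).
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $usersSid.Value -and
            $rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            $rule.FileSystemRights.HasFlag([System.Security.AccessControl.FileSystemRights]::ReadData)) {
            return $true
        }
    }
    return $false
}

function Get-ShadowCopyCount {
    # Same information as 'vssadmin list shadows', but as objects rather than localized text.
    $copies = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
    return @($copies).Count
}

$report = foreach ($name in $hiveNames) {
    $path = Join-Path $configDir $name
    [pscustomobject]@{
        Hive            = $path
        ReadableByUsers = $(if (Test-Path -LiteralPath $path) { Test-HiveReadableByUsers -Path $path } else { 'missing' })
    }
}

$report | Format-Table -AutoSize
$shadowCount = Get-ShadowCopyCount
Write-Host "VSS shadow copies present: $shadowCount"

if (($report.ReadableByUsers -contains $true) -and $shadowCount -gt 0) {
    Write-Warning 'Exposed: hive files are readable by BUILTIN\Users and shadow copies exist to read them from.'
} elseif ($report.ReadableByUsers -contains $true) {
    Write-Warning 'Hive ACLs are too permissive; no shadow copy exists yet, but one may appear after a Windows Update or MSI install.'
} else {
    Write-Host 'Hive ACLs do not grant BUILTIN\Users read access.'
}
```

If the ACL check reports the hives as readable, Microsoft's published workaround for this CVE is to restore restrictive permissions with icacls %windir%\system32\config\*.* /inheritance:e and then delete any existing VSS shadow copies, since copies created before the ACL fix still carry the old permissions; re-run the script afterwards to confirm both conditions are gone.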
[ CVE Description ]
 [*] CVE_ID : CVE-2021-36934
 [_] Desc   : Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to execute arbitrary code with SYSTEM privileges.

 [_] C:2021-07-20 / P:2021-07-20 / L:2021-07-20
 [*] Vuln Risk           : 18.5605
 [*] Exploited [trend]   : 0 [holding]
 [_] Exploit/likelihood : False/None

 [*] Malware sample : 0
 [*] Exploits/POC   : [0]
 [_] Fixes          : [0]
 [_] Threat Actors  : [0]
 [_] CVSS2 / CVSS3  : [ 6.8 / 7.8 ]

 [_] Vuln Products  : [0]

[ CVE Malware Family Info : None ]

[ High_Profile_Vulnerability ]
 [!!!]   CVE-2021-36934 (18.5605) : []
