Educause Security Discussion mailing list archives
Win10 & Win11 allow local users to READ the SAM (security accounts manager), SYSTEM, and SECURITY
From: Alex Keller <axkeller () STANFORD EDU>
Date: Tue, 20 Jul 2021 18:47:31 +0000
Emerging new chapter in what has been a very rough month for Microsoft - Some versions of Win10 and Win11 allow local users to READ the SAM (security account manager), as well as SYSTEM, and SECURITY (path C:\Windows\System32\config):

https://twitter.com/gentilkiwi/status/1417467063883476992

More here: https://www.bleepingcomputer.com/news/microsoft/new-windows-10-vulnerability-allows-anyone-to-get-admin-privileges/

Implication is that any local user can elevate to SYSTEM (root/admin). Command line output below shows confirmation of exposure, if you see "BUILTIN\Users:(I)(RX)" the host is affected. No acknowledgement from MS yet.

Best,
Alex

Microsoft Windows [Version 10.0.19042.1052]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>cd config

C:\Windows\System32\config>icacls.exe SAM
sam BUILTIN\Administrators:(I)(F)
    NT AUTHORITY\SYSTEM:(I)(F)
    BUILTIN\Users:(I)(RX)
    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
    APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\System32\config>icacls.exe SYSTEM
system BUILTIN\Administrators:(I)(F)
       NT AUTHORITY\SYSTEM:(I)(F)
       BUILTIN\Users:(I)(RX)
       APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
       APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\System32\config>icacls.exe SECURITY
security BUILTIN\Administrators:(I)(F)
         NT AUTHORITY\SYSTEM:(I)(F)
         BUILTIN\Users:(I)(RX)
         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
         APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

Alex Keller
Stanford | Engineering Information Technology
axkeller () stanford edu
(650)736-6421
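
A host-side version of the check in the post, as an added example that is not part of the original message: it reads each hive file's ACL and reports whether BUILTIN\Users holds an Allow entry with read access. The function name Test-HiveReadableByUsers is hypothetical, and matching on the well-known SID S-1-5-32-545 instead of the display name is this example's assumption so that it also works on localized Windows.

```powershell
# Added example, not from the original post. The function name and the choice
# to match on the SID rather than the display name are this example's own.
function Test-HiveReadableByUsers {
    param([Parameter(Mandatory)][string]$Path)

    # Well-known SID of BUILTIN\Users; the display name is localized, the SID is not.
    $usersSid = 'S-1-5-32-545'
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # A standard user on a host without the weak ACL may be unable to read
        # the ACL at all, so report the error instead of guessing a result.
        return [pscustomobject]@{ Path = $Path; Exposed = $null; Detail = $_.Exception.Message }
    }

    # Resolve every ACE (explicit and inherited) to a SID and keep Allow entries
    # for BUILTIN\Users that include the right to read file data.
    $hit = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $usersSid -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $readData) -eq $readData)
        } | Select-Object -First 1

    # IsInherited corresponds to the (I) flag in the icacls output above.
    [pscustomobject]@{
        Path    = $Path
        Exposed = [bool]$hit
        Detail  = if ($hit) { "$($hit.FileSystemRights), inherited=$($hit.IsInherited)" } else { 'no read ACE for BUILTIN\Users' }
    }
}

# The three hive files named in the post.
'SAM', 'SYSTEM', 'SECURITY' |
    ForEach-Object { Test-HiveReadableByUsers -Path (Join-Path $env:SystemRoot "System32\config\$_") } |
    Format-Table -AutoSize
```

An Exposed value of True corresponds to the "BUILTIN\Users:(I)(RX)" line in the icacls output; an empty value means the ACL could not be read and the Detail column carries the error.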