Educause Security Discussion mailing list archives

Win10 & Win11 allow local users to READ the SAM (security accounts manager), SYSTEM, and SECURITY


From: Alex Keller <axkeller () STANFORD EDU>
Date: Tue, 20 Jul 2021 18:47:31 +0000

Emerging new chapter in what has been a very rough month for Microsoft - Some versions of Win10 and Win11 allow local 
users to READ the SAM (security account manager), as well as SYSTEM, and SECURITY (path C:\Windows\System32\config):
https://twitter.com/gentilkiwi/status/1417467063883476992

More here:
https://www.bleepingcomputer.com/news/microsoft/new-windows-10-vulnerability-allows-anyone-to-get-admin-privileges/

Implication is that any local user can elevate to SYSTEM (root/admin). Command line output below shows confirmation of 
exposure; if you see "BUILTIN\Users:(I)(RX)", the host is affected.

No acknowledgement from MS yet.

Best,
Alex

Microsoft Windows [Version 10.0.19042.1052]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>cd config

C:\Windows\System32\config>icacls.exe SAM
sam BUILTIN\Administrators:(I)(F)
    NT AUTHORITY\SYSTEM:(I)(F)
    BUILTIN\Users:(I)(RX)
    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
    APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\System32\config>icacls.exe SYSTEM
system BUILTIN\Administrators:(I)(F)
       NT AUTHORITY\SYSTEM:(I)(F)
       BUILTIN\Users:(I)(RX)
       APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
       APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\System32\config>icacls.exe SECURITY
security BUILTIN\Administrators:(I)(F)
         NT AUTHORITY\SYSTEM:(I)(F)
         BUILTIN\Users:(I)(RX)
         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
         APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files



Alex Keller
Stanford | Engineering
Information Technology
axkeller () stanford edu
(650)736-6421
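
The check described in the message above can be automated when icacls output is collected from many hosts. The following is an added example, not part of the original message: the function names are hypothetical, and it assumes English-locale icacls output with indentation preserved and file names without spaces.

```python
import re

READ_RIGHTS = {"F", "M", "RX", "R", "GR", "GA", "RD"}  # icacls codes that allow reading data
HIVES = {"sam", "system", "security"}
ACE = re.compile(r"^(?P<principal>.+?):(?P<groups>(?:\([^()]*\))+)\s*$")

# SAM listing copied from the message above.
SAMPLE = r"""
C:\Windows\System32\config>icacls.exe SAM
sam BUILTIN\Administrators:(I)(F)
    NT AUTHORITY\SYSTEM:(I)(F)
    BUILTIN\Users:(I)(RX)
    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

def parse_icacls(text):
    """Map each file name to its [(principal, [groups])]; assumes names without spaces."""
    acls, current = {}, None
    for raw in text.splitlines():
        if raw[:1].isspace():            # indented line: another ACE for the same file
            name, rest = current, raw.strip()
        else:                            # unindented: "<file> <first ACE>", or noise
            name, _, rest = raw.partition(" ")
            current = None
        m = ACE.match(rest.strip())
        if m is None or not name:
            continue                     # prompts, banners, blank and summary lines
        current = name
        acls.setdefault(name, []).append((m["principal"], re.findall(r"\(([^()]*)\)", m["groups"])))
    return acls

def grants_read(groups):
    """True if the ACE allows reading; the last parenthesised group holds the rights."""
    tokens = [g.upper() for g in groups]
    return "DENY" not in tokens and bool(set(tokens[-1].split(",")) & READ_RIGHTS)

def exposed_hives(text, principal="BUILTIN\\Users"):
    """Return the hive files (sam/system/security) that `principal` can read."""
    hits = set()
    for name, aces in parse_icacls(text).items():
        base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
        readable = any(w.lower() == principal.lower() and grants_read(g) for w, g in aces)
        if base in HIVES and readable:
            hits.add(base)
    return sorted(hits)

print(exposed_hives(SAMPLE))
```

A non-empty result means the host shows the exposure described in the message; an empty list means no readable ACE for BUILTIN\Users was found on the hive files in the supplied output.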

