Fire up an administrative command-line window, as above. Note that this workaround will delete existing shadow copies, so your computer will temporarily be without a restore point.ġ. Now what?ĬERT/CC's Dormann recommends taking the following steps to dodge the risk of attacks using this flaw. If regular users can read the SAM file AND shadow copies exist, then your Windows system is vulnerable to attack. Here's what you might get if you don't: No items found that satisfy the query. Provider: 'Microsoft Software Shadow Copy provider 1.0'Īttributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2 If so, then you have shadow copies: Contents of shadow copy set ID: \ You may get a full report that looks like this. Once the command-prompt window is open, type this and hit Enter: vssadmin list shadows If you're not already an administrator, type "cmd" into the search bar again and then right-click "Command Prompt" and select "Run as administrator" and enter your Windows password or PC PIN when prompted. For that, you'll need to be using the command-prompt as an administrator. If so, then you'll want to check if shadow copies exist. then it means unprivileged users can read the SAM file and your system may be vulnerable. If you get a response that includes this line: BUILTIN\Users:(I)(RX) You can see if your PC is vulnerable to this flaw by checking two things.įirst, fire up the Windows command-prompt (type "cmd" into the search bar at the bottom of the screen), type this, then hit Enter: icacls c:\windows\system32\config\sam The advisory promises future "mitigations and workarounds as our investigation progresses."įor the moment, the only mitigation for this flaw that Tom's Guide is aware of is outlined below. "An attacker must have the ability to execute code on a victim system to exploit this vulnerability." An attacker could then install programs view, change, or delete data or create new accounts with full user rights," it added. "An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. "An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database," said the advisory. In the hours after we first published this story, Microsoft issued a security advisory for this flaw and issued it the catalogue number CVE-2021-36934. So crafty malware that got onto a PC via a phishing email, pirated software, or a malicious web link would be able to locate the SAM file in the shadow copy, read the user password hashes and probably have a fair chance at cracking the hashes or using them to log onto remote servers.Įven the best Windows 10 antivirus software might not be able to stop all such attacks. Even if it's using a unique file name, it's a predictable file name in a predictable location. For most PCs, that means a new shadow copy every month.Ī shadow copy isn't always that hidden. Your PC creates a shadow copy every time it installs a system update or upgrade. But Lykkegaard found that he, even as an unprivileged user, could access the backed-up version of the SAM file in the "shadow copy" that most Windows systems create.Ī shadow copy is a backup, hidden on the main drive, of a Windows system's most important files. It's not easy for any user to access the SAM file while a computer is running. So it's not good when any piece of software or any user on a Windows system can suddenly see the NTLM hashes of all the other users' passwords. The problem is that the NTLM algorithm is pretty weak, and hashes can often be "cracked," or reversed to give the original password.Įven worse, some Windows-related functions, such as accessing a networked server, let you log in using the NTLM hash rather than the password itself. As an example, the hash of "password", using Microsoft's own NTLM algorithm, is "8846F7EAEE8FB117AD06BDD830B7586C". "Hashing" passwords means running them through a one-way encryption algorithm that cannot (in theory) be reversed. The SAM file in the Windows Registry contains "hashed" versions of all the user passwords on a given Windows system, including the passwords of administrative users. See more So what's up with this Windows flaw?
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |