While Microsoft is only just beginning to see the end of the tunnel with PrintNightmare, a new zero-day flaw in Windows, discovered this week, is proving another thorn in Microsoft's side.
Dubbed SeriousSAM, the vulnerability was reported on Twitter by security researcher Jonas Lykkegaard. Microsoft has assigned it CVE-2021-36934 and describes it as an "elevation of privilege due to overly permissive access control lists (ACLs) on multiple system files, including the Security Account Manager (SAM) database. An attacker who successfully exploited this vulnerability could execute arbitrary code with SYSTEM privileges. An attacker could then install programs; view, modify or delete data; or create new accounts with full user rights." It is therefore a local elevation of privilege: an attacker who already has a low-privileged account on the device can use it to run code with elevated privileges on the machine. Both Windows 10 and Windows 11 are affected.
Not everyone is SAM
As Benjamin Delpy, the creator of Mimikatz, explains, the flaw stems from a change Microsoft introduced in an earlier update which, among other things, opens up access to the password hashes stored on the machine, the "fingerprints" produced by passing each password through a cryptographic hash function: "Some Windows files contain the hashes of the passwords of the system's various users and other essential security information. In theory, only an administrator account can access this information. But following an update, it was discovered that low-privileged users could access this information, at least in read mode."
In practice, however, access to the file is blocked by the operating system, which keeps the SAM (Security Account Manager) open at all times and denies other users access to it. But a workaround was found using the "Shadow Copies" mechanism, a technology present since Windows XP that allows snapshots of the running system to be taken at regular intervals. "The workaround is that we do not try to access the current database, only the information stored in one of these shadow copies of the system, and in that case the system does not block access to this information."
By recovering the password hashes held on the system, a low-privileged user can then reuse them in "pass the hash" type attacks, authenticating as those accounts without knowing the cleartext passwords, which allows, for example, the administrator's password to be reset and hence the device to be taken over. Microsoft does not currently offer a patch for this bug, but proposes two actions to mitigate the problem: a command to restrict access to the Security Account Manager, and the removal of existing shadow copies. "It's very important to do both: changing the rights ensures that future shadow copies will not give access to the password hashes, and removing the old ones ensures that an attacker cannot use old copies to get at the password hashes," explains Benjamin Delpy.
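The two checks a practitioner wants here, an ACL check on the hive files and a read attempt on the hives inside each shadow copy, together with the two workaround commands Microsoft published for CVE-2021-36934, as an added PowerShell example that is not part of the article, of Delpy's or Lykkegaard's tooling, or of Microsoft's advisory text. It assumes Windows 10/11 with PowerShell 5.1 or later on .NET 4.6.2+ (so that `\\?\` paths are accepted by `System.IO`), that shadow copy device names follow the usual `HarddiskVolumeShadowCopyN` pattern, and that probing the first 20 indices is enough; the `-Fix` switch and `$MaxShadowIndex` parameter are this example's own. The read probe only opens and closes the file; nothing is copied or parsed.

```powershell
# Added example (not from the article, the researchers or Microsoft): report whether this
# host is exposed to CVE-2021-36934 and, with -Fix, apply Microsoft's two workaround steps.
# Run the checks as an ordinary user to see what that user can read; -Fix needs elevation.
[CmdletBinding()]
param(
    [switch]$Fix,                 # apply the workaround instead of only reporting
    [int]$MaxShadowIndex = 20     # how many HarddiskVolumeShadowCopyN names to probe (assumption)
)

$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SYSTEM', 'SECURITY'

function Test-UsersCanRead {
    # True when the ACL of $Path grants BUILTIN\Users an Allow ACE that includes ReadData.
    # On affected builds the hives show up as BUILTIN\Users:(I)(RX), i.e. ReadAndExecute.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $hasReadData = (([int]$ace.FileSystemRights) -band
                        [int][System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
        if ($ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $ace.AccessControlType -eq 'Allow' -and $hasReadData) {
            return $true
        }
    }
    return $false
}

function Test-ShadowHiveReadable {
    # Try to open $Hive inside each shadow copy for read, as the current user.
    # Returns the shadow paths that opened successfully; a missing device or an
    # access-denied error both mean "not exposed through this copy".
    param([string]$Hive, [int]$Max)
    $readable = @()
    for ($i = 1; $i -le $Max; $i++) {
        $p = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$i\Windows\System32\config\$Hive"
        try {
            $fs = [System.IO.File]::Open($p, 'Open', 'Read', 'ReadWrite')
            $fs.Dispose()
            $readable += $p
        } catch {
            # not present or not readable: nothing to report for this index
        }
    }
    return $readable
}

Write-Host "== ACL check on $configDir =="
foreach ($h in $hives) {
    $f = Join-Path $configDir $h
    if (Test-UsersCanRead -Path $f) { Write-Warning "$f : BUILTIN\Users has read access" }
    else                            { Write-Host    "$f : OK" }
}

Write-Host "== Shadow copy check (running as $env:USERNAME) =="
$exposed = Test-ShadowHiveReadable -Hive 'SAM' -Max $MaxShadowIndex
if ($exposed) { $exposed | ForEach-Object { Write-Warning "SAM readable at $_" } }
else          { Write-Host "no readable SAM found in shadow copies 1..$MaxShadowIndex (or none exist)" }

if ($Fix) {
    $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
               ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw '-Fix requires an elevated PowerShell session' }

    # Step 1 of Microsoft's workaround: re-enable ACL inheritance on the hive files so they
    # take the restrictive ACL of the config directory again. Shadow copies created from
    # now on carry the corrected ACL.
    icacls "$configDir\*.*" /inheritance:e

    # Step 2: delete the shadow copies that still contain the world-readable hives.
    # Caveat: this also discards the System Restore points backed by those copies, so
    # create a fresh restore point afterwards if you rely on them.
    vssadmin delete shadows "/for=$($env:SystemDrive)" /Quiet
}
```

Run it once unprivileged to see the exposure from an ordinary user's point of view, then again elevated with `-Fix`. Both steps matter for the reason Delpy gives: the `icacls` change alone leaves every existing snapshot readable, and deleting snapshots alone leaves the next snapshot just as exposed.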
This is not exactly a first: as Jonas Lykkegaard explains, an update opening up access to the Security Account Manager has happened several times in the past. Nor is it the researcher's first attempt; he has already reported several similar errors to Microsoft. But according to him, the bounties Microsoft pays for his reports are far too low to justify going through the traditional vulnerability disclosure process: "I would not call that coordinated disclosure. I just report the problem on Twitter. If I wanted to know the extent of the problem, I would have to set up a server and virtual machines, and that would end up costing me more than Microsoft agrees to pay as a bounty. And I don't intend to do Microsoft's job for it."
PrintNightmare gains persistence
In parallel with this new vulnerability, Microsoft's troubles with the PrintNightmare flaw continue. Although Microsoft has shipped several corrective patches, security researchers keep finding variants that exploit the flaw on systems that have installed the latest updates Microsoft released.
The latest version was published by Benjamin Delpy and is still based on broadly the same principle: "It is always the same mechanism, which consists in executing a library with high privileges by relying on the mechanism for adding a printer or printer drivers in the print spooler," explains Benjamin Delpy. A first version of the attack was released on Sunday, and the researcher has since identified new variants. In the latest version of the exploit, the attack makes it possible to obtain persistence on the machine, that is, the malicious code is not erased from the machine and runs automatically at restart. "This is the holy grail of malware: it ensures that the arbitrary code executed is copied by the print spooler, therefore legitimately, to a location where it persists after the system restarts," explains the researcher.
Microsoft has not confirmed the effectiveness of this new variant, but has assigned a new CVE identifier to another flaw affecting the print spooler, the description of which looks very similar to the one Benjamin Delpy discovered. Its discovery is nevertheless credited to another researcher, who said he did not consider it a variant of PrintNightmare and that details of the vulnerability would be revealed in a talk at the DEF CON conference. He also said that Microsoft had not warned him before publicly assigning the CVE.
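Since the persistence Delpy describes rides on a driver the spooler installs and then reloads at every boot, the place to hunt for it is the set of installed printer drivers and the binaries they point at. The following PowerShell hunt is an added example, not code from the article or from Delpy's exploit: it lists every printer driver with the files the spooler loads for it and flags executables that are not signed by Microsoft or that were written recently. It assumes the PrintManagement module is available (Windows 8 / Server 2012 and later), that a 7-day window is a sensible "recent" threshold for the host, and that a Microsoft-signed file is not the persisted payload; the `$RecentDays` parameter and the function names are this example's own. The final check reads the `RestrictDriverInstallationToAdministrators` policy value that Microsoft documented in KB5005010 as the PrintNightmare hardening setting; the article itself does not mention it.

```powershell
# Added example (not from the article or from the exploit): hunt for printer-driver
# persistence by inspecting what the print spooler will load for each installed driver.
[CmdletBinding()]
param([int]$RecentDays = 7)   # "recent" threshold; assumption, tune per host

$cutoff = (Get-Date).AddDays(-$RecentDays)

function Get-DriverFindings {
    # Returns one object per suspicious driver file: an executable that is not
    # Microsoft-signed, or any file modified within the window.
    $findings = @()
    foreach ($drv in Get-PrinterDriver) {
        $files = @($drv.DriverPath, $drv.ConfigFile, $drv.DataFile) + @($drv.DependentFiles)
        foreach ($f in $files | Where-Object { $_ -and (Test-Path -LiteralPath $_) }) {
            $item   = Get-Item -LiteralPath $f
            $recent = $item.LastWriteTime -gt $cutoff
            $isExe  = $item.Extension -in '.dll', '.exe', '.sys'
            $signer = ''
            $status = 'NotChecked'
            $unsigned = $false
            if ($isExe) {
                # Only PE files carry Authenticode; .gpd/.ppd data files are plain text.
                $sig    = Get-AuthenticodeSignature -LiteralPath $f
                $status = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                $unsigned = -not ($status -eq 'Valid' -and $signer -like '*Microsoft*')
            }
            if ($recent -or $unsigned) {
                $findings += [pscustomobject]@{
                    Driver    = $drv.Name
                    File      = $f
                    Signature = $status
                    Signer    = $signer
                    LastWrite = $item.LastWriteTime
                    Reason    = @(if ($unsigned) { 'not Microsoft-signed' }; if ($recent) { 'recently written' }) -join ', '
                }
            }
        }
    }
    return $findings
}

function Get-PointAndPrintPolicy {
    # KB5005010 hardening: 1 means only administrators may install printer drivers.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $v = Get-ItemProperty -Path $key -Name RestrictDriverInstallationToAdministrators -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'not set (defaults apply)' }
    return $v.RestrictDriverInstallationToAdministrators
}

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
Write-Host "Spooler service: $($spooler.Status) ($($spooler.StartType))"
Write-Host "RestrictDriverInstallationToAdministrators: $(Get-PointAndPrintPolicy)"

$hits = Get-DriverFindings
if ($hits) { $hits | Format-Table -AutoSize }
else       { Write-Host "no unsigned or recently written driver files found in the last $RecentDays days" }
```

A driver whose DLL is unsigned, signed by an unexpected publisher, or written minutes before an unexplained spooler driver-add event is the artifact to pull for analysis; a freshly patched host that still shows such a file has the "copied legitimately by the spooler" persistence the quote describes and needs the driver removed, not just the patch applied.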