Monday, July 26, 2021

Windows Elevation of Privilege Vulnerability


Overview

An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Test for Vulnerability

To check if your Windows 10 or Windows 11 installation is affected, you can open a command prompt and enter the following command:
icacls c:\windows\system32\config\sam
If the output displays the following permission, your Windows installation is affected by the vulnerability.
BUILTIN\Users:(I)(RX)

Workaround

Restrict access to the contents of %windir%\system32\config

Windows PowerShell (Run as administrator):

icacls $env:windir\system32\config\*.* /inheritance:e

How can I delete Volume Shadow Copies?

To delete all shadow copies of the system drive, run the following command:

 vssadmin delete shadows /for=%systemdrive% /Quiet

To confirm that all shadow copies were deleted, you may run this command again: 

 vssadmin list shadows /for=%systemdrive%

If there are no shadow copies on your system drive, you will receive output that says:

vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.
No items found that satisfy the query.

Create a Restore Point
Since all restore points have been erased, you may wish to create a new restore point after you have fixed the vulnerability.

Attributions

2 comments: