
#HiveNightmare aka #SeriousSAM — anybody can read the registry in Windows 10

Submitted by
Style Pass
2021-07-24 11:00:08

This is the story of how all non-admin users can read the registry — and so elevate privileges and access sensitive credential information — on various flavours of Windows 10. It appears this vulnerability has existed for years, and nobody noticed. In this post I made an exploit to test it.

Recently, Jonas tweeted something interesting. What Jonas didn’t realise at the time is that Windows 10 also has the same behaviour when System Protection aka Shadow Volumes is enabled, which should be the default in a majority of cases.

It shouldn’t. That breaks a security barrier, as the SAM is a sensitive registry hive, and BUILTIN\Users include non-administrators.

Normally you cannot access the SAM (or other registry hive files) as they’re in use. To get around this, I used CreateFile to access the device path to the VSC snapshot — used in recovery situations — in a slightly hacky way:

#include <windows.h>

HANDLE hFile;
// Open the SAM hive inside the first VSS snapshot by its device path: the live file is locked, the snapshot copy is not.
hFile = CreateFile(TEXT("\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SAM"), GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
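The two conditions the post relies on, a BUILTIN\Users read ACE on the hive files plus an existing shadow copy, can be checked from a standard user session. This is an added read-only check script, not code from the original post; it assumes the default hive location under %windir%\System32\config.

```powershell
# Added example, not from the original post: report whether BUILTIN\Users holds
# read access on the on-disk registry hive files and whether any VSS snapshot
# exists from which those files could be opened. Read-only; it changes nothing.
$hiveDir = Join-Path $env:windir 'System32\config'
$hives   = 'SAM', 'SECURITY', 'SYSTEM' | ForEach-Object { Join-Path $hiveDir $_ }

$exposed = @()
foreach ($hive in $hives) {
    $acl = Get-Acl -Path $hive
    # Any Allow ACE for BUILTIN\Users that grants ReadData is the condition the post describes.
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band [int][System.Security.AccessControl.FileSystemRights]::ReadData)
    }
    if ($ace) {
        $exposed += $hive
        Write-Output ("EXPOSED  {0}  ({1}, inherited={2})" -f $hive, $ace.FileSystemRights, $ace.IsInherited)
    } else {
        Write-Output ("ok       {0}" -f $hive)
    }
}

# The hive files are locked while Windows runs, so the readable ACL only matters
# if a shadow copy exists that can be opened by device path, as in the post.
# Note: enumerating Win32_ShadowCopy may need admin rights; an empty result as a
# standard user does not prove that no snapshot exists.
$snapshots = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if ($snapshots) {
    Write-Output ("{0} shadow copy(ies) present:" -f @($snapshots).Count)
    $snapshots | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize
} else {
    Write-Output 'No shadow copies found (or not visible to this account).'
}

if ($exposed -and $snapshots) {
    Write-Output 'Non-admin users can read a copy of these hives via the snapshot device path.'
}
```

If both conditions are reported, remediation consists of restoring the restrictive ACL on the config directory (for example `icacls $env:windir\System32\config\*.* /inheritance:e`) and deleting the shadow copies that were created while the hives were readable, since those snapshots keep the old ACL.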
