#HiveNightmare aka #SeriousSAM — anybody can read the registry in Windows 10

This is the story of how all non-admin users can read the registry — and so elevate privileges and access sensitive credential information — on various flavours of Windows 10. It appears this vulnerability has existed for years, and nobody noticed. In this post I made an exploit to test it.

Press F to pay respects to MSRC (it’s not their fault)
Recently, Jonas tweeted something interesting. What Jonas didn’t realise at the time is Windows 10 also has the same behavior when System Protection aka Shadow Volumes is enabled, which should be the default in a majority of cases.

This is caused by BUILTIN\Users having read access to c:\Windows\System32\config\SAM.
It shouldn’t. That breaks a security barrier: the SAM is a sensitive registry hive, and BUILTIN\Users includes non-administrators.
That folder also holds other sensitive registry hives, for example SYSTEM and SECURITY, which BUILTIN\Users can also read.
This has since become CVE-2021-36934.
Creating an exploit
Normally you cannot access the SAM (or other registry hive files) as they’re in use. To get around this, I used CreateFile to access the device path to the VSC snapshot — used in recovery situations — in a slightly hacky way:
hFile = CreateFile(TEXT("\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SAM"), GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
The exploit is here: GossiTheDog/HiveNightmare (github.com), aka SeriousSam, an exploit allowing you to read any registry hives as non-admin.

Direct link to compiled binary: https://github.com/GossiTheDog/HiveNightmare/raw/master/Release/HiveNightmare.exe
When run, it creates a copy of the SAM, SECURITY and SYSTEM files in the working folder, accessible to the logged-in, non-admin user.

Here’s a video of how to use my exploit to reach remote code execution as SYSTEM on endpoints:

Mitigations
Microsoft have provided mitigations in their Security Update Guide (microsoft.com).
And an article on removing VSC: KB5005357 - Delete Volume Shadow Copies (microsoft.com)
Here is a PowerShell script, which can be deployed via SCCM, to fix the ACL and remove the VSC:
HiveNightmare/Mitigation.ps1 at master · GossiTheDog/HiveNightmare (github.com)
Here is a blog on how to deploy our mitigation in Microsoft Endpoint Manager: Mitigate HiveNightmare with MEM | The Collective (thecollective.eu)
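As an added, audit-only example (not the Mitigation.ps1 script from the repository above, and not Microsoft's tooling), the following PowerShell reports whether a host shows both preconditions the post describes: BUILTIN\Users holding read access on the hive files under System32\config, and at least one shadow copy existing for the exploit path to read from. It assumes it is run elevated so that Win32_ShadowCopy enumeration returns results; the ACL check itself works as a normal user.

```powershell
# Added example: report the two HiveNightmare / CVE-2021-36934 preconditions.
# Assumption: run elevated for a complete shadow copy count.

$hives = 'SAM', 'SECURITY', 'SYSTEM' |
    ForEach-Object { Join-Path $env:windir "System32\config\$_" }

function Test-HiveReadableByUsers {
    param([string]$Path)
    $acl = Get-Acl -Path $Path   # reads the DACL even though the hive is in use
    # True if any Allow ACE for BUILTIN\Users carries the ReadData right.
    # Note: ACEs expressed as generic rights show up as large negative numbers
    # and are not matched here; the vulnerable default ACE is (I)(RX).
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    })
}

function Get-ShadowCopyCount {
    # Returns -1 if enumeration fails (typically: not elevated).
    try { @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop).Count }
    catch { -1 }
}

$exposedHives = @($hives | Where-Object { Test-HiveReadableByUsers -Path $_ })
$shadowCount  = Get-ShadowCopyCount

foreach ($h in $hives) {
    '{0}: BUILTIN\Users read = {1}' -f $h, (Test-HiveReadableByUsers -Path $h)
}
"Shadow copies present: $shadowCount"

if ($exposedHives.Count -gt 0 -and $shadowCount -gt 0) {
    Write-Warning 'Exposed: hive ACL grants BUILTIN\Users read access and a shadow copy exists.'
} elseif ($exposedHives.Count -gt 0) {
    Write-Warning 'Hive ACL grants BUILTIN\Users read access; no shadow copy now, but one appears as soon as a restore point is created.'
} else {
    'Hive ACLs do not grant BUILTIN\Users read access.'
}
```

A host reporting the first warning should have the ACL corrected and existing shadow copies removed per the Microsoft guidance and Mitigation.ps1 linked above; fixing the ACL alone does not help against snapshots that already exist.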

Detection
Your EDR tools should have logic to look for SAM files being accessed; it is worth asking your EDR vendors for confirmation and detection names.
In the meantime, here are some custom detections:
Microsoft Defender for Endpoint
ThreatHunting/CVE-2021-36934-HiveNightmare-Defender.ahq at master · GossiTheDog/ThreatHunting (github.com)
M365 Defender query link
McAfee EDR block rule
ThreatHunting/CVE-2021-36934-HiveNightmare-Mcafee at master · GossiTheDog/ThreatHunting (github.com)
Azure Sentinel
ThreatHunting/CVE-2021-36934-HiveNightmare-Sentinel-Events at master · GossiTheDog/ThreatHunting (github.com)
Impacted platforms
All Windows 10 releases over the last 3 years. US-CERT date the issue as starting in 2018. Microsoft’s MSRC advisory says all Windows 10 versions since 1809.
One thing of note: when you do certain actions it creates a system recovery point (for example, installing 7-zip did on my gaming PC), which appears to play a factor.
Patching
There are no patches; it’s a zero-day.
Don’t panic
As with all things security, don’t panic. It’s just another vulnerability. There’s also still an outstanding, unpatched Print Spooler zero-day.


… and have you finished July’s patching? Really?
My take — ask your EDR vendors for detection, chill, and keep up the fight.
Also, yes, Microsoft really need to look at resourcing on MSRC and Windows OS engineering. Microsoft can’t boast about being a $10bn security company while watching their own products burn down. I mean, they can — but they shouldn’t.
