Two-for-Tuesday vulnerabilities send Windows and Linux users scrambling

PRIVILEGE ESCALATION —

Both OSes have flaws that allow attackers with a toehold to elevate access.


The world woke up on Tuesday to two new vulnerabilities—one in Windows and the other in Linux—that allow hackers with a toehold in a vulnerable system to bypass OS security restrictions and access sensitive resources.

As operating systems and applications become harder to hack, successful attacks typically require two or more vulnerabilities. One vulnerability allows the attacker access to low-privileged OS resources, where code can be executed or sensitive data can be read. A second vulnerability elevates that code execution or file access to OS resources reserved for password storage or other sensitive operations. The value of so-called local privilege escalation vulnerabilities, accordingly, has increased in recent years.

Breaking Windows

The Windows vulnerability came to light by accident on Monday when a researcher observed what he believed was a coding regression in a beta build of the upcoming Windows 11. The researcher found that the Security Account Manager (SAM), the registry hive that stores local user accounts and their security descriptors, could be read by users with limited system privileges.

That made it possible to extract the encrypted password hashes (and, because the SYSTEM hive is readable in the same way, the boot key needed to decrypt them), discover the original Windows installation password, obtain the computer's DPAPI (Windows Data Protection API) keys, which can be used to decrypt the machine's private keys, and obtain the computer's machine account for use in a silver ticket attack. The result is that a local user can elevate privileges all the way to SYSTEM, the highest level in Windows.

“I don’t know the full extent of the issue yet, but it’s too many to not be a problem I think,” researcher Jonas Lykkegaard noted. “Just so nobody is in doubt what this means, it’s EOP to SYSTEM for even sandboxed apps.”

yarh- for some reason on win11 the SAM file now is READ for users.
So if you have shadow volumes enabled you can read the sam file like this:

I don't know the full extent of the issue yet, but it's too many to not be a problem I think. pic.twitter.com/kl8gQ1FjFt

— Jonas L (@jonasLyk) July 19, 2021

People responding to Lykkegaard pointed out that the behavior wasn't a regression introduced in Windows 11; the same vulnerability was present in the latest version of Windows 10. The CERT Coordination Center (CERT/CC) said the over-permissive ACL is exploitable whenever a shadow copy of the system drive exists. Shadow copies are created by the Volume Shadow Copy Service (VSS), the Windows feature that lets the OS or applications take "point-in-time snapshots" of an entire volume without locking the filesystem; a non-admin who cannot open the live, locked hive files can still read the copies inside a snapshot.

The advisory explained:

If a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to achieve a number of impacts, including but not limited to:

  • Extract and leverage account password hashes
  • Discover the original Windows installation password
  • Obtain DPAPI computer keys, which can be used to decrypt all computer private keys
  • Obtain a computer machine account, which can be used in a silver ticket attack

Note that VSS shadow copies may not be available in some configurations; however, simply having a system drive that is larger than 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be automatically created. To check if a system has VSS shadow copies available, run the following command from a privileged command prompt:

    vssadmin list shadows
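The advisory's check can be extended into a script that tests both preconditions at once: whether BUILTIN\Users (SID S-1-5-32-545) is granted read access on the hive files under %windir%\System32\config, and whether a shadow copy of the system drive exists for a standard user to read those hives from. The following is an added example written for this article; it is not code from the article, from Lykkegaard, or from Microsoft, and the function names are the author's own. It runs from an elevated PowerShell prompt because shadow-copy enumeration requires administrator rights.

```powershell
# Added check for CVE-2021-36934 exposure (not from the article or from Microsoft).
# Condition 1: BUILTIN\Users can read the SAM/SECURITY/SYSTEM hive files.
# Condition 2: a VSS shadow copy of the system drive exists to read them from.
# Run elevated: Win32_ShadowCopy enumeration needs admin.

$ConfigDir = Join-Path $env:windir 'System32\config'
$Hives     = @('SAM', 'SECURITY', 'SYSTEM')
$UsersSid  = 'S-1-5-32-545'   # BUILTIN\Users, matched by SID so localized names do not matter

function Test-HiveReadableByUsers {
    # Returns $true when BUILTIN\Users has an Allow rule that includes ReadData on $Path.
    # Get-Acl reads the security descriptor, so it works on the live hive even though
    # the kernel keeps the file itself locked.
    param([Parameter(Mandatory)][string]$Path)
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {
        try {
            $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable/orphaned SIDs are not BUILTIN\Users
        if ($sid -eq $UsersSid -and
            $rule.AccessControlType -eq 'Allow' -and
            (($rule.FileSystemRights -band $readData) -eq $readData)) {
            return $true
        }
    }
    return $false
}

function Get-SystemDriveShadowCopies {
    # Returns Win32_ShadowCopy instances for the system volume. VolumeName is the
    # \\?\Volume{GUID}\ path, which matches Win32_Volume.DeviceID; DeviceObject is the
    # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN root a user would read the hive from.
    $sysVol = Get-CimInstance -ClassName Win32_Volume |
        Where-Object { $_.DriveLetter -eq $env:SystemDrive }
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $sysVol.DeviceID }
}

$weakAcl = @()
foreach ($hive in $Hives) {
    $path = Join-Path $ConfigDir $hive
    if (Test-HiveReadableByUsers -Path $path) { $weakAcl += $path }
}
$shadows = @(Get-SystemDriveShadowCopies)

Write-Host "Hives readable by BUILTIN\Users : $($weakAcl.Count) of $($Hives.Count)"
Write-Host "Shadow copies of $env:SystemDrive  : $($shadows.Count)"
foreach ($s in $shadows) { Write-Host "  $($s.InstallDate)  $($s.DeviceObject)" }

if ($weakAcl.Count -gt 0 -and $shadows.Count -gt 0) {
    Write-Warning 'Exposed: a standard user can copy the hives out of an existing shadow copy.'
    # Microsoft's published workaround for this CVE is to restore ACL inheritance on the
    # config directory and then delete existing shadow copies, since snapshots taken before
    # the ACL fix still carry the permissive ACL. Left as comments; deleting shadow copies
    # also removes System Restore points, so decide that deliberately:
    #   icacls "$env:windir\System32\config\*.*" /inheritance:e
    #   vssadmin delete shadows /for=$env:SystemDrive /Quiet
} elseif ($weakAcl.Count -gt 0) {
    Write-Warning 'ACL is permissive but no shadow copy exists yet; the next Windows Update or MSI install may create one.'
} else {
    Write-Host 'Not exposed: hive ACLs do not grant BUILTIN\Users read access.'
}
```

The script deliberately keys on the hive ACLs rather than on the Windows build, because the permissive ACL can survive upgrades and the shadow copy that makes it exploitable can appear later; rerun it after any fix is applied to confirm both the ACL and the pre-existing snapshots have been dealt with.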

Researcher Benjamin Delpy showed how the vulnerability can be exploited to obtain password hashes and other sensitive data from the hives in a shadow copy.

Currently, there is no patch available. A Microsoft representative said company officials are investigating the vulnerability and will take appropriate action as needed. Microsoft is tracking the flaw as CVE-2021-36934 and, in its advisory, rates exploitation in the wild as "more likely."

Et tu, Linux kernel?

Most Linux distributions, meanwhile, are in the process of shipping a fix for a vulnerability disclosed on Tuesday. CVE-2021-33909, as the flaw is tracked, allows an unprivileged local user to gain root by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB and then opening and reading /proc/self/mountinfo.
