Wrong Windows file permissions allow admin privilege escalation

The CERT Coordination Center (CERT-CC) is warning that, starting with Windows 10 version 1809, non-administrative users are granted read and execute permissions on the Registry hive files, which allows for easy local privilege escalation.

Non-privileged Windows users can read the SYSTEM, SECURITY and Security Account Manager (SAM) hives, which contain credential material that can be used for account impersonation, CERT-CC said.

The live hive files are held open by the kernel while Windows is running, but copies of them can be read from the Volume Shadow Copies that Windows keeps for System Restore, researcher Jonas Lykkegard found.

With that data in hand, a locally authenticated attacker, even one running inside a sandboxed (fenced off) application, can elevate to SYSTEM privileges.

CERT-CC said access to the hives can be used to extract account password hashes and to discover the original Windows installation password.

It is also possible to obtain the Data Protection Application Programming Interface (DPAPI) computer keys, which in turn can be used to decrypt all computer private keys, among other attack scenarios.

As a workaround, CERT-CC suggests that administrators use the Windows icacls command to remove the low-privileged Users group's read access to the SAM, SECURITY and SYSTEM files.

Because existing volume shadow copies still contain backed-up hives with the permissive access control entries, administrators should also delete them using the vssadmin command; a fresh restore point can be created afterwards if System Restore is relied upon.
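The following PowerShell script is an added example, not code from the CERT-CC note or from the article, that audits a host for the permission problem described above and, with `-Fix`, applies the two workarounds. It assumes the hives live under `%windir%\System32\config`, that the over-privileged principal is `BUILTIN\Users`, and that the ACL is repaired by restoring inheritance with `icacls /inheritance:e` (the `/remove:g "Users"` form strips the entry outright instead); both are standard icacls switches. Run it from an elevated PowerShell 5.1 prompt.

```powershell
# Added example: audit Windows 10 hive-file ACLs and existing shadow copies,
# then optionally apply the workarounds. Assumptions are marked in comments.
param(
    [switch]$Fix   # without -Fix the script only reports
)

# Assumption: default hive location under %windir%\System32\config
$hives = 'SAM', 'SECURITY', 'SYSTEM' | ForEach-Object {
    Join-Path $env:windir "System32\config\$_"
}

function Test-HiveExposed {
    param([string]$Path)
    # Get-Acl only reads the security descriptor, so it works even though the
    # live hive is locked by the kernel. The vulnerable state is an Allow ACE
    # for BUILTIN\Users that grants ReadData (icacls shows it as (I)(RX)).
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $ace.FileSystemRights.HasFlag(
                [System.Security.AccessControl.FileSystemRights]::ReadData)) {
            return $true
        }
    }
    return $false
}

$exposed = @()
foreach ($h in $hives) {
    if (Test-HiveExposed -Path $h) {
        Write-Warning "$h is readable by BUILTIN\Users"
        $exposed += $h
    } else {
        Write-Host "$h : OK"
    }
}

# Shadow copies carry the ACLs from the moment they were taken, so they stay
# readable even after the live files are fixed and must be handled separately.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
Write-Host "Shadow copies present: $($shadows.Count)"

if (-not $Fix) { return }

if ($exposed) {
    # Re-enable inheritance so the hives pick up the parent directory's ACL,
    # which does not grant Users read access (equivalent in effect to the
    # "remove the Users group" workaround described in the text).
    & icacls "$env:windir\System32\config\*.*" /inheritance:e
}

if ($shadows) {
    # Delete every shadow copy of the system volume. Create a new restore
    # point afterwards if System Restore is relied upon.
    & vssadmin delete shadows /for=$env:SystemDrive /all /quiet
}
```

Run `.\Check-HiveAcl.ps1` (any file name will do) to report only; run it with `-Fix` to apply the changes. Reporting alone is enough to confirm whether a machine is affected, since the ACL on the live file is what gets copied into each shadow copy.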