September 25, 2021

Malware Protection

Dedicated Forum to help removing adware, malware, spyware, ransomware, trojans, viruses and more!

Security – New Windows CONFIG vulnerability July 2021

Patching & mitigation workarounds for this newly discovered security weakness should be carefully watched in case zero day attacks emerge

VU#506989 – Microsoft Windows gives unprivileged user access to system32config files (cert.org)

With multiple versions of Windows, the BUILTINUsers group is given RX permissions to files in the %windir%system32config directory.

If a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to achieve a number of impacts, including but not limited to:

    • Extract and leverage account password hashes.
    • Discover the original Windows installation password.
    • Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.
    • Obtain a computer machine account, which can be used in a silver ticket attack.

Note that VSS shadow copies may not be available in some configurations, however simply having a system drive that is larger that 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be automatically created. To check if a system has VSS shadow copies available, run the following command from a privileged command prompt: