A SAM-wise Travesty And A Very Long Path
There is a pair of newly disclosed vulnerabilities to add to the nightmares of sysadmins everywhere, whether they run Windows or Linux infrastructure. In one case it is an issue with the security of system passwords, while the other is an odd way to gain escalated privileges, and sadly both are still currently exploitable.
The Windows vulnerability was discovered by a researcher looking through the current Windows 11 beta, who found that the Security Account Manager is set to allow ordinary users to read it. Even more depressing was the discovery that the same issue exists on Windows 10. The SAM is where Windows stores password hashes for both system and user accounts, and it is something you definitely don't want just anyone to be able to read. If the files can be read they can be extracted and decrypted, which gives an attacker a chance to discover everything from the password used to set up Windows to a system key that will let them decrypt any and all private keys on the system.
It is caused by the Volume Shadow Copy Service, a handy tool that Windows uses to take a snapshot of the OS without locking the entire system, and which runs just about any time you run Windows Update or an MSI installer. You can check for existing shadow copies by entering vssadmin list shadows at an elevated command prompt.
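As an added defender-side check (not code from the article or from the researcher who reported the issue), here is a small Python script that parses the output of two Windows commands, icacls on the SAM hive and vssadmin list shadows, and reports whether a non-admin principal holds read access on the hive and whether a snapshot exists from which the normally locked file could be read. The SAM path is the standard one (C:\Windows\System32\config\SAM); the sample command outputs embedded below are constructed to resemble the real ones, and the live-host function simply shells out to the same two commands.

```python
"""Added defender-side check for the readable-SAM problem described above.

Two things have to be true for the hashes to be exposed: a non-admin principal
holds read access on the SAM hive, and a shadow copy exists from which the
(normally locked) file can be read. This parses the output of `icacls` and
`vssadmin list shadows` and reports both. Sample outputs are constructed.
"""
import re
import subprocess
import sys

SAM_PATH = r"C:\Windows\System32\config\SAM"

# Principals that should never hold read access on the SAM hive.
NON_ADMIN_PRINCIPALS = (
    r"BUILTIN\Users",
    r"NT AUTHORITY\Authenticated Users",
    "Everyone",
)

# Constructed sample of `icacls C:\Windows\System32\config\SAM` on an affected host.
SAMPLE_ICACLS = r"""C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                                NT AUTHORITY\SYSTEM:(I)(F)
                                BUILTIN\Users:(I)(RX)
                                APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample of `vssadmin list shadows` with one snapshot present.
SAMPLE_VSSADMIN = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {0d5f4a6e-1c2b-4d3e-9f8a-7b6c5d4e3f2a}
   Contained 1 shadow copies at creation time: 7/20/2021 9:00:00 AM
      Shadow Copy ID: {9a8b7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c6d}
         Original Volume: (C:)\\?\Volume{1b2c3d4e-5f60-4718-8a9b-0c1d2e3f4a5b}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
"""

# Constructed sample of the same command when no snapshots exist.
SAMPLE_VSSADMIN_NONE = "vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool\n\nNo items found that satisfy the query.\n"

INHERIT_TOKENS = {"I", "OI", "CI", "IO", "NP"}   # inheritance flags, not rights
READ_TOKENS = {"F", "M", "RX", "R", "RD"}         # any of these allows reading


def grants_read(rights):
    """True if an icacls rights string such as '(I)(RX)' or '(R,W)' allows reading."""
    for token in re.findall(r"\(([^)]+)\)", rights):
        for part in token.split(","):
            part = part.strip()
            if part in INHERIT_TOKENS:
                continue
            if part in READ_TOKENS:
                return True
    return False


def non_admin_readers(icacls_output):
    """Return the non-admin principals granted read access, in icacls order."""
    readers = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if ":" not in line or not line.endswith(")"):
            continue  # header, blank or summary line
        principal, rights = line.rsplit(":", 1)
        for candidate in NON_ADMIN_PRINCIPALS:
            if principal.endswith(candidate) and grants_read(rights):
                readers.append(candidate)
    return readers


def count_shadow_copies(vssadmin_output):
    """Count 'Shadow Copy ID:' entries (English-locale output assumed)."""
    return len(re.findall(r"^\s*Shadow Copy ID:", vssadmin_output, flags=re.MULTILINE))


def assess(icacls_output, vssadmin_output):
    readers = non_admin_readers(icacls_output)
    shadows = count_shadow_copies(vssadmin_output)
    return {
        "non_admin_readers": readers,
        "shadow_copies": shadows,
        # Hashes are only reachable when both the lax ACL and a snapshot exist.
        "exposed": bool(readers) and shadows > 0,
    }


def assess_live_host():
    """Run both commands on this Windows host (vssadmin needs an elevated prompt)."""
    icacls = subprocess.run(["icacls", SAM_PATH], capture_output=True, text=True).stdout
    vss = subprocess.run(["vssadmin", "list", "shadows"], capture_output=True, text=True).stdout
    return assess(icacls, vss)


if __name__ == "__main__":
    if sys.platform == "win32":
        print(assess_live_host())
    else:
        print(assess(SAMPLE_ICACLS, SAMPLE_VSSADMIN))
```

On the constructed samples the result is exposed, because BUILTIN\Users carries (RX) on the hive and one shadow copy exists; on a host where either condition is false the check reports not exposed, which is the state to aim for while waiting on a patch.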
The Linux vulnerability was only recently discovered but is not at all new, and triggering it requires doing something a little odd. If you create, mount and then delete a directory whose full path name exceeds 1GB in total, you can then read /proc/self/mountinfo on the system and gain full system rights. The researcher describes having to create around 1 million subdirectories to hit that 1GB mark and trigger the privilege escalation. This currently works on Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation, with more distributions likely affected.
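As an added defender-side check for the Linux side (again not code from the article or the researcher), the Python below does two cheap things an administrator can act on. It reports whether unprivileged users on the host may create user namespaces, which is the usual way an unprivileged user gets to perform a mount at all (that connection is my assumption from how unprivileged mounts work, not something the article states), and it scans /proc/self/mountinfo, the file the article names, for mount points with absurdly long paths, since nothing legitimate mounts at a path anywhere near PATH_MAX, never mind 1GB. The article gives no patched kernel versions, so the script only reports the running kernel rather than judging it. The sysctl names are the real ones (kernel.unprivileged_userns_clone is a Debian/Ubuntu-specific knob, user.max_user_namespaces is upstream); the sample mountinfo content is constructed.

```python
"""Added defender-side check related to the Linux path-length bug described above.

Reports (1) whether unprivileged user-namespace creation is allowed, and
(2) any mount point in /proc/self/mountinfo whose path exceeds PATH_MAX.
The sample mountinfo text below is constructed; patched kernel versions are
not known from the article, so the kernel release is reported, not judged.
"""
import platform
from pathlib import Path

# sysctl knobs that control user-namespace creation: the first is a
# Debian/Ubuntu-specific patch knob, the second is upstream.
USERNS_SYSCTLS = {
    "kernel.unprivileged_userns_clone": Path("/proc/sys/kernel/unprivileged_userns_clone"),
    "user.max_user_namespaces": Path("/proc/sys/user/max_user_namespaces"),
}


def read_sysctls():
    """Read the knobs above from /proc/sys; a knob the kernel lacks is omitted."""
    values = {}
    for name, path in USERNS_SYSCTLS.items():
        try:
            values[name] = path.read_text().strip()
        except OSError:
            pass
    return values


def unprivileged_userns_allowed(sysctls):
    """Either knob set to 0 blocks unprivileged user-namespace creation."""
    if sysctls.get("kernel.unprivileged_userns_clone", "1").strip() == "0":
        return False
    if sysctls.get("user.max_user_namespaces", "1").strip() == "0":
        return False
    return True


# PATH_MAX on Linux: a mount point longer than this is already anomalous.
PATH_MAX = 4096


def mount_points(mountinfo_text):
    """Yield the mount point (5th field) of every /proc/self/mountinfo line.

    mountinfo escapes spaces and tabs as octal (\\040), so splitting on
    whitespace is safe; lengths are measured on the escaped form.
    """
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) >= 5:
            yield fields[4]


def oversized_mount_points(mountinfo_text, limit=PATH_MAX):
    """Return every mount point whose path is longer than `limit` characters."""
    return [mp for mp in mount_points(mountinfo_text) if len(mp) > limit]


# Constructed sample: two ordinary mounts plus one with a 5120-character mount point.
LONG_MOUNT_POINT = "/" + "/".join(["d" * 255] * 20)
SAMPLE_MOUNTINFO = "\n".join([
    "22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:14 - proc proc rw",
    "29 28 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw",
    f"45 29 0:40 / {LONG_MOUNT_POINT} rw,relatime shared:22 - tmpfs tmpfs rw",
]) + "\n"


def report(sysctls=None, mountinfo_text=None):
    """Assemble the report; arguments default to the live host's values."""
    if sysctls is None:
        sysctls = read_sysctls()
    if mountinfo_text is None:
        try:
            mountinfo_text = Path("/proc/self/mountinfo").read_text()
        except OSError:
            mountinfo_text = ""
    return {
        "kernel": platform.release(),
        "unprivileged_userns_allowed": unprivileged_userns_allowed(sysctls),
        "oversized_mount_points": oversized_mount_points(mountinfo_text),
    }


if __name__ == "__main__":
    print(report())                       # the live host
    print(report(sysctls={"user.max_user_namespaces": "0"},
                 mountinfo_text=SAMPLE_MOUNTINFO))   # the constructed sample
```

The report is deliberately conservative: an oversized mount point is a strong signal, but "unprivileged_userns_allowed: True" only means the host has not closed off the obvious path, not that it is vulnerable, and the final word is still the kernel update the article says to watch for.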
Keep an eye out for patches, hopefully more effective ones than PrintNightmare.