├── Readme.md
└── SAM_Permissions
    ├── readme.md
    └── SAM_Permissions_Check.ps1

/Readme.md:
--------------------------------------------------------------------------------
# Guidance & Advice

This is the JUMPSEC Labs repo for guidance, advice, scripts, and tips for new threats and vulnerabilities.

You can [follow us on Twitter](https://twitter.com/JumpsecLabs?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor) for the freshest content and the worst hot takes!

## Guidance
* 2021 July 20th: [SAM file could be read by any user, due to a permissions error](SAM_Permissions/readme.md)
* 2021 July 12th: [PrintNightmare, which involved the Print Spooler being abused for RCE and PrivEsc](https://github.com/JumpsecLabs/PrintNightmare)

--------------------------------------------------------------------------------
/SAM_Permissions/readme.md:
--------------------------------------------------------------------------------
# SAM bad read permissions

Recently, [some](https://twitter.com/jonasLyk/status/1417205166172950531) [Tweets](https://twitter.com/jeffmcjunkin/status/1417281315016122372) seemed to evidence that a number of Windows machines had badly set permissions that allowed any user to read the *SAM file*.

###### UPDATE
This all applies to the SECURITY and SYSTEM files too, meaning an adversary with mimikatz and a shell in your internal network can trivially privesc AND steal credentials.

Our original script scanned only the SAM file and confirmed whether or not it was vulnerable to the permissions mistake. We have put together an [additional script](#Wider-permissions-check) that will scan all three files. This is overkill, as permissions for the SAM file are likely the same for the SYSTEM and SECURITY files too, but it's still nice to have the script confirm this.

## Why is this bad?

The SAM file should definitely NOT be readable by every user.
This file can be abused by adversaries to facilitate privilege escalation and password theft from users on a machine. The SAM hive holds the local account password hashes, the SYSTEM hive holds the boot key needed to decrypt them, and the SECURITY hive holds LSA secrets and cached domain credentials, so readable copies of all three let an adversary recover credentials offline.

You can read more about [the dangerous details behind this misconfiguration](https://www.kb.cert.org/vuls/id/506989).

## How can I check if I am vulnerable?

Great question! We wrote a [short script](SAM_Permissions_Check.ps1) that will confirm or deny whether your SAM, SECURITY, and SYSTEM files have bad permissions, and therefore whether your machine is vulnerable to this potential privesc.

Please run the [script](SAM_Permissions_Check.ps1) as Admin.

### Usage
You can pull the script via `Invoke-WebRequest`, or just copy and paste it if your environment doesn't allow scripts to be pulled from the internet.
```powershell
Invoke-WebRequest -Uri https://raw.githubusercontent.com/JumpsecLabs/Guidance-Advice/main/SAM_Permissions/SAM_Permissions_Check.ps1 -OutFile .\SAM_Permissions_Check.ps1 -UseBasicParsing
```

And execute as Admin.
```powershell
.\SAM_Permissions_Check.ps1

# If you get execution policy or mark-of-the-web errors, try:
Unblock-File -Path C:\path\to\SAM_Permissions_Check.ps1
powershell -ExecutionPolicy Bypass -File .\SAM_Permissions_Check.ps1
```
If the machine is vulnerable, expect the RED warning text; if the machine isn't vulnerable, expect the GREEN text.

![vuln](https://user-images.githubusercontent.com/44196051/126726994-3d004065-9f7a-449f-bbcb-f1dd6ac02241.png)

![safe](https://user-images.githubusercontent.com/44196051/126726996-6cba88a8-a08a-4837-ad90-2a88cd3cf934.png)

##### Optional extra if you're vulnerable
If the machine is vulnerable, the script offers to collect OS version and build details, to contribute to the data gathering that is occurring on Twitter and elsewhere.
This aims to understand exactly which OS versions are affected.

![OS](https://user-images.githubusercontent.com/44196051/126727076-9aa48ae4-f227-4049-81de-7415d3e9e6b4.png)


### One-liner alternative
If you just want a one-liner to chuck into a tool like Velociraptor then you can use this:
```powershell
$ErrorActionPreference = "SilentlyContinue"
if ((Get-Acl C:\Windows\System32\config\SAM).Access |
    Where-Object IdentityReference -match 'BUILTIN\\Users' |
    Select-Object -ExpandProperty FileSystemRights |
    Select-String 'Read') {
    Write-Host "May be vulnerable: Arbitrary Read permissions for SAM file"
} else {
    Write-Host "Does not seem to be vulnerable, SAM permissions are fine"
}
```
Note that this matches the English group name `BUILTIN\Users` and any rights string containing `Read` (including `ReadAndExecute`), so it will report "not vulnerable" on localised Windows builds where the group name is translated; treat it as a triage signal rather than proof.

![image](https://user-images.githubusercontent.com/49488209/126365217-d0915956-d1c1-4223-9521-2e82e6290e3d.png)

### Defences
The latest workaround from [Microsoft can be found here](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934). There are two portions to this workaround:
* Change file permissions - Easy
* Remediate Volume Shadow Copy Service (VSS) - Complicated

###### Change file permissions
This can be done with the following command, which re-enables ACL inheritance on the hive files so they take the permissions of the `config` directory again. It does not appear to have a negative impact on the OS:
```cmd
icacls %windir%\system32\config\*.* /inheritance:e
```
###### Remediate VSS
Fixing the ACL only protects the live files: any shadow copy taken while the permissions were wrong still holds readable copies of the hives, so those shadow copies have to be deleted as well. Changing this may present complications for your backup solutions. Please test this option on a control machine before attempting it domain wide.
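Putting the check and both workaround steps together, the following PowerShell is an added example and is not code from the JUMPSEC repo or from Microsoft. It matches the hive ACLs on well-known SIDs rather than the English group name, tests the `ReadData` bit rather than the substring `Read`, counts existing shadow copies (the copy an attacker actually reads, since the live hives are locked), and with `-Remediate` runs the two steps of the Microsoft workaround (`icacls ... /inheritance:e`, then `vssadmin delete shadows`). The function name `Test-HiveNightmare`, its parameters, and the list of low-privilege SIDs are my own choices.

```powershell
# Added example, not part of the JUMPSEC repo. Function and parameter names,
# and the list of low-privilege SIDs, are my own choices. Run elevated.
function Test-HiveNightmare {
    [CmdletBinding()]
    param(
        # Hive files under %windir%\System32\config to inspect
        [string[]]$Hive = @('SAM', 'SECURITY', 'SYSTEM'),
        # Apply Microsoft's workaround, then re-run the check
        [switch]$Remediate
    )

    $configDir = Join-Path $env:windir 'System32\config'

    # Well-known SIDs of principals every interactive user belongs to. Matching
    # SIDs rather than the string 'BUILTIN\Users' keeps the check working on
    # localised Windows builds, where the group name is translated.
    $lowPrivSids = @{
        'S-1-5-32-545' = 'BUILTIN\Users'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-1-0'      = 'Everyone'
    }
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

    $hiveReport = foreach ($h in $Hive) {
        $path = Join-Path $configDir $h
        $acl  = Get-Acl -LiteralPath $path
        # Ask for the rules with SID identities so no name translation is needed.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        # Only an 'Allow' ACE carrying the ReadData bit lets a user copy the hive;
        # testing that bit avoids the substring match on 'Read' used by the one-liner.
        $badRules = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $readData) -ne 0) -and
            $lowPrivSids.ContainsKey($_.IdentityReference.Value)
        })
        [pscustomobject]@{
            Hive                = $h
            LowPrivReadAllowed  = ($badRules.Count -gt 0)
            GrantedTo           = (($badRules | ForEach-Object { $lowPrivSids[$_.IdentityReference.Value] }) -join ', ')
            InheritanceDisabled = $acl.AreAccessRulesProtected
        }
    }

    # The live hives are locked by the kernel, so the practical attack copies them
    # out of a Volume Shadow Copy. An existing shadow copy is therefore the second
    # half of the exposure, and is what the VSS part of the workaround removes.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

    $report = [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        AclMisconfigured = [bool]($hiveReport | Where-Object LowPrivReadAllowed)
        ShadowCopies     = $shadows.Count
        Hives            = $hiveReport
    }

    if ($Remediate -and $report.AclMisconfigured) {
        # Step 1 of the Microsoft workaround: re-enable inheritance so the hive
        # files take the ACL of the config directory, which grants Users nothing.
        & icacls "$configDir\*.*" /inheritance:e | Out-Null
        # Step 2: delete shadow copies made while the ACL was wrong. This also
        # removes System Restore points and may disturb backup products, so test
        # on a control machine before doing it domain-wide.
        $drive = (Get-Item -LiteralPath $env:windir).PSDrive.Name + ':'
        & vssadmin delete shadows "/for=$drive" /quiet | Out-Null
        # Re-run the check (without -Remediate) to confirm the fix took
        return Test-HiveNightmare -Hive $Hive
    }
    return $report
}

# Usage, from an elevated prompt:
#   Test-HiveNightmare | Format-List
#   (Test-HiveNightmare).Hives | Format-Table
#   Test-HiveNightmare -Remediate
```

`AclMisconfigured` alone means a future shadow copy (a restore point, a Windows Update) would expose the hives; `AclMisconfigured` together with a non-zero `ShadowCopies` count means they are exposed right now. The remediation branch deliberately does nothing when the ACL is already correct, so it is safe to run across a fleet.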

[TrueSec](https://blog.truesec.com/2021/07/20/hivenightmare-a-k-a-serioussam-local-privilege-escalation-in-windows/) have good guidance on manipulating VSS for defence.

--------------------------------------------------------------------------------
/SAM_Permissions/SAM_Permissions_Check.ps1:
--------------------------------------------------------------------------------
<#
Meta
Date: 2021 July 20th; Updated: 2021 July 23rd
Authors: Tom Ellson (@tde_sec) & Dray Agha (@Purp1eW0lf)
Company: JUMPSEC Labs
Purpose: CVE-2021-36934 Confirmation
#>

# Setup
# Ensure errors don't ruin anything for us
$ErrorActionPreference = "SilentlyContinue"
# Collect FQDN variable
$Name = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName

# Functions

# Ask the vulnerable user whether they want to collect their OS details
function OS_Question {
    # Sleep so the user doesn't get overwhelmed with text
    Start-Sleep -Milliseconds 1500

    Write-Host "`nThe information security community is keen to gather the specific Windows OS versions and builds that this permission misconfiguration has occurred in"
    Write-Host "`nWould you like to gather the specific details of your OS to possibly share on Twitter?"
    Write-Host "`n[1] " -ForegroundColor Magenta -NoNewline; Write-Host "Collect OS details"
    Write-Host "[2] " -ForegroundColor Magenta -NoNewline; Write-Host "Quit Script`n"
    $question = Read-Host " "

    # Essentially an if/else
    switch ($question) {
        1 { OS_Collection }
        2 { Write-Host "`nWe have remediation advice back in the Github Repo! Follow us on Twitter: Tom Ellson (@tde_sec) & Dray Agha (@Purp1eW0lf)`n"; exit }
    }
}

# Collect OS details
function OS_Collection {
    Write-Host -ForegroundColor Magenta "`nRunning OS Collection.......`n"

    # Variables for OS version. Get-ComputerInfo takes a while to run
    $SysInfo = Get-ComputerInfo
    $OS    = $SysInfo.OsName
    $Ver   = $SysInfo.WindowsVersion
    $Build = $SysInfo.OsBuildNumber

    # Demarcate OS Info section
    Write-Host "`n---OS Info---"

    # Print variables for OS version. Split across several calls to get the colours
    Write-Host -ForegroundColor Magenta "`n$Name " -NoNewline
    Write-Host "is running " -NoNewline
    Write-Host -ForegroundColor Magenta "$OS " -NoNewline
    Write-Host "version number " -NoNewline
    Write-Host -ForegroundColor Magenta "$Ver " -NoNewline
    Write-Host "and build number " -NoNewline
    Write-Host -ForegroundColor Magenta "$Build " -NoNewline
    Write-Host "and is vulnerable to " -NoNewline
    Write-Host -ForegroundColor Magenta "CVE-2021-36934`n" -NoNewline
    Start-Sleep -Milliseconds 1500
    Write-Host "`nWe have remediation advice back in the Github Repo! Follow us on Twitter: Tom Ellson (@tde_sec) & Dray Agha (@Purp1eW0lf)`n"; exit
}

# 'Grep' for the vulnerable strings in the permissions of SAM, SECURITY, and SYSTEM in a loop
function vulnerable_perm {
    ### Determine if SAM, SECURITY, and SYSTEM are vulnerable ###

    # Demarcate results section
    Write-Host "`n---Vulnerability Results---"

    # Loop to collect permissions for SAM, SECURITY, and SYSTEM. Likely overkill, as the permissions for one are likely the permissions for all.
    # The logic filters the ACL of each hive file down to the BUILTIN\Users entries and alerts as 'vuln' if the rights string contains 'Read'.
    # If the script cannot read the permissions, or gets a different rights string, it reports 'not vuln', which should be accurate but explore this further.
    $items = @("SAM", "SECURITY", "SYSTEM")
    foreach ($item in $items) {
        if ((Get-Acl C:\Windows\System32\config\$item).Access |
            Where-Object IdentityReference -match 'BUILTIN\\Users' |
            Select-Object -ExpandProperty FileSystemRights |
            Select-String 'Read') {
            Write-Host -ForegroundColor Red "`n$Name may be vulnerable: Arbitrary Read permissions for $item file`n"
        }
        else {
            Write-Host -ForegroundColor Green "`n$Name does not seem to be vulnerable, $item permissions are fine`n"
        }
    }

    # Re-check SAM on its own to decide whether to offer the OS collection
    if ((Get-Acl C:\Windows\System32\config\SAM).Access | Where-Object IdentityReference -match 'BUILTIN\\Users' | Select-Object -ExpandProperty FileSystemRights | Select-String 'Read') {
        OS_Question
    }
    else {
        Write-Host "`nGlad you're safe. Follow us on Twitter: Tom Ellson (@tde_sec) & Dray Agha (@Purp1eW0lf)`n"; exit
    }
}

# Where the first and main part of the script is executed
function main {
    # Print basic script info
    Write-Host "`nThis script will confirm if the machine is vulnerable to " -NoNewline
    Write-Host -ForegroundColor Magenta "CVE-2021-36934"
    Write-Host "Where the SAM, SECURITY, and SYSTEM files can be read by any user due to a permissions misconfiguration`n"
    Start-Sleep -Milliseconds 1500
    # Determine vulnerability
    vulnerable_perm
}

# Execute the first function, which triggers all the others
main
--------------------------------------------------------------------------------