A new vulnerability has been discovered in Windows 10 that allows anyone to gain administrator privileges. It stems from a permission issue on some files associated with the Windows Registry. Specifically, security researchers have shown that anyone can access the data stored in the Windows 10 Security Account Manager (SAM) file.
The SAM file contains the credentials of the users on your computer and should, of course, be off limits. However, as security researcher Jonas Lykkegaard pointed out (via Bleeping Computer), the SAM file is actually accessible to anyone. The file is always in use by Windows, so it is normally not accessible to users, and the issue might usually go unnoticed. However, this vulnerability in Windows 10 opens up a whole can of worms.
Windows backs up these files when it makes a shadow copy of the drive, and the backed-up files are not in use. They still have the same permissions, so any user on your computer can access the backed-up SAM file to see other users’ login credentials. This includes administrators, so it is easy to log in to an account with administrator privileges. In the video below, you can see an example of a user who obtained a hashed NTLM password using this permission oversight. The user can then change the password and use the new password to perform tasks that require administrator privileges.
This vulnerability was apparently introduced in Windows 10, version 1809, when Microsoft changed the registry file permissions. It still exists in Windows 10, version 20H2, but seems to occur only if you upgraded to this version. According to security analyst Will Dormann, the vulnerability does not exist after a clean install of Windows 10, version 20H2.
Therefore, the scope of this vulnerability is somewhat limited. A shadow copy of the drive must have been made in the past for an accessible SAM file to exist, and many people never make one. The PC must also have been in use for a while without a clean install. Even so, it’s a big oversight that can cause serious problems. Hopefully Microsoft will publish a fix that will be applied to existing machines in the near future. A vulnerability was also recently discovered in the Windows Print Spooler service, which makes this the second vulnerability in about a month.
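
As an added example (not from the original article or from Microsoft), the following PowerShell audits the two conditions described above: whether broad non-administrative groups have read access to the SAM file, and whether any shadow copies exist on the machine. Checking the neighbouring SYSTEM and SECURITY hive files, the choice of group SIDs, and the function name are assumptions of this example; run it from an elevated prompt.

```powershell
# Added example: read-only audit, changes nothing on the system.
# Well-known SIDs of broad, non-administrative groups (locale-independent).
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Hypothetical helper: returns one object per ACE that lets a broad group read the file.
function Test-HiveReadableByUsers {
    param([Parameter(Mandatory)][string]$Path)

    $acl   = Get-Acl -LiteralPath $Path -ErrorAction Stop
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    $read  = [int][System.Security.AccessControl.FileSystemRights]::ReadData

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and
            $broadSids.ContainsKey($sid) -and
            ([int]$rule.FileSystemRights -band $read)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $broadSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# SAM is the file the article names; SYSTEM and SECURITY are checked as an assumption.
$configDir = Join-Path $env:windir 'System32\config'
$findings  = @(foreach ($hive in 'SAM', 'SYSTEM', 'SECURITY') {
    Test-HiveReadableByUsers -Path (Join-Path $configDir $hive)
})

# Shadow copies keep the permissions the files had when the copy was made.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

$findings | Format-Table -AutoSize
[pscustomobject]@{
    HivesReadableByUsers = $findings.Count -gt 0
    ShadowCopyCount      = $shadows.Count
    BothConditionsMet    = ($findings.Count -gt 0) -and ($shadows.Count -gt 0)
}
```

Shadow copies made while the permissions were loose retain them, so a non-zero `ShadowCopyCount` deserves attention even after the live file permissions have been corrected.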