Exploiting Windows User Class Registry Hives: A New Vulnerability Emerging
Recent findings highlight a significant security vulnerability within the Windows operating system, capable of enabling attackers to gain de facto administrative privileges without requiring admin credentials. Will Dormann, a senior principal vulnerability analyst at Tharros Labs, explained in an interview that if an attacker can configure a system to execute their code upon the admin user’s login, they effectively bypass the necessity of administrative access.
According to Dormann, a non-administrator’s capability to modify the classes registry hive for an admin user presents a serious risk. He emphasized that skilled attackers can leverage this mechanism to execute complex actions that might not necessitate user interaction, showcasing the vulnerability’s potential for misuse.
The exploit can potentially be combined with other vulnerabilities to provide an attacker with direct entry into an administrative account. This compounding risk exacerbates security concerns for organizations that utilize the Windows operating system, underscoring the necessity for robust security measures.
An additional perspective from another cybersecurity analyst elaborates on the mechanics behind this vulnerability. When a new user logs into a Windows system, the operating system attempts to load the user’s class hive. However, since the user isn’t logged in yet, this loading occurs under the context of NT AUTHORITY\SYSTEM, allowing for the exploitation of what they have termed the “LegacyHive” framework.
Microsoft has acknowledged awareness of this vulnerability and is actively investigating the issue. They have advised that individuals discovering vulnerabilities adhere to their coordinated disclosure policy, which emphasizes collaboration in reporting and addressing security flaws.
For organizations that want to mitigate risks associated with this vulnerability, immediate protective measures are recommended. Windows users can implement a detection script developed by independent researcher Kevin Beaumont to identify potential exploitation attempts. Additional defensive strategies include restricting the creation of local non-user accounts, monitoring the ProfSvc service for anomalous hive loads, and tracking changes to NTUSER.DAT and UsrClass.dat files.
Given the nature of this vulnerability, it aligns with various tactics outlined in the MITRE ATT&CK framework, particularly those related to initial access, persistence, and privilege escalation. Business owners should recognize the implications of this vulnerability and take proactive steps to bolster their cybersecurity posture, ensuring they remain vigilant against evolving threats in the digital landscape.