What happens when Microsoft accidentally gives BUILTIN\Users the ability to read the Windows 10 SAM:
Mimikatz lsadump::sam as a non-admin user, for example.
Some installs off of very-recent ISO builds are not vulnerable. But assume you are vulnerable until you prove otherwise. Image
What makes things tricky here is now where you are, but how you got there. e.g.
Windows 10 20H2 RTM install: VULNERABLE
Windows 10 20H2 RTM install + Windows Update: VULNERABLE
20H2 November install - NOT VULNERABLE
Do you remember which install media you used to get Windows 10? ImageImageImage
But wait... 21H1 came out after 20H2 November update, right?
Both the 21H1 RTM install and the 21H1 June-update install are both vulnerable.
There may be some non-vulnerable Win10 installs out there, but I fail to find logic behind it.
Maybe it's accidentally fixed in some cases? ImageImage
I don't predict myself making a flowchart to give you an answer to whether or not you're vulnerable, as there seem to be too many variables.
Just check for yourself to be sure!
I've published VU#506989 on this issue:

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Will Dormann

Will Dormann Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @wdormann

7 Jul
Microsoft had a call for #PrintNightmare where they repeatedly said "Disable Point and Print"
without actually saying how one would do so.
I cannot find evidence that "Point and Print" itself is a thing that can be disabled.
MS seems to really want someone to hold their beer!
Is "Disable Point and Print" a thing that people can do? And if so, how?
Otherwise, I'll attribute this all to an unfortunate game of telephone.
More along the lines of Microsoft confusion:
"NoWarningNoElevationOnUpdate" isn't a term that existed until Microsoft published their CVE-2021-34527 advisory on July 6.
The registry value actually associated with updating drivers is called UpdatePromptSettings
Read 7 tweets
30 Jun
This is very important!

If you have the "Print Spooler" service enabled (which is the default), any remote authenticated user can execute code as SYSTEM on the domain controller.

Stop and Disable the service on any DC now!
Log entries in Microsoft-Windows-PrintService/Admin might be a good place to look for evidence of exploitation.
Here, despite the "failed to load" error, is what was generated when I loaded main64.dll off of a remote SMB share using this exploit.
Note that looking for this will only find lazy attackers. The only reason that I saw this in my initial test is because the main64.dll that I used made no attempt to look like what the print spooler is looking for.
If the attacker loads a sane-looking DLL, no error is logged.
Read 6 tweets
10 Jan 20
Now that Twitter has changed how it handles uploaded images, this unexpected behavior is perhaps more important now than before.
Your challenge: Tell me what I've redacted from this image.
(Anybody I've talked to about this so far is ineligible to play)
It can be done w/o tools.
Several apps (e.g. @GIMP_Official, @Apple Preview) do not actually delete content from images with an alpha channel. They simply create an alpha-channel tunnel through the content you think that you're removing.
You may think you've removed content, but it's just hidden.
If you remove the alpha channel, you now can see what's behind it. You can do this with ImageMagick, e.g.
convert input.png -alpha off output.png
You now have an image that doesn't have the alpha channel, so therefore is unredacted.
But it's actually even easier than this!
Read 9 tweets
10 Jan 20
The cat's pretty much out of the bag on how to exploit this. Expect widespread exploitation attempts for CVE-2019-19781 at this point.
Despite being almost a month old, there is NO PATCH from @citrix at this point. Only a (very important) mitigation.
kb.cert.org/vuls/id/619785/ Image
@citrix You don't need to run a working exploit to know if a system is vulnerable or not, though. Simply visit:
in your web browser or script or whatever.
If you get a file, the system is vulnerable.
If you get a 403, it has had mitigations applied.
@citrix Also, FreeBSD 8.4 was EOL'd years ago. And even FreeBSD v. current doesn't even have ASLR enabled (not that it'd matter in this particular case).

And this is something you're exposing directly to the Internet?

Read 4 tweets
9 Jul 19
@johannh Let's be quite clear here:
Zoom intentionally created a vulnerability to work around a security improvement in Safari. This was done to save the user a single click.
@johannh Also note that because Zoom decided that requiring a single click from the user is unacceptable, the vulnerability that they chose to create as a workaround also means that receiving a simple email can result in your camera and microphone being turned on. Neat.
@johannh And on the Windows side of things, both Internet Explorer and Edge also launch Zoom without prompting (albeit not apparently via a process listening on localhost). Chrome and Firefox behave sanely in that the user is prompted before a 3rd-party application is launched.
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!