SAM File Access Control Vulnerability

Vulnerability information

Vulnerability name: SAM File Access Control Vulnerability

Vulnerability type: Permission bypass

Severity: Medium

Vulnerability description: This vulnerability concerns access control on the SAM (Security Accounts Manager) file in the Windows operating system. The SAM file stores the password hashes of local users and is a key component of Windows security account management. Under normal conditions, only the Administrators and SYSTEM groups should have full access to this file. If any other user or group has also been granted access, that constitutes a potential security vulnerability.

The technical root cause is a misconfigured access control list (ACL) that lets unauthorized users or groups access the SAM file. Such a misconfiguration may result from administrator oversight or from the actions of malicious software. An attacker can use it to read the sensitive password hashes stored in the SAM file and then crack them offline or perform a pass-the-hash attack, thereby elevating privileges or gaining control of the system.

The impact is rated medium because an attacker must first obtain some level of access to the system before the vulnerability can be exploited. Once exploited, however, the attacker can obtain high-privilege credentials for the system, potentially compromising the security of the entire system. In addition, exploitation requires no user interaction and can be automated, which increases the potential danger. System administrators are therefore advised to check the access permissions on the SAM file regularly and ensure that only authorized users and groups can access it.

Vendor: Microsoft

Product: Windows SAM File

Source: https://github.com/projectdiscovery/nuclei-templates/blob/b740ee6791c0a6d36cac233d23a096ba91d2f060/code%2Fwindows%2Faudit%2Fkisa%2Fsam-file-access-control.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC details


id: sam-file-access-control

info:
  name: SAM File Access Control Check
  author: nukunga[SungHyunJeon]
  severity: medium
  description: |
    Ensure the SAM file (%SystemRoot%\system32\config\SAM) is secured so that only the Administrators and SYSTEM groups have full access. The presence of permissions for any other users or groups represents a potential security vulnerability.
  impact: |
    If users or groups besides Administrators and SYSTEM have access to the SAM file, attackers could exploit this to obtain sensitive password data, raising the risk of password-based attacks.
  remediation: |
    Revoke any permissions assigned to users or groups other than Administrators and SYSTEM by:
    - Running the command: > cacls %systemroot%\system32\config\SAM /remove:g [UserOrGroup]
    - Or by adjusting the permissions through File Explorer.
  reference:
    - https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
  tags: sam,account-management,code,windows-audit,kisa

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      $samPath = "$env:SystemRoot\system32\config\SAM"
      if (-Not (Test-Path $samPath)) {
          "SAM_FILE_NOT_FOUND"
          exit
      }
      # Retrieve the ACL for the SAM file
      $acl = Get-Acl $samPath
      # Define allowed identities (variations may exist)
      $allowed = @("BUILTIN\Administrators", "Administrators", "NT AUTHORITY\SYSTEM", "SYSTEM")
      $vulnerable = $false
      foreach ($ace in $acl.Access) {
          $account = $ace.IdentityReference.ToString()
          if ($allowed -notcontains $account) {
              $vulnerable = $true
              break
          }
      }
      if ($vulnerable) {
          "SAM_ACCESS_VULNERABLE"
      } else {
          "SAM_ACCESS_COMPLIANT"
      }

    matchers:
      - type: word
        words:
          - "SAM_ACCESS_VULNERABLE"

http://example.com/2025/07/10/github_33902182/
Author: lianccc
Published: July 10, 2025