
Windows bug “HiveNightmare” can reveal passwords


As if PrintNightmare, the bug that haunted all of our Windows printers, wasn’t enough…

… here is another bug, reported by Microsoft on 07/20/2021, that could leak important Windows registry secrets.

This one is tagged CVE-2021-36934 and currently goes by various nicknames, including HiveNightmare and SeriousSAM.

The name HiveNightmare arises because Windows stores its registry data in a small number of proprietary database files, known in Microsoft jargon as hive files, or simply hives.

Three of these files, called SAM, SECURITY and SYSTEM, together contain secret data, including password information and other security details, that normal users should not be able to access.

They are stored in a special, supposedly secure directory under the Windows directory called c:\windows\system32\config, which you can see here:

    C:\Windows\System32\config> dir
    [. . .]
     Directory of C:\Windows\System32\config
    [. . .]
    21/07/2021  12:57           524,288 BBI
    25/06/2021  06:21            28,672 BCD-Template
    21/07/2021  14:45            32,768 COMPONENTS
    21/07/2021  12:57           786,432 DEFAULT
    21/07/2021  12:32         4,194,304 DRIVERS
    [. . .]
    21/07/2021  12:57            65,536 SAM       <-- contains some secrets
    21/07/2021  12:57            32,768 SECURITY  <-- contains some secrets
    21/07/2021  12:57        87,556,096 SOFTWARE
    21/07/2021  12:57        11,272,192 SYSTEM    <-- contains some secrets
    [. . .]

The name SeriousSAM comes from SAM, which is short for Security Account Manager, a name that sounds as serious as the contents of the file.

If you’ve ever used password cracking tools (or seen evidence of them being used after an active attack was discovered), you’ll know that the SAM database is where many cybercriminals start when trying to get hold of administrator credentials.

Fortunately, you already need administrator access to read the SAM data, and you can’t simply copy the SAM registry hive off the disk while Windows is running, even as an administrator, because the operating system keeps the SAM file locked for its own exclusive use.

Who Can See What?

Below is a little C program we wrote that acts as a simple “availability check” for any file: it tries to open each filename given on the command line for read access and reports the Windows error code if the file cannot be opened.

(The code is in the public domain, so you can do what you like with it, but you use it at your own risk.)

You don’t even need the Windows header files to build it; all you need is to tell your compiler’s linker that it needs kernel32.dll and msvcrt.dll:

    /* --- CHKIT.C --- */

    /* Hand-written prototypes so that no Windows headers are needed; the
       names resolve at link time against kernel32.dll and msvcrt.dll.
       Assumes a 64-bit build (a 32-bit build would need __stdcall). */
    void *CreateFileA(char *name, unsigned mode, unsigned share, void *sec,
                      unsigned disp, unsigned attr, void *tmpl);
    int CloseHandle(void *hnd);
    unsigned GetLastError(void);
    int printf(char *fmt, ...);

    int main(int argc, char **argv) {
        for (int i = 1; i < argc; i++) {
            printf("Opening file [%s]\n", argv[i]);
            /* 0x80000000 = GENERIC_READ, share 0 = no sharing,
               disp 3 = OPEN_EXISTING, attr 0x80 = FILE_ATTRIBUTE_NORMAL */
            void *hnd = CreateFileA(argv[i], 0x80000000L, 0, 0, 3, 0x80, 0);
            if ((long long)hnd == -1) {              /* INVALID_HANDLE_VALUE */
                printf("Error (GetLastError=0x%08x)\n", GetLastError());
            } else {
                printf("Worked (Handle=%lld)\n", (long long)hnd);
                CloseHandle(hnd);
            }
        }
        return 0;
    }

From an elevated command prompt (one run as administrator), we get the following chkit output:

    C:\Users\duck> chkit C:\Windows\System32\config\SAM C:\Windows\System32\config\SYSTEM C:\Windows\System32\config\SECURITY
    Opening file [C:\Windows\System32\config\SAM]
    Error (GetLastError=0x00000020)
    Opening file [C:\Windows\System32\config\SYSTEM]
    Error (GetLastError=0x00000020)
    Opening file [C:\Windows\System32\config\SECURITY]
    Error (GetLastError=0x00000020)

Error 0x20 is ERROR_SHARING_VIOLATION, which Microsoft describes as “The process cannot access the file because it is being used by another process.”

Now the same thing from an unelevated command prompt, running as a regular user:

    C:\Users\duck> chkit C:\Windows\System32\config\SAM
    Opening file [C:\Windows\System32\config\SAM]
    Error (GetLastError=0x00000020)

We would expect to get error 0x05, ERROR_ACCESS_DENIED, which is self-explanatory.

Error 0x20 means that the program was allowed to attempt to open the file, and only failed at that point because the file was locked, instead of being prevented from even trying in the first place.

And if we look at the ACL (Access Control List) on the SAM hive file using Microsoft’s own ICACLS utility, we can see that this behaviour is indeed due to a security bug:

    config\SAM BUILTIN\Administrators:(I)(F)
               BUILTIN\Users:(I)(RX)   <-- this is wrong - regular users should not have read access!
               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

    Successfully processed 1 files; Failed processing 0 files
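As an added check that is not part of the original article: a small Python script that parses ICACLS output like the listing above and flags any hive file whose ACL grants read access to principals outside a trusted set (Administrators, SYSTEM and TrustedInstaller). The trusted set, the read-like token list and the sample listing are assumptions modelled on the output shown above.

```python
import re

# Added example (not the article's code): flag registry hive files whose ACL,
# as printed by ICACLS, lets principals outside the trusted set read them.
TRUSTED = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM",
           "NT SERVICE\\TrustedInstaller"}
READ_LIKE = {"F", "M", "RX", "R", "GR", "RD"}   # tokens that allow reading
ACE_RE = re.compile(r"(?P<who>[^:]+?):(?P<rights>(?:\([^)]*\))+)$")

def parse_icacls(text):
    """Return [(path, principal, {tokens})] from ICACLS output.

    ICACLS prints each path at column 0 followed by its first ACE; further
    ACEs follow on indented lines (assumes paths contain no spaces).
    Trailer lines and any '<--' annotations added by a human are ignored.
    """
    entries, path = [], None
    for raw in text.splitlines():
        line = raw.split("<--")[0].rstrip()
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        ace = line.strip()
        if not raw[:1].isspace():              # column 0: path comes first
            path, _, ace = ace.partition(" ")
        m = ACE_RE.match(ace)
        if m and path:
            tokens = {t.strip() for grp in re.findall(r"\(([^)]*)\)", m["rights"])
                      for t in grp.split(",")}
            entries.append((path, m["who"], tokens))
    return entries

def find_readable_by_untrusted(text):
    """(path, principal, sorted tokens) for every allow-ACE that grants read
    access to a principal outside TRUSTED; deny-ACEs are skipped."""
    return [(p, who, sorted(tok)) for p, who, tok in parse_icacls(text)
            if who not in TRUSTED and "DENY" not in tok and tok & READ_LIKE]

# Constructed sample, modelled on the article's ICACLS listing for the SAM hive.
SAMPLE = """\
C:\\Windows\\System32\\config\\SAM BUILTIN\\Administrators:(I)(F)
                               BUILTIN\\Users:(I)(RX)   <-- wrong!
                               APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for path, who, tokens in find_readable_by_untrusted(SAMPLE):
        print(f"{path}: {who} can read ({','.join(tokens)})")
```

On a real machine, feed it the output of icacls over the config directory; an empty result means no untrusted principal holds a read-capable allow entry on those files.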

In other words, the SAM credentials (and their