
Microsoft Windows User Group Policy Bypass

Medium

Synopsis

User Group Policy Bypass

Tenable Research has discovered a vulnerability affecting several versions of Windows, including the latest Windows 10 version at the time of disclosure, 10.18363 (1909).

The vulnerability allows a non-Admin user to subvert User Group Policies applied to them by a Domain Administrator. By default, these policies are stored under a protected registry key at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies". If the user's profile is a non-mandatory profile, these protected policies can be bypassed or changed by replacing the entire registry hive. This is done by dropping a new user registry hive at %USERPROFILE%\ntuser.man. Upon the next logon, the ProfSvc service (C:\Windows\System32\profsvc.dll) loads this ntuser.man registry hive instead of the default ntuser.dat, which overrides any policies that were enforced under the ntuser.dat hive.

Denial of Service

Alternatively, this ntuser.man can cause a Denial of Service for a user trying to log in. If a user drops an empty ntuser.man (or any file that is not in registry hive format), ProfSvc will fail to load the registry hive and prevent logon, requiring a Safe Mode boot or other techniques to manually remove the offending ntuser.man file.
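Because ProfSvc prefers ntuser.man whenever it is present, an unexpected ntuser.man in a profile directory is the artifact a defender can look for. The following PowerShell is an added example, not code from the advisory: it walks the local ProfileList, reports every profile directory that contains an ntuser.man, and flags the empty or non-hive case described above. It assumes it runs as a local Administrator and that $ExpectedMandatory is a hypothetical allow-list of accounts deliberately configured with mandatory profiles.

```powershell
# Added example, not part of the Tenable advisory. Run as a local Administrator.
# $ExpectedMandatory is a hypothetical allow-list of accounts that are meant to
# have mandatory profiles; anything else with an ntuser.man deserves a look.
$ExpectedMandatory = @()   # e.g. 'CONTOSO\kioskuser' (constructed placeholder)

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

$findings = foreach ($key in Get-ChildItem -Path $profileList) {
    $imagePath = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
    if (-not $imagePath) { continue }
    $imagePath = [Environment]::ExpandEnvironmentVariables($imagePath)
    $man = Join-Path $imagePath 'ntuser.man'
    if (-not (Test-Path -LiteralPath $man)) { continue }

    # Resolve the SID subkey name to an account name where possible.
    $sid = $key.PSChildName
    try {
        $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch { $account = $sid }

    $item = Get-Item -LiteralPath $man -Force   # -Force: ntuser.* are hidden files

    # A registry hive file starts with the ASCII signature 'regf'. An empty or
    # non-hive ntuser.man is the denial-of-service variant described above.
    $header = ''
    if ($item.Length -ge 4) {
        $bytes = New-Object byte[] 4
        $fs = [System.IO.File]::OpenRead($man)
        try { [void]$fs.Read($bytes, 0, 4) } finally { $fs.Dispose() }
        $header = [System.Text.Encoding]::ASCII.GetString($bytes)
    }

    [pscustomobject]@{
        Account       = $account
        Path          = $man
        SizeBytes     = $item.Length
        LastWriteUtc  = $item.LastWriteTimeUtc
        Owner         = (Get-Acl -LiteralPath $man).Owner
        LooksLikeHive = ($header -eq 'regf')
        Expected      = ($ExpectedMandatory -contains $account)
    }
}

# Report only the ntuser.man files nobody planned for.
$findings | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

The Owner and LastWriteUtc columns show who placed the file and when, which is the starting point for deciding whether a flagged hive was dropped by the profile's own user.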

Proof of Concept

CAUTION — THE FOLLOWING STEPS CAN DAMAGE A WINDOWS ACCOUNT. We only recommend trying this in a test virtual machine.

1. On an entirely separate Windows 10 machine to which you have Administrator access, copy any user's registry hive from the %USERPROFILE%\ntuser.dat file to a different folder. Note that this user must not be logged in, otherwise the file cannot be copied.

2. With regedit.exe, load this copied registry hive by selecting the HKEY_LOCAL_MACHINE key and clicking File->Load Hive...

3. Under the newly loaded reg hive, clear any policies you may see under \Software\Microsoft\Windows\CurrentVersion\Policies.

4. At the root of the hive you loaded in regedit, change permissions to allow "Everyone" full control (read/write/etc) and propagate permissions for all subkeys.

5. Now copy this registry hive to "%USERPROFILE%\ntuser.man" on the machine on which you are a non-Admin user.

6. Disconnect from the network if you are connected to a Domain Controller.

7. Log off and log back on. You may see the Windows welcome screen; let it finish. All User Group Policies have now been overridden with what you placed in ntuser.man.

Solution

There is no known solution or mitigation for this issue.

Disclosure Timeline

11/12/2019 - Tenable discloses vulnerability to [email protected].
11/12/2019 - Microsoft acknowledges report.
11/13/2019 - Microsoft opens case for issue and confirms engineers are reviewing report. Asks for a one-day extension to the 90-day policy to align with patch release cycles.
11/13/2019 - Tenable responds that it is willing to postpone public disclosure for vendor.
11/14/2019 - Microsoft acknowledges.
12/2/2019 - Tenable follows up, asking for any updates.
12/4/2019 - Microsoft asks for source code as they are having trouble finding the source of the issue.
12/4/2019 - Tenable provides source code and explains root cause of issue.
12/17/2019 - Tenable asks Microsoft for status update.
12/17/2019 - Microsoft has difficulty recreating issue with PoC, explains possible issues, asks for new PoC.
12/18/2019 - Tenable troubleshoots PoC issues, asks to schedule call for better troubleshooting.
12/19/2019 - Microsoft shares troubleshooting details with analyst and will follow up if they need to set up a call.
01/06/2020 - Tenable asks Microsoft for status update.
01/07/2020 - Microsoft explains they only see Denial of Service occurring with PoC and not Group Policy bypass. Explains that it currently does not meet the severity bar for a security update. Asks for details on Domain setup that Tenable tested.
01/10/2020 - Tenable recreates testing environment and confirms PoC works. Provides basic domain setup information to Microsoft. Tenable shares a rebuilt PoC.
01/13/2020 - Microsoft passes video/PoC to engineering team to try and reproduce. Asks for extension for disclosure date.
01/15/2019 - Tenable offers help if there is any trouble reproducing the issue and will follow up later in the month regarding extension if necessary.
01/27/2020 - Tenable asks for update on reproducing bug.
01/29/2020 - Microsoft responds that they were able to fully replicate issue. Microsoft concludes it is not a bug and is expected behavior.
01/31/2020 - Tenable clarifies impact and why it should be treated as a security issue.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2020-08
Credit: David Wells
CVSSv2 Base / Temporal Score: 4.5
CVSSv2 Vector: AV:L/AC:L/Au:S/C:N/I:P/A:C
Affected Products: Windows 10 versions up to and including 10.18363 version 1903
Risk Factor: Medium

Advisory Timeline

02/10/2020 - Initial Release
