
Microsoft Windows User Group Policy Bypass

Medium

Synopsis

User Group Policy Bypass

Tenable Research has discovered a vulnerability affecting several versions of Windows, including the latest Windows 10 release at the time of disclosure (10.18363, version 1909).

The vulnerability allows a non-Admin user to subvert User Group Policies applied to them by a Domain Administrator. By default, these policies are stored under a protected registry key at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies". If the user's profile is a non-mandatory profile, these protected policies can be bypassed or changed by replacing the entire registry hive, which can be done by dropping a new user registry hive at %USERPROFILE%\ntuser.man. Upon the next logon, the ProfSvc service (C:\Windows\System32\profsvc.dll) will load this ntuser.man registry hive instead of the default ntuser.dat, which can result in overriding any policies that had been enforced under the ntuser.dat hive.

Denial of Service

Alternatively, an ntuser.man file can cause a Denial of Service for the user trying to log on. If a user drops an empty ntuser.man (or any file that is not in registry hive format), ProfSvc will fail to load the registry hive and prevent logon, requiring a Safe Mode boot or other techniques to manually remove the offending ntuser.man file.
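As an added defender-side check that is not part of the advisory, the PowerShell below enumerates every local profile root and reports any ntuser.man that ProfSvc would load in place of ntuser.dat, distinguishing a valid hive (the policy-override case above) from an empty or non-hive file (the logon Denial of Service case). It assumes an elevated session and the standard ProfileList key; the function name is the author's choice.

```powershell
# Added detection example (not from the advisory). Assumption: run from an
# elevated PowerShell on the host being audited. Profile roots are read from
# the ProfileList key so renamed or redirected profile folders are covered.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-HiveSignature([string]$Path) {
    # A loadable hive starts with the ASCII signature "regf". A loaded hive is
    # held open exclusively, so a sharing violation means this ntuser.man is
    # the hive currently backing a logged-on user's HKEY_CURRENT_USER.
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'Read')
        try { $buf = New-Object byte[] 4; $n = $fs.Read($buf, 0, 4) }
        finally { $fs.Dispose() }
        if ($n -eq 4) { return [System.Text.Encoding]::ASCII.GetString($buf) }
        return ''           # empty or truncated: ProfSvc cannot load it, logon fails
    } catch [System.IO.IOException] { return '<locked>' }
    catch [System.UnauthorizedAccessException] { return '<denied>' }
}

$findings = foreach ($p in Get-ChildItem -Path $profileList) {
    $root = (Get-ItemProperty -Path $p.PSPath).ProfileImagePath
    if (-not $root) { continue }
    $root = [System.Environment]::ExpandEnvironmentVariables($root)
    $man = Join-Path -Path $root -ChildPath 'ntuser.man'
    # Only mandatory profiles are expected to carry a hive under this name.
    if (-not (Test-Path -LiteralPath $man)) { continue }
    $item = Get-Item -LiteralPath $man -Force
    # The file ACL says who created the file; the key ACLs inside the hive
    # cannot be inspected without loading it, so they are not checked here.
    $acl = Get-Acl -LiteralPath $man
    [pscustomobject]@{
        Sid          = $p.PSChildName
        HiveFile     = $man
        SizeBytes    = $item.Length
        Signature    = Get-HiveSignature $man   # 'regf', '', '<locked>' or '<denied>'
        LastWriteUtc = $item.LastWriteTimeUtc
        Owner        = $acl.Owner
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No ntuser.man under any profile root.' }
```

A Signature of 'regf' on a non-mandatory profile is the override case worth comparing against the domain-pushed policies; an empty Signature is the file that will block that user's next logon.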

Proof of Concept

CAUTION — THE FOLLOWING STEPS CAN DAMAGE A WINDOWS ACCOUNT. We only recommend trying this in a test virtual machine.

1. On an entirely separate Windows 10 machine to which you have Administrator access, copy any user's registry hive from the %USERPROFILE%\ntuser.dat file to a different folder. Note that this user must not be logged in, or the file cannot be copied.

2. With regedit.exe, load this copied registry hive by selecting HKEY_LOCAL_MACHINE key, and clicking File->Load Hive...

3. Under the newly loaded reg hive, clear any policies you may see under \Software\Microsoft\Windows\CurrentVersion\Policies.

4. At the root of the hive you loaded in regedit, change permissions to allow "Everyone" full control (read/write/etc) and propagate permissions for all subkeys.

5. Now copy this registry hive to "%USERPROFILE%\ntuser.man" on the machine on which you are a non-Admin user.

6. Disconnect from the network if you are connected to a Domain Controller.

7. Log off and log back on. You may see a Windows welcome screen; let this finish, and all User Group Policies will now have been overridden with what you have in ntuser.man.

Solution

There is no known solution or mitigation for this issue.

Disclosure Timeline

11/12/2019 - Tenable discloses vulnerability to [email protected]
11/12/2019 - Microsoft acknowledges report.
11/13/2019 - Microsoft opens case for issue and confirms engineers are reviewing report. Asks for a one day extension to the 90 day policy to align with patch release cycles.
11/13/2019 - Tenable responds that we are willing to postpone public disclosure for the vendor.
11/14/2019 - Microsoft acknowledges.
12/2/2019 - Tenable follows up, asking for any updates.
12/4/2019 - Microsoft asks for source code as they are having trouble finding the source of the issue.
12/4/2019 - Tenable provides source code and explains root cause of issue.
12/17/2019 - Tenable asks Microsoft for a status update.
12/17/2019 - Microsoft has difficulty recreating issue with PoC, explains possible issues, asks for new PoC.
12/18/2019 - Tenable troubleshoots PoC issues, asks to schedule call for better troubleshooting.
12/19/2019 - Microsoft shares troubleshooting details with the analyst and will follow up if they need to set up a call.
01/06/2020 - Tenable asks Microsoft for status update.
01/07/2020 - Microsoft explains they only see the Denial of Service occurring with the PoC and not the Group Policy bypass, and that it currently does not meet the severity bar for a security update. Asks for details on the Domain setup that Tenable tested.
01/10/2020 - Tenable recreates testing environment and confirms PoC works. Provides basic domain setup information to Microsoft. Tenable shares a rebuilt PoC.
01/13/2020 - Microsoft passes video/PoC to engineering team to try and reproduce. Asks for extension for disclosure date.
01/15/2019 - Tenable offers help if any trouble reproducing issue and will follow up later in the month regarding extension if necessary.
01/27/2020 - Tenable asks for update on reproducing bug.
01/29/2020 - Microsoft responds that they were able to fully replicate issue. Microsoft concludes it is not a bug and is expected behavior.
01/31/2020 - Tenable clarifies impact and why it should be treated as security issue.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]
