
Microsoft Windows User Group Policy Bypass


Synopsis

User Group Policy Bypass

Tenable Research has discovered a vulnerability affecting several versions of Windows, including the latest Windows 10 version at time of disclosure: 10.18363 1909.

The vulnerability allows a non-Admin user to subvert User Group Policies applied to them by a Domain Administrator. By default, these policies are stored under a protected registry key at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies". If the user's profile is a non-mandatory profile, these protected policies can be bypassed or changed by replacing the entire registry hive. This can be done by dropping a new user registry hive at %USERPROFILE%\ntuser.man. On the next logon, the ProfSvc service (C:\Windows\System32\profsvc.dll) loads this ntuser.man registry hive instead of the default ntuser.dat, which can override any policies that were enforced under the ntuser.dat hive.

Denial of Service

Alternatively, this ntuser.man can cause a Denial of Service for the user trying to log in. If the user drops an empty ntuser.man (or any file that is not in registry hive format), ProfSvc will fail to load the registry hive and prevent logon, requiring a Safe Mode boot or other techniques to manually remove the offending ntuser.man file.

Proof of Concept

CAUTION — THE FOLLOWING STEPS CAN DAMAGE A WINDOWS ACCOUNT. We only recommend trying this in a test virtual machine.

1. On an entirely separate Windows 10 machine to which you have Administrator access, copy any user's registry hive from the %USERPROFILE%\ntuser.dat file to a different folder. Note that you will need to make sure this user is not logged in so that you can actually copy the file.

2. With regedit.exe, load this copied registry hive by selecting HKEY_LOCAL_MACHINE key, and clicking File->Load Hive...

3. Under the newly loaded reg hive, clear any policies you may see under \Software\Microsoft\Windows\CurrentVersion\Policies.

4. At the root of the hive you loaded in regedit, change permissions to allow "Everyone" full control (read/write/etc) and propagate permissions for all subkeys.

5. Now copy this registry hive to "%USERPROFILE%\ntuser.man" on the machine on which you are a non-Admin user.

6. Disconnect from the network if you are connected to a Domain Controller.

7. Log off and log back on. You may see a Windows welcome screen; let this finish, and all User Group Policies will now have been overridden with what you have in ntuser.man.
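As an added defensive check (not part of the advisory or Tenable's PoC), the following PowerShell inventory looks for the artifact the advisory describes, an ntuser.man hive in a user profile, and distinguishes the policy-override case (a valid hive) from the logon-DoS case (an empty or non-hive file). It assumes C:\Users as the profile root and a host that does not deploy mandatory profiles, where ntuser.man is the legitimate hive name.

```powershell
# Added example, not Tenable's code. Run as an administrator. On hosts without
# mandatory profiles any ntuser.man is unexpected and worth investigating.
$profileRoot = 'C:\Users'   # assumed default profile root

function Get-HiveHeaderState {
    param([string]$Path)
    # Registry hive files begin with the ASCII signature "regf". An empty file
    # or one in any other format is what makes ProfSvc fail to load it at logon.
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    } catch {
        return 'locked-or-unreadable'   # hive currently loaded, or no access
    }
    try {
        $buf = New-Object byte[] 4
        $n = $fs.Read($buf, 0, 4)
        if ($n -eq 4 -and [System.Text.Encoding]::ASCII.GetString($buf) -eq 'regf') {
            'regf'
        } else {
            'not-a-hive'
        }
    } finally {
        $fs.Dispose()
    }
}

$findings = foreach ($dir in Get-ChildItem -Path $profileRoot -Directory -Force) {
    $man = Join-Path $dir.FullName 'ntuser.man'
    if (-not (Test-Path -LiteralPath $man)) { continue }
    $item  = Get-Item -LiteralPath $man -Force
    $state = Get-HiveHeaderState -Path $man
    $verdict = switch ($state) {
        'regf'       { 'valid hive: possible User Group Policy override' }
        'not-a-hive' { 'invalid hive: logon Denial of Service risk' }
        default      { 'could not read header: check while user is logged off' }
    }
    [pscustomobject]@{
        Profile   = $dir.Name
        Path      = $man
        SizeBytes = $item.Length
        LastWrite = $item.LastWriteTime
        Owner     = (Get-Acl -LiteralPath $man).Owner
        Header    = $state
        Verdict   = $verdict
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No ntuser.man files found.' }
```

The Owner column is useful because a hive dropped by the non-Admin user is owned by that user, whereas a profile hive provisioned by an administrator normally is not.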

Solution

There is no known solution or mitigation for this issue.

Disclosure Timeline

11/12/2019 - Tenable discloses vulnerability to [email protected].
11/12/2019 - Microsoft acknowledges report.
11/13/2019 - Microsoft opens case for issue and confirms engineers are reviewing report. Asks for a one-day extension to the 90-day policy to align with patch release cycles.
11/13/2019 - Tenable responds that we are willing to postpone public disclosure for the vendor.
11/14/2019 - Microsoft acknowledges.
12/2/2019 - Tenable follows up, asking for any updates.
12/4/2019 - Microsoft asks for source code as they are having trouble finding the source of the issue.
12/4/2019 - Tenable provides source code and explains root cause of issue.
12/17/2019 - Tenable asks Microsoft for status update.
12/17/2019 - Microsoft has difficulty recreating issue with PoC, explains possible issues, asks for new PoC.
12/18/2019 - Tenable troubleshoots PoC issues, asks to schedule a call for better troubleshooting.
12/19/2019 - Microsoft shares troubleshooting details with analyst and will follow up if they need to set up a call.
01/06/2020 - Tenable asks Microsoft for status update.
01/07/2020 - Microsoft explains they only see Denial of Service occurring with PoC and not Group Policy bypass. Explains that it currently does not meet the severity bar for a security update. Asks for details on the Domain setup that Tenable tested.
01/10/2020 - Tenable recreates testing environment and confirms PoC works. Provides basic domain setup information to Microsoft. Tenable shares a rebuilt PoC.
01/13/2020 - Microsoft passes video/PoC to engineering team to try to reproduce. Asks for extension of disclosure date.
01/15/2019 - Tenable offers help if there is any trouble reproducing the issue and will follow up later in the month regarding extension if necessary.
01/27/2020 - Tenable asks for update on reproducing bug.
01/29/2020 - Microsoft responds that they were able to fully replicate issue. Microsoft concludes it is not a bug and is expected behavior.
01/31/2020 - Tenable clarifies impact and why it should be treated as a security issue.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2020-08
Credit: David Wells
CVSSv2 Base / Temporal Score: 4.5
CVSSv2 Vector: AV:L/AC:L/Au:S/C:N/I:P/A:C
Affected Products: Windows 10 versions up to and including 10.18363 version 1903
Risk Factor: Medium

Advisory Timeline

02/10/2020 - Initial Release