Synopsis
User Group Policy Bypass
Tenable Research has discovered a vulnerability affecting several versions of Windows, including the latest Windows 10 release at the time of disclosure (version 1909, 10.18363).
The vulnerability allows a non-Admin user to subvert User Group Policies applied to them by a Domain Administrator. By default, these policies are stored under a protected registry key at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies". If the user's profile is a non-mandatory profile, these protected policies can be bypassed or changed by replacing the entire registry hive. This can be done by dropping a new user registry hive at %USERPROFILE%\ntuser.man. On the next logon, the ProfSvc service (C:\Windows\System32\profsvc.dll) loads this ntuser.man registry hive instead of the default ntuser.dat, which can result in overriding any policies that were enforced under the ntuser.dat hive.
Denial of Service
Alternatively, this ntuser.man can cause a Denial of Service for the user trying to log in. If a user drops an empty ntuser.man (or any file that is not in registry hive format), ProfSvc will fail to load the registry hive and prevent logon, requiring a Safe Mode boot or other techniques to manually remove the offending ntuser.man file.
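Because the advisory reports no vendor fix, the practical defensive step is to find out where an ntuser.man already exists and whether it is an administrator-placed mandatory profile or the bypass and denial-of-service conditions described above. The following PowerShell script is an added example written for this page; it is not code from the Tenable advisory. It walks the ProfileList registry key that Windows uses to map SIDs to profile folders, reports every ntuser.man it finds, checks the file's 4-byte "regf" hive signature (an empty or non-hive file is the DoS case), and compares the file owner against a list of owners assumed to be legitimate for mandatory profiles. The $trustedOwners list and the assessment wording are assumptions for this example; adjust them to your environment. Run it elevated.

```powershell
# Added example (not from the Tenable advisory): inventory user profiles for an
# ntuser.man hive, the file ProfSvc prefers over ntuser.dat at logon.
# Run elevated on the host being checked. The owner list below is an assumption.
#Requires -RunAsAdministrator

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Owners expected to have placed a legitimate mandatory-profile hive (assumption).
# A hive owned by the profile's own user is what the bypass scenario would produce.
$trustedOwners = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Test-RegfSignature {
    param([string]$Path)
    # Every registry hive file begins with the ASCII signature "regf".
    # An empty or non-hive file here is the denial-of-service condition.
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try {
            $buf = New-Object byte[] 4
            $n = $fs.Read($buf, 0, 4)
            return ($n -eq 4 -and [System.Text.Encoding]::ASCII.GetString($buf) -eq 'regf')
        } finally { $fs.Dispose() }
    } catch { return $false }
}

$findings = foreach ($key in Get-ChildItem $profileList) {
    $sid  = $key.PSChildName
    $path = (Get-ItemProperty $key.PSPath).ProfileImagePath
    if (-not $path) { continue }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    $man  = Join-Path $path 'ntuser.man'
    if (-not (Test-Path -LiteralPath $man)) { continue }

    # ntuser.* files are hidden, so -Force is needed to read their attributes.
    $item  = Get-Item -LiteralPath $man -Force
    $owner = (Get-Acl -LiteralPath $man).Owner
    $valid = Test-RegfSignature -Path $man

    if (-not $valid) {
        $assessment = 'Invalid or empty hive: logon for this account will fail (DoS)'
    } elseif ($owner -notin $trustedOwners) {
        $assessment = 'ntuser.man not owned by an administrator: possible policy bypass'
    } else {
        $assessment = 'Admin-owned mandatory profile hive: confirm it is intentional'
    }

    [pscustomobject]@{
        SID        = $sid
        Profile    = $path
        HiveFile   = $man
        SizeBytes  = $item.Length
        ValidHive  = $valid
        Owner      = $owner
        LastWrite  = $item.LastWriteTimeUtc
        Assessment = $assessment
    }
}

if ($findings) { $findings | Format-List } else { 'No ntuser.man found under any profile.' }
```

The script reads the hive file with a shared-read handle so it can be run while the profile is loaded. The Owner check is a heuristic: a file owner is an ordinary filesystem attribute and the finding is a pointer for review (compare LastWrite against your change records), not proof of tampering. The same loop can be pointed at a roaming-profile share by replacing the ProfileList enumeration with the share's per-user folders.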
Proof of Concept
CAUTION — THE FOLLOWING STEPS CAN DAMAGE A WINDOWS ACCOUNT. We only recommend trying this in a test virtual machine.
1. On an entirely separate Windows 10 machine to which you have Administrator access, copy any user's registry hive from the %USERPROFILE%\ntuser.dat file to a different folder. Note that this user must not be logged in, or the file cannot be copied.
2. With regedit.exe, load this copied registry hive by selecting the HKEY_LOCAL_MACHINE key and clicking File->Load Hive...
3. Under the newly loaded hive, clear any policies you see under \Software\Microsoft\Windows\CurrentVersion\Policies.
4. At the root of the hive you loaded in regedit, change permissions to allow "Everyone" full control (read/write/etc.) and propagate the permissions to all subkeys.
5. Now copy this registry hive to "%USERPROFILE%\ntuser.man" on the machine where you are a non-Admin user.
6. Disconnect from the network if you are connected to a Domain Controller.
7. Log off and log back on. You may see a Windows welcome screen; let it finish. All User Group Policies have now been overridden with what is in ntuser.man.
Solution
There is no known solution or mitigation for this issue.
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]