sam-file-access-control: SAM File Access Control Check

Date: 2025-08-01 | Affected software: SAM File Access Control | PoC: public

Vulnerability description

Ensure the SAM file (%SystemRoot%\system32\config\SAM) is secured so that only the Administrators and SYSTEM groups have full access. The presence of permissions for any other users or groups represents a potential security vulnerability.

PoC code [public]

id: sam-file-access-control

info:
  name: SAM File Access Control Check
  author: nukunga[SungHyunJeon]
  severity: medium
  description: |
    Ensure the SAM file (%SystemRoot%\system32\config\SAM) is secured so that only the Administrators and SYSTEM groups have full access. The presence of permissions for any other users or groups represents a potential security vulnerability.
  impact: |
    If users or groups besides Administrators and SYSTEM have access to the SAM file, attackers could exploit this to obtain sensitive password data, raising the risk of password-based attacks.
  remediation: |
    Revoke any permissions assigned to users or groups other than Administrators and SYSTEM by:
    - Running the command: > cacls %systemroot%\system32\config\SAM /remove:g [UserOrGroup]
    - Or by adjusting the permissions through File Explorer.
  reference:
    - https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
  tags: sam,account-management,code,windows-audit,kisa

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      $samPath = "$env:SystemRoot\system32\config\SAM"
      if (-Not (Test-Path $samPath)) {
          "SAM_FILE_NOT_FOUND"
          exit
      }
      # Retrieve the ACL for the SAM file
      $acl = Get-Acl $samPath
      # Define allowed identities (variations may exist)
      $allowed = @("BUILTIN\Administrators", "Administrators", "NT AUTHORITY\SYSTEM", "SYSTEM")
      $vulnerable = $false
      foreach ($ace in $acl.Access) {
          $account = $ace.IdentityReference.ToString()
          if ($allowed -notcontains $account) {
              $vulnerable = $true
              break
          }
      }
      if ($vulnerable) {
          "SAM_ACCESS_VULNERABLE"
      } else {
          "SAM_ACCESS_COMPLIANT"
      }

    matchers:
      - type: word
        words:
          - "SAM_ACCESS_VULNERABLE"
# digest: 490a00463044022040dec32d4771631e7b3d39511a48983e2fadad35eb9c1c0ddd873fbdf3d204ab02203870f2731378bab592f0218f083a88ca737324ef53a99f9a182488e58c645970:922c64590222798bb761d5b6d8e72950
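The template above compares account display names, which vary by locale and naming form. The following added example (not part of the Nuclei template or its author's code) performs the same audit by well-known SID and reports each offending ACE with its rights, type and inheritance; the function name Get-SamAclFindings is an assumption of this example.

```powershell
# Added example (not part of the Nuclei template above): audit the SAM file ACL by
# well-known SID rather than display name and list every ACE not held by
# Administrators (S-1-5-32-544) or SYSTEM (S-1-5-18). Run from an elevated
# session, since reading the SAM file's security descriptor requires admin rights.
$samPath = Join-Path $env:SystemRoot 'system32\config\SAM'
$allowedSids = @('S-1-5-32-544', 'S-1-5-18')

function Get-SamAclFindings {
    param([string]$Path = $samPath)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "SAM file not found at $Path"
    }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        try {
            # Resolve NTAccount (or pass through an already-raw SID) to a SID string
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable identity: keep as-is
        }
        if ($allowedSids -notcontains $sid) {
            # Deny ACEs are reported too so they can be reviewed by hand
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @(Get-SamAclFindings)
if ($findings.Count -eq 0) {
    'SAM_ACCESS_COMPLIANT'
} else {
    'SAM_ACCESS_VULNERABLE'
    $findings | Format-Table -AutoSize
}
```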