
CVE-2021-36934 PoC — Windows Elevation of Privilege Vulnerability

Source
Associated Vulnerability
Title: Windows Elevation of Privilege Vulnerability (CVE-2021-36934)
Description: An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attacker must have the ability to execute code on a victim system to exploit this vulnerability.

After installing this security update, you *must* manually delete all shadow copies of system files, including the SAM database, to fully mitigate this vulnerability. **Simply installing this security update will not fully mitigate this vulnerability.** See KB5005357 - Delete Volume Shadow Copies (https://support.microsoft.com/topic/1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7).
Description
CVE-2021-36934 HiveNightmare vulnerability checker and workaround
Readme
# CVE-2021-36934
CVE-2021-36934 HiveNightmare vulnerability checker and workaround

### Flow

The script has the following flow:

- Requires Administrator privileges to run.
- Checks whether the Windows 10 version is affected by the vulnerability.
  - If affected:
    - Shows the message: Windows version may be affected by the vulnerability
    - Checks whether the permissions on the hive system files grant access to BUILTIN\Users
      - If vulnerable:
        - Applies the workaround proposed by Microsoft (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934)
        - Checks for Volume Shadow Copies
          - If any exist:
            - Shows the message: There are vulnerable shadow copies on the system
            - Deletes the existing shadow copies and shows the message: Shadow copies have been removed
            - Creates a new restore point named "Restorepoint for CVE-2021-36934 HiveNightmare" and shows the message: A new restore point has been created
          - If none exist:
            - Shows the message: No shadow copies found
            - Shows the message: System is not vulnerable
      - If not vulnerable:
        - Shows the message: No vulnerable hive system files found
        - Shows the message: System is not vulnerable
  - If not affected:
    - Shows the message: Operating System is not vulnerable
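
The check-and-remediate flow above, as an added PowerShell example that is not the repository's hivenightmare.ps1: the function names are my own, the Windows version check is omitted, and it assumes an elevated session with System Restore enabled. The ACL test compares the well-known SID instead of the account name, which is what makes a check like this work under any display language.

```powershell
#Requires -RunAsAdministrator
# Added example, not the repository's hivenightmare.ps1. Function names are mine.

function Test-HiveAclExposure {
    # Returns the hive files whose ACL grants BUILTIN\Users read access.
    $config = Join-Path $env:windir 'System32\config'
    $exposed = @()
    foreach ($hive in 'SAM', 'SECURITY', 'SYSTEM') {
        $path = Join-Path $config $hive
        foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            # Compare the well-known SID S-1-5-32-545 rather than the name
            # "BUILTIN\Users", so the check is independent of the display language.
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if ($sid -eq 'S-1-5-32-545' -and $ace.AccessControlType -eq 'Allow' -and
                ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)) {
                $exposed += $path
                break
            }
        }
    }
    return $exposed
}

function Get-ShadowCopyCount {
    # Shadow copies taken while the ACL was permissive still expose the hives.
    return @(Get-CimInstance -ClassName Win32_ShadowCopy).Count
}

function Invoke-HiveNightmareWorkaround {
    # Microsoft's published workaround: restore ACL inheritance on the config
    # directory contents, then delete the shadow copies that kept the old ACLs.
    icacls "$env:windir\System32\config\*.*" /inheritance:e | Out-Null
    vssadmin delete shadows /all /quiet | Out-Null
    # Leave a fresh, non-vulnerable restore point (requires System Restore to be
    # enabled; Windows allows one restore point per 24 hours by default).
    Checkpoint-Computer -Description 'Restorepoint for CVE-2021-36934 HiveNightmare' `
                        -RestorePointType MODIFY_SETTINGS
}

$exposed = Test-HiveAclExposure
if ($exposed.Count -eq 0) { Write-Output 'No vulnerable hive system files found'; return }
Write-Output "Vulnerable hive files: $($exposed -join ', ')"
$shadows = Get-ShadowCopyCount
Invoke-HiveNightmareWorkaround
Write-Output "Shadow copies removed: $shadows"
if ((Test-HiveAclExposure).Count -eq 0) { Write-Output 'System is not vulnerable' }
```

Running Test-HiveAclExposure a second time after the workaround is the same "run it again to verify" step the README describes.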

### Considerations

- Once the script has been run to fix the vulnerability, it can be run again to verify that the fix was applied.
- The workaround is applied only to affected systems.
- The script works correctly with any language setting.
- Some EDR systems may flag this script as suspicious behavior and stop its execution, because it deletes shadow volume copies. It is recommended to add it as an exception.

### Outputs

If the system is vulnerable and has been fixed, we get the following result:

![HiveNightmare System is vulnerable](https://i.imgur.com/N3HQSKG.png)

If the system is not vulnerable, we get the following result:

![HiveNightmare System is not vulnerable](https://i.imgur.com/IrRwyzQ.png)


File Snapshot

/data/pocs/e54c3fbed3ba9164c6d3cb138b65533083e14086
├── hivenightmare.ps1 (3.5K)
├── LICENSE (34K)
└── README.md (2.0K)
0 directories, 3 files