How Windows & Linux Privilege‑Escalation Bugs Let Attackers Hijack Your System
Recent disclosures reveal critical privilege‑escalation vulnerabilities in both Windows (CVE‑2021‑36934) and Linux (CVE‑2021‑33909): on Windows, unprivileged local users can read the SAM and other registry hives through VSS shadow copies; on Linux, an unprivileged local user can gain root. Mitigation steps are given for each platform.
Neither open‑source nor closed‑source operating systems are absolutely secure; recent research shows critical privilege‑escalation flaws in both Windows and Linux that can be exploited by attackers.
Windows "Compromised"?
On July 20, security researcher Jonas Lykkegaard posted on Twitter that on Windows 11 a standard (non‑admin) user could read the SAM (Security Account Manager) hive through Volume Shadow Copy snapshots, exposing the password hashes stored in it.
The SAM hive stores hashed account credentials. If any non‑admin user can read it, they can extract those hashes and use them to elevate to SYSTEM or create new high‑privilege accounts, effectively obtaining a "master key" to the machine. The issue also appears in the latest Windows 10 builds.
CERT/CC confirmed that starting with Windows 10 build 1809, the BUILTIN\Users group has been granted read access to the SAM, SYSTEM, and SECURITY registry hive files because of overly permissive ACLs. The live hives are locked while Windows runs, so the flaw becomes exploitable through the Volume Shadow Copy Service (VSS): a snapshot contains an ordinary, readable copy of each hive.
This misconfiguration allows an unprivileged local attacker to:
Extract and reuse password hashes (for example in pass‑the‑hash attacks).
Discover the original Windows installation password.
Obtain the DPAPI computer keys, which decrypt the machine's private keys.
Perform "silver ticket" attacks using the compromised machine account.
To see whether VSS snapshots exist on a machine (this requires an elevated prompt), run:
vssadmin list shadows
Microsoft has assigned CVE‑2021‑36934 to this flaw and rates exploitation as "more likely". Until a permanent patch is released, two temporary mitigations are recommended:
1. Restrict access to %windir%\system32\config by re‑enabling ACL inheritance on the hive files:
icacls %windir%\system32\config\*.* /inheritance:e
After correcting the ACLs, delete any existing VSS snapshots, because they still contain copies of the hives with the old permissive ACL:
vssadmin delete shadows /for=c: /Quiet
Verify removal with vssadmin list shadows. Features that rely on VSS, such as System Restore, will not work until new snapshots are created with the corrected ACLs.
2. Disable the VSS service entirely. This is the blunter option: it also stops System Restore and any backup software that depends on VSS.
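The three checks and the workaround above, collected into one PowerShell script. This is an added example, not code from the original article or from Microsoft's advisory. It assumes the hives live under %windir%\System32\config, that shadow copies are exposed at \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN, and that Windows is installed on the system drive; the function names and the MaxShadowIndex limit are mine.

```powershell
# Added example (not from the article or from Microsoft): audit a host for
# CVE-2021-36934 and apply the advisory's two-step workaround.
# Assumptions: hives under %windir%\System32\config, snapshots reachable as
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN, Windows on the system drive.
# Function names and the MaxShadowIndex default are this example's own choices.

$HiveDir = Join-Path $env:windir 'System32\config'

# Step 1 (any user): does BUILTIN\Users (SID S-1-5-32-545) hold an Allow ACE
# with read access on the hive files? Comparing by SID keeps this working on
# localized Windows builds. A vulnerable build shows Users:(I)(RX) in icacls.
function Test-HiveAcl {
    foreach ($hive in 'SAM', 'SYSTEM', 'SECURITY') {
        $acl = Get-Acl -Path (Join-Path $HiveDir $hive)
        $usersRead = $acl.Access | Where-Object {
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-32-545' -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
        }
        [pscustomobject]@{ Hive = $hive; UsersCanRead = [bool]$usersRead }
    }
}

# Step 2 (run as a standard user): the live hive is always locked, but a VSS
# snapshot is an ordinary file. If any snapshot's SAM opens for read, the host
# is exploitable right now, whatever the ACL on the live file currently says.
function Test-ShadowHiveReadable {
    param([int]$MaxShadowIndex = 16)   # how many HarddiskVolumeShadowCopyN devices to probe
    for ($i = 1; $i -le $MaxShadowIndex; $i++) {
        $path = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$i\Windows\System32\config\SAM"
        try {
            $fs = [System.IO.File]::OpenRead($path)
            $fs.Dispose()
            [pscustomobject]@{ Shadow = $i; Result = 'READABLE (vulnerable)' }
        } catch {
            $base = $_.Exception.GetBaseException()
            if ($base -is [System.UnauthorizedAccessException]) {
                [pscustomobject]@{ Shadow = $i; Result = 'access denied (ACL fixed)' }
            }
            # Any other I/O error means snapshot N does not exist; skip it silently.
        }
    }
}

# Step 3 (elevated): the advisory workaround. Re-enabling inheritance re-applies
# the parent directory's ACL to the hive files; deleting the snapshots removes
# the copies that still carry the old, world-readable ACL. Both steps are needed.
function Invoke-HiveMitigation {
    icacls (Join-Path $HiveDir '*.*') /inheritance:e
    vssadmin delete shadows "/for=$($env:SystemDrive)" /Quiet
    vssadmin list shadows     # should now report no shadow copies for the system drive
}

Test-HiveAcl | Format-Table -AutoSize
Test-ShadowHiveReadable | Format-Table -AutoSize
# Invoke-HiveMitigation     # uncomment on an elevated prompt; System Restore points are lost
```

Run the first two functions from an ordinary user session: a row showing UsersCanRead = True, or any snapshot reported as READABLE, means the machine is exploitable. Step 2 is the check that matters after you fix the ACL, because snapshots taken before the fix keep the old permissions until they are deleted.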
More details are available on Microsoft’s security advisory page.
Linux Is Not Safe Either
Researchers at Qualys also discovered a size_t‑to‑int conversion flaw in the Linux kernel's seq_file interface (fs/seq_file.c), tracked as CVE‑2021‑33909 and dubbed "Sequoia", which allows any unprivileged local user to gain root privileges.
The bug was introduced in 2014 (Linux 3.16), so every kernel release since then is affected. It is present in default installations of Ubuntu 20.04/20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation, among others.
Until a patched kernel is installed, the published exploit for this bug can be blocked by two kernel settings that disallow unprivileged user‑namespace creation and unprivileged eBPF program loading:
echo 0 > /proc/sys/kernel/unprivileged_userns_clone
echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled
Two caveats: kernel.unprivileged_userns_clone exists only on Debian and Ubuntu kernels (on other distributions set user.max_user_namespaces to 0 instead), and writes to /proc/sys do not survive a reboot, so persist them under /etc/sysctl.d. These settings block the known exploitation technique, not the underlying bug, so users should still avoid installing untrusted software and apply the official kernel patches as soon as they are available.
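A small audit-and-persist script for the two settings above, as an added example that is not part of the original article or of the Qualys advisory. It assumes a Debian/Ubuntu-style kernel exposes kernel.unprivileged_userns_clone and that other kernels are covered by user.max_user_namespaces instead; the PROC_ROOT variable is a hypothetical hook that lets the checks be pointed at a constructed directory tree instead of the live /proc/sys, and the drop-in file name is this example's own choice.

```sh
#!/bin/sh
# Added example (not from the article or from Qualys): audit and persist the
# sysctl mitigations for CVE-2021-33909 ("Sequoia").
# Assumptions: Debian/Ubuntu kernels expose kernel.unprivileged_userns_clone;
# other kernels do not, and there user.max_user_namespaces=0 is the equivalent.
# PROC_ROOT is a hypothetical hook so the checks can run against a constructed
# directory tree instead of the live /proc/sys.

PROC_ROOT="${PROC_ROOT:-/proc/sys}"

# Print the value of one sysctl file, or "absent" if this kernel lacks it.
read_knob() {
    f="$PROC_ROOT/$1"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo absent
    fi
}

# One verdict line per knob; returns 0 only if both primitives the public
# exploit relies on (unprivileged user namespaces, unprivileged eBPF) are blocked.
sequoia_status() {
    ok=0
    userns=$(read_knob kernel/unprivileged_userns_clone)
    maxns=$(read_knob user/max_user_namespaces)
    bpf=$(read_knob kernel/unprivileged_bpf_disabled)

    # Blocked if the Debian/Ubuntu knob is 0, or if the namespace limit is 0.
    if [ "$userns" = 0 ] || [ "$maxns" = 0 ]; then
        echo "unprivileged user namespaces: blocked (unprivileged_userns_clone=$userns, max_user_namespaces=$maxns)"
    else
        echo "unprivileged user namespaces: ALLOWED (unprivileged_userns_clone=$userns, max_user_namespaces=$maxns)"
        ok=1
    fi

    # Any non-zero value disables unprivileged BPF (1 is sticky until reboot;
    # newer kernels also accept 2, which root can revert).
    case "$bpf" in
        1|2) echo "unprivileged bpf: disabled (unprivileged_bpf_disabled=$bpf)" ;;
        *)   echo "unprivileged bpf: ALLOWED (unprivileged_bpf_disabled=$bpf)"; ok=1 ;;
    esac
    return $ok
}

# Emit a sysctl.d drop-in using whichever user-namespace knob this kernel has,
# so the settings survive a reboot (plain echo into /proc/sys does not).
sequoia_drop_in() {
    echo "# CVE-2021-33909 (Sequoia) mitigation: blocks the known exploit, not the bug"
    if [ "$(read_knob kernel/unprivileged_userns_clone)" != absent ]; then
        echo "kernel.unprivileged_userns_clone = 0"
    else
        echo "user.max_user_namespaces = 0"
    fi
    echo "kernel.unprivileged_bpf_disabled = 1"
}

# Write the drop-in and load it now (needs root).
sequoia_apply() {
    conf="${1:-/etc/sysctl.d/99-sequoia-mitigation.conf}"
    sequoia_drop_in > "$conf"
    sysctl -p "$conf"
}

# Usage: sh sequoia.sh status   (any user; exit code 1 if still exploitable)
#        sh sequoia.sh apply    (root)
case "${1:-}" in
    status) sequoia_status ;;
    apply)  sequoia_apply ;;
esac
```

The status check deliberately treats user.max_user_namespaces=0 as equivalent to unprivileged_userns_clone=0, so the same script gives a correct answer on Fedora, which has no Debian-style knob. Re-run it after a reboot: if the drop-in was never written, the /proc writes from the article are gone and the host reports ALLOWED again.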
References:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934
https://www.theregister.com/2021/07/21/windows_linux_privilege_escalation/
https://arstechnica.com/gadgets/2021/07/separate-eop-flaws-let-hackers-gain-full-control-of-windows-and-linux-systems/
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
MaGe Linux Operations