Last week we published a post about a security design flaw we discovered in the Azure Guest Agent. An attacker can take advantage of this flaw to fetch the machine’s Administrator credentials in plaintext mode. We also released an open source diagnostic tool (binary here) that reports on any exposed plaintext credentials.

The flaw originated in one of the Azure Guest Agent plugins, the VM Access plugin. This plugin is a cross platform tool that allows administrators to reset any VM’s administrator password. However, after reset, the password remains on disk and is accessible to attackers who managed to compromise the machine.

As this security flaw still exists and puts Azure environments at risk, we believe it’s important to continuously verify whether your environment is vulnerable. To do that we integrated Azure password harvesting capabilities into the Infection Monkey.

How an Enterprise can be affected

We reported this issue to Microsoft approx. six months ago, together with two other vulnerabilities which they fixed, privilege escalation and Azure Guest Agent DOS which we will explore in the coming posts. “The technique described is not a security vulnerability and requires administrator privileges…” Microsoft said in a statement provided to Dark ReadingFor an attacker to gain Administrator privileges on a Windows machine is not that big of a deal. Many vulnerable services and applications already run using high privileges; it is common for  users to work with Administrator privileges on their machine and privilege escalation techniques are fixed by Microsoft from time to time.

Azure post infection monkey

Elevation of privileges vulnerabilities in Windows Server 2012 R2 fixed in the last six months

Holding an Administrator’s plaintext password is extremely powerful. First, it allows the attacker to try these credentials over different environments. For example, when stealing a password hash from a Windows machine the hash cannot be reused as is against services that don’t support Microsoft authentication protocols. With a plaintext password this restriction doesn’t exist. Second, a plaintext password can be easily manipulated. For example, if the stolen machine’s password is “AzureForTheWin1”, the attacker might follow this pattern and login (successfully) to the Azure portal using “AzureForTheWin!” as a password. Trying different variations can only exist with plaintext; with hash it would never be possible.

For these reasons, Microsoft has been working hard on credential security in recent versions of Windows, specifically on isolating secrets (with Windows Defender Credential Guard) such as NTLM password hashes, Kerberos Ticket Granting Tickets and domain credentials. Since Windows 8.1 and Windows Server 2012, the operating system has not kept plaintext passwords at all. Tools, such as the popular Mimikatz, steal these secrets by dumping the lsass (Local Security Authority Subsystem Service) process memory and – similarly to our flaw here – require high privileges.

Verifying you’re safe >> The Infection Monkey

Azure password infection monkey post

As part of the Infection Monkey’s credential stealing drill, the Monkey is programmed to identify whether it runs on an Azure machine and then check for configuration files belonging to the Azure VM Access plugin. Using built in OS provided tools, the Monkey extracts the username and passwords stored in the configuration file.

The Infection Monkey will then try to use the credentials it was able to extract to propagate across the network. The Infection Monkey security report will notify the user about any machine that stores recoverable plaintext credentials on its VM disk:

azure password infection monkey post

The Infection Monkey’s security report will warn you of machines with recoverable credentials on disk

This password harvesting capability along with Mimikatz which was already used by the Infection Monkey, help us expose bad credentials hygiene that attackers will surely take advantage of once your network is breached.

Summary

The Azure VM Plugins are powerful tools as they allow administrators to granularly configure and control cloud machines. These plugins however may have not received the same amount of attention as other parts in the Azure ecosystem. All of Microsoft’s latest defenses-in-depth techniques won’t help  if the administrator has at some point used this Azure plugin. Allowing an attacker to recover a plaintext administrator password is no longer acceptable in 2018 and we’re pretty sure it wouldn’t be accepted by the Microsoft Windows team today.

0 comments

Leave a Comment

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *