Last week we published a post about a security design flaw we discovered in the Azure Guest Agent. An attacker can take advantage of this flaw to fetch the machine’s Administrator credentials in plaintext. We also released an open source diagnostic tool (binary here) that reports on any exposed plaintext credentials.
The flaw originated in one of the Azure Guest Agent plugins, the VM Access plugin. This plugin is a cross-platform tool that allows administrators to reset any VM’s administrator password. However, after the reset, the password remains on disk and is accessible to attackers who have managed to compromise the machine.
As this security flaw still exists and puts Azure environments at risk, we believe it’s important to continuously verify whether your environment is vulnerable. To do that, we integrated Azure password harvesting capabilities into the Infection Monkey.
How an Enterprise can be affected
We reported this issue to Microsoft approximately six months ago, together with two other vulnerabilities, a privilege escalation and an Azure Guest Agent DoS, which they fixed and which we will explore in the coming posts. “The technique described is not a security vulnerability and requires administrator privileges…” Microsoft said in a statement provided to Dark Reading. For an attacker to gain Administrator privileges on a Windows machine is not that big of a deal. Many vulnerable services and applications already run with high privileges; it is common for users to work with Administrator privileges on their machines, and Microsoft fixes privilege escalation vulnerabilities from time to time.
Elevation of privileges vulnerabilities in Windows Server 2012 R2 fixed in the last six months
Holding an Administrator’s plaintext password is extremely powerful. First, it allows the attacker to try these credentials across different environments. For example, a password hash stolen from a Windows machine cannot be reused as is against services that don’t support Microsoft authentication protocols. With a plaintext password this restriction doesn’t exist. Second, a plaintext password can be easily manipulated. For example, if the stolen machine’s password is “AzureForTheWin1”, the attacker might follow this pattern and log in (successfully) to the Azure portal using “AzureForTheWin!” as the password. Trying such variations is only possible with a plaintext password; it would never be possible with a hash.
For these reasons, Microsoft has been working hard on credential security in recent versions of Windows, specifically on isolating secrets such as NTLM password hashes, Kerberos Ticket Granting Tickets and domain credentials (with Windows Defender Credential Guard). Since Windows 8.1 and Windows Server 2012, the operating system has not kept plaintext passwords at all. Tools such as the popular Mimikatz steal these secrets by dumping the memory of the lsass (Local Security Authority Subsystem Service) process and, similarly to our flaw here, require high privileges.
Verifying you’re safe >> The Infection Monkey
As part of the Infection Monkey’s credential stealing drill, the Monkey is programmed to identify whether it runs on an Azure machine and then check for configuration files belonging to the Azure VM Access plugin. Using built-in, OS-provided tools, the Monkey extracts the username and password stored in the configuration file.
The Infection Monkey will then try to use the credentials it was able to extract to propagate across the network. The Infection Monkey security report will notify the user about any machine that stores recoverable plaintext credentials on its VM disk:
The Infection Monkey’s security report will warn you of machines with recoverable credentials on disk
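One way to run the same check on your own hosts, as an added example that is not Infection Monkey or Azure code: it flags a host that still carries VM Access plugin settings files on disk, the artifact the post describes, and stops at file metadata rather than extracting anything. The plugin root and the plugin folder name are assumptions based on the usual Azure Guest Agent layout, not values from the post; adjust them for your environment. The sample directory layout built by `build_sample_plugin_root` is constructed test data.

```python
"""Audit check: does this host still hold Azure VM Access plugin settings on disk?

Added example, not Infection Monkey or Azure code. Collects only file
metadata (path, size, age) so that no credential material is ever read.
"""
import os
import socket
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional

# Assumed default location of Azure Guest Agent plugins and the folder name of
# the VM Access plugin. Both are assumptions, not values from the original post.
DEFAULT_PLUGIN_ROOT = r"C:\Packages\Plugins"
VMACCESS_PLUGIN_DIR = "Microsoft.Compute.VMAccessAgent"
SETTINGS_SUFFIX = ".settings"
SECONDS_PER_DAY = 86400.0


@dataclass
class Finding:
    path: str
    size_bytes: int
    age_days: float


def find_vmaccess_settings(plugin_root: str, now: Optional[float] = None) -> List[Finding]:
    """Return one Finding per settings file under the VM Access plugin folder.

    Walks every subdirectory of the plugin folder, so it does not depend on the
    exact version/RuntimeSettings layout. File contents are never opened.
    """
    now = time.time() if now is None else now
    plugin_dir = os.path.join(plugin_root, VMACCESS_PLUGIN_DIR)
    findings: List[Finding] = []
    if not os.path.isdir(plugin_dir):
        return findings
    for dirpath, _dirnames, filenames in os.walk(plugin_dir):
        for name in filenames:
            if not name.lower().endswith(SETTINGS_SUFFIX):
                continue
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            findings.append(Finding(full, st.st_size, (now - st.st_mtime) / SECONDS_PER_DAY))
    return sorted(findings, key=lambda f: f.path)


def build_report(findings: List[Finding], hostname: Optional[str] = None) -> dict:
    """Summarise findings the way a security report would: one verdict per host."""
    hostname = hostname or socket.gethostname()
    exposed = any(f.size_bytes > 0 for f in findings)
    oldest = max((f.age_days for f in findings), default=0.0)
    if exposed:
        verdict = ("VM Access plugin settings present on disk; treat the administrator "
                   "password set through the plugin as recoverable by any local administrator")
    else:
        verdict = "no VM Access plugin settings found on disk"
    return {
        "host": hostname,
        "vmaccess_settings_files": len(findings),
        "recoverable_credentials_on_disk": exposed,
        "oldest_settings_age_days": round(oldest, 1),
        "verdict": verdict,
    }


def build_sample_plugin_root(with_settings: bool, age_days: float = 30.0) -> str:
    """Create a constructed plugin layout in a temp dir (test fixture, not real data)."""
    root = tempfile.mkdtemp(prefix="plugins-")
    # Constructed version/RuntimeSettings subfolders; the scanner does not rely on them.
    runtime = os.path.join(root, VMACCESS_PLUGIN_DIR, "0.0.0.0", "RuntimeSettings")
    os.makedirs(runtime)
    if with_settings:
        path = os.path.join(runtime, "0.settings")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("{}")  # placeholder body; a real file would hold the plugin's settings
        old = time.time() - age_days * SECONDS_PER_DAY
        os.utime(path, (old, old))
    return root


if __name__ == "__main__":
    # Run against the assumed default plugin root on the current host.
    print(build_report(find_vmaccess_settings(DEFAULT_PLUGIN_ROOT)))
```

Run it as a scheduled check or from your configuration management tool and forward the `recoverable_credentials_on_disk` flag to wherever you track hygiene findings; a host that reports `True` has had its password reset through the plugin at some point and the post's finding applies to it.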
This password harvesting capability, along with the Mimikatz collection the Infection Monkey already performs, helps us expose bad credential hygiene that attackers will surely take advantage of once your network is breached.
The Azure VM plugins are powerful tools, as they allow administrators to granularly configure and control cloud machines. These plugins, however, may not have received the same amount of attention as other parts of the Azure ecosystem. All of Microsoft’s latest defense-in-depth techniques won’t help if the administrator has at some point used this Azure plugin. Allowing an attacker to recover a plaintext administrator password is no longer acceptable in 2018, and we’re pretty sure it wouldn’t be accepted by the Microsoft Windows team today.