Last week we published a post about a security design flaw we discovered in the Azure Guest Agent. An attacker can take advantage of this flaw to fetch the machine's Administrator credentials in plaintext. We also released an open source diagnostic tool (binary here) that reports on any exposed plaintext credentials.

The flaw originates in one of the Azure Guest Agent plugins, the VM Access plugin. This plugin is a cross-platform tool that allows administrators to reset any VM's administrator password. However, after the reset, the password remains on disk and is accessible to any attacker who has already compromised the machine.

As this security flaw still exists and puts Azure environments at risk, we believe it is important to continuously verify whether your environment is vulnerable. To do that, we integrated Azure password harvesting capabilities into the Infection Monkey.

How an Enterprise can be affected

We reported this issue to Microsoft approximately six months ago, together with two other vulnerabilities which they have since fixed: a privilege escalation and an Azure Guest Agent DoS, both of which we will explore in the coming posts. "The technique described is not a security vulnerability and requires administrator privileges…" Microsoft said in a statement provided to Dark Reading. Gaining Administrator privileges on a Windows machine is not that big of a deal for an attacker: many vulnerable services and applications already run with high privileges, it is common for users to work with Administrator privileges on their own machines, and privilege escalation techniques are fixed by Microsoft from time to time.