this post was submitted on 15 Jan 2024

Hello!

I've recently stumbled upon an amazing blog about getting credentials from a Bitwarden vault through DPAPI and Windows Credential Storage, and what surprised me is that any low-privileged process can just ask for all information in Credential Storage, without requiring any user input (the article discusses it in the second half, even though the first half is about abusing DA credentials), through the CredEnumerateW WinAPI call.

Since that vector was pretty interesting, I tried running their PoC for listing the cred storage on my and several colleagues' machines, and was surprised that every machine had domain account credentials listed in plaintext, which could be grabbed by any low-privileged process just by calling this WinAPI.

I suspected that it's because of Outlook or Teams, because I found articles from a few years ago mentioning that they do get saved there. However, one colleague did not have his credentials there, even though he was using Teams and Outlook and had his password saved.

So, how did that password get there? Why do most people we tried the PoC with have a domain password saved, but some do not? Or is it because of Windows Hello? I'd love to get some kind of solution/recommendation about how to avoid having your password, in plaintext, in such an insecure space. Or was I dumb enough to save it into Edge somewhere, and have promptly forgotten about it?

And more importantly - how is this not a pretty severe vulnerability, and why is it considered "as designed" by Microsoft? The fact that any process can just ask for your credentials is mind-blowing, plus it isn't even detected by the EDRs we've tried it with when discussing it with our SOC.
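An added example (not from the post or the blog it cites) for the question of how to find and get rid of such an entry: a read-only PowerShell audit of the current user's Credential Manager store built on the standard `cmdkey /list` output. It reports target, type and user name only and never touches the secret; the function name and the sample output are constructed for this example.

```powershell
# Parse `cmdkey /list` into objects and flag entries whose user name looks like
# a domain account, so the owner can review and remove them in Credential Manager.
# Read-only: the stored secret is never requested.
function Get-StoredCredentialSummary {
    [CmdletBinding()]
    param(
        # Text to parse; defaults to live cmdkey output. Pass captured text to run offline.
        [string[]]$CmdkeyOutput = (& cmdkey.exe /list)
    )
    $entries = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in $CmdkeyOutput) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            if ($current) { $entries.Add($current) }
            $current = [pscustomobject]@{ Target = $Matches[1]; Type = ''; User = ''; IsDomainAccount = $false }
        }
        elseif ($current -and $line -match '^\s*Type:\s*(.+?)\s*$') { $current.Type = $Matches[1] }
        elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.User = $Matches[1]
            # DOMAIN\user or user@domain.tld marks a domain account; flag it for review.
            $current.IsDomainAccount = $current.User -match '^[^\\@\s]+\\[^\\@\s]+$' -or
                                       $current.User -match '^[^\\@\s]+@[^\\@\s]+\.[^\\@\s]+$'
        }
    }
    if ($current) { $entries.Add($current) }
    return $entries
}

# Constructed sample of cmdkey /list output (not captured from a real machine).
$sample = @'
Currently stored credentials:

    Target: Domain:target=TERMSRV/fileserver01
    Type: Domain Password
    User: CORP\jdoe
    Local machine persistence

    Target: LegacyGeneric:target=ExampleApp:session
    Type: Generic
    User: jdoe@corp.example

    Target: LegacyGeneric:target=git:https://git.example
    Type: Generic
    User: localuser
'@ -split "`r?`n"

# Offline run against the sample; drop -CmdkeyOutput to audit the current user's store.
Get-StoredCredentialSummary -CmdkeyOutput $sample |
    Where-Object IsDomainAccount |
    Format-Table Target, Type, User -AutoSize
```

On the sample this lists the two domain-account entries (CORP\jdoe and jdoe@corp.example) and skips the local one; an entry you do not recognise can then be removed from Control Panel > Credential Manager or with `cmdkey /delete`.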

top 9 comments
[email protected] 6 points 1 year ago

You could remove or change it and see what breaks.

[email protected] 6 points 1 year ago

Domain credentials are locally cached so you are able to log into a machine even if a DC is unavailable.

[email protected] 3 points 1 year ago

Yup, it was a huge pain in the ass when my password expired and I had to figure out which of the 50 servers I logged into over the past month had it cached and would lock me out constantly.

It was such an issue that I even wrote software to figure it out for me.

[email protected] 3 points 1 year ago

Time to join the dark side.

You don't need Windows. You don't need this job. No one will ever force the Windows upon you *handwave*

[email protected] 3 points 1 year ago

That was my old job. Now I only use windows to manage an aws directory service occasionally. Everything else is RHEL.

[email protected] 2 points 1 year ago

Probably you tried to authenticate a network share connection with your password and clicked the option to remember it?

[email protected] 2 points 1 year ago

Hmm, I think all of our shares are using domain accounts, which should authenticate automatically without requiring you to enter credentials, as long as you are logged in with an account that has access, AFAIK. I don't remember logging in to any share, so I think that's not it.

[email protected] 2 points 1 year ago

Except this doesn't work as faultlessly as you expect. If your DC is not reachable for some reason when you log in, you'll have to authenticate afterwards to actually access the share (if the share even loaded properly, because this tends to happen in the login phase).

This is not to say there are no security risks in what is happening, but this situation is much, much more common than you think. And having to authenticate again at that point is actually more secure than just assuming you have access because your username exists or you authenticated against cached credentials.

crazyCat 2 points 1 year ago

I don’t know but sounds troubling, good find.