Posts

Showing posts from 2021

#OMIGOD - CVE-2021-38647

Image
Hello All, In this blog post, we will explore the Unauthenticated Remote Code Execution vulnerability discovered by the WIZ team in Azure Open Management Infrastructure (OMI) application that was assigned a CVE ID - CVE-2021-38647. The blog post published by the WIZ team contains all the details that are required to exploit the vulnerability if a vulnerable instance is available. While reading the blog post, we thought of reproducing the scenario and create some quick PoC to exploit the vulnerability. We are releasing Proof of Concept (PoC) code in PowerShell & Python. The PoC code is published on the Github repo . About Azure Open Management Infrastructure (OMI) OMI is a UNIX/Linux application installed on the Azure UNIX/Linux VM that allows users to manage the machine & configuration remotely & locally. It is equivalent to Windows WMI that uses the Common Information Model (CIM). It runs with root privileges. The OMI application gets installed automatically when service...

Abusing Resource-Based Constrained Delegation (RBCD) using Linux

Image
Hello All, In this post we will discuss on how to perform Resource-Based Constrained Delegation (RBCD) attack from an Linux machine to be specific we will use Kali Linux as an attacker machine. RBCD attacks is already been explained in detailed by  Will Schroeder ,  Elad Shamir  &  Dirk-jan Mollema  in their blog posts.  What is Resource-Based Constrained Delegation (RBCD) ? In Windows Server 2012 Microsoft introduced a new type of delegation wherein the Service Administrators or Owner of the resources are allowed to configure which accounts are trusted to delegate to them. As per the Microsoft Docs this can also be configured across the domains.  This also shifts the decision of whether a server should trust the source of a delegated identity from the delegating-from domain administrator to the resource owner. Access is controlled by the security descriptor on the target resource instead of an list of SPN records. The security descriptor are stor...