Synopsis:

Unprotected administrative access to Challenge-Response shared key can lead to Privilege Escalation.

Impacted Product:

Privilege Management for Windows (PMfW)

Summary:

A medium severity vulnerability was discovered and verified in BeyondTrust’s Privilege Management for Windows (PMfW) where, under certain configuration scenarios and with administrative privileges, an attacker can generate challenge codes leading to local elevation of privileges.

The Challenge Response feature of the Privilege Management for Windows (PMfW) product utilizes a shared key, unique to a configuration, which is distributed to endpoints for subsequent offline verification of response codes. This shared key is encrypted before being included in the configuration file.

With administrative privileges on a local machine and enhanced protections not configured, it is possible to reverse engineer the algorithm used to generate response codes and either decrypt the shared key in the configuration file or obtain the shared key via direct memory access techniques. With access to the algorithm and the shared key, it is then possible to self-generate response codes to bypass the Challenge Response portion of PMfW messages. It is worth noting that audit events, if configured, will continue to function as intended.

As the shared key is a per-configuration value, this exploit can then be used on other machines using the same configuration.

Attack Vector(s):

The main threat is access to the shared key. It has been obtained via the following methods, both of which require administrative privileges and enhanced protections to be disabled:

  1. Decryption of the encrypted shared key from the PMfW configuration file.
  2. Obtaining the shared key from memory via a debugger after decryption occurs.

Mitigation:

Privilege Management for Windows' Anti-Tamper Mechanism: PMfW's anti-tamper mechanisms ensure that anything elevated by the product is unable to tamper with the product through the use of a restricted group added to its security descriptor. As both of the attack vectors described require full administrative access to perform, they cannot be accomplished via a process elevated by the product.

Enable 'Agent Protection' Feature: The Agent Protection feature introduces protections against full administrator accounts, reducing their ability to access PMfW files and processes (amongst other items). If enabled, this protection prevents both of the attack vectors described above.

Configuration Hardening: Configuration hardening can be applied to messages using the Challenge Response feature by adding further authentication requirements, such as a password prompt.

BeyondTrust would like to acknowledge Marcelo Toran and the Swiss Re team for reporting this issue.

References:

  1. https://www.cve.org/CVERecord?id=CVE-2023-49944