I Am Whoever I Say I Am: Infiltrating Identity Providers Using a 0Click Exploit

The presentation discusses a vulnerability in VMware's vRealize Operations Manager that allows for pre-authenticated remote code execution and root access.

• The vulnerability is caused by a deserialization flaw in the Apache Flex BlazeDS library used by vRealize Operations Manager.
• The exploit requires no outbound network access and works on default installations.
• The presentation provides a demo of the exploit achieving root access.
• Defenders should not rely on a single point of failure and should follow protocol specifications and watch for unsafe defaults.
• Attackers should check protocol implementations and vulnerabilities should be combined to increase effectiveness.

The presenter discovered a class called license checker that allowed for an authentication bypass without requiring outbound network access. This allowed the exploit to be targeted at the cloud. The exploit also modified the sudo script but cleaned up after itself.

Single Sign On (SSO) has become the dominant authentication scheme to login to several related, yet independent, software systems. At the core of this are the identity providers (IdP). Their role is to perform credential verification and to supply a signed token that service providers (SP) can consume for access control.On the other hand, when an application requests resources on behalf of a user and they're granted, then an authorization request is made to an authorization server (AS). The AS exchanges a code for a token which is presented to a resource server (RS) and the requested resources are consumed by the requesting application.Whilst OAuth2 handles authorization, and SAML handles authentication and as such Identity and Access Management (IAM) solutions have become very popular in the enterprise environment to handle both use cases. What if IAM solutions are vulnerable to critical remote attacks? They need to be exposed on the internet, trusted to guard identities and facilitate access to hundreds if not thousands of users and applications.To begin with, I will cover the foundational use-case for IAM solutions and some past in the wild attacks (ITW) attacks with the extent of their impact.Continuing, I will present the approach I took with the audit including the challenges and pitfalls that I was faced with and how I overcame them. The result concluding with an unauthenticated remote code execution as root by chaining multiple vulnerabilities on a very popular IAM solution used by several Fortune 500 companies and government organizations.The vulnerabilities will be discussed in detail including novel exploitation strategies for bypassing strict outbound network access. Finally, a live demo will be presented with a release of functional exploit code so that penetration testers and network administrators can validate and remediate these critical findings.