RedTeamPT's comments (Hacker News)

Actually it is not just an issue with AD design, but the AD design only makes it slightly worse. The underlying issue is that biometrics are not required to retrieve the biometric key from DPAPI and instead of authenticating with Windows Hello, any program could just simply ask DPAPI for the key.


My understanding from a quick reading is that Bitwarden essentially used Windows Hello to ask "is the user there" and if so, asked DPAPI to give Bitwarden the secret vault credentials, which it happily did because that's its job.

The problem with this was that the vault credentials in DPAPI were not safe from other programs running as the user, nor from domain admins, who could use the recovery key stored on the AD server (which they did in their attack after gaining admin access).

The solution was to use Windows Hello the way it was meant. That is, to store an asymmetric key pair, where the private key is hidden and protected by the biometrics or hardware security key, and use that to encrypt the secret vault credentials before storing them in DPAPI.


Have you looked into how (whether?) Windows Hello actually checks which app is asking it to perform a private key operation?

On Android, this is tied to the app UID, and on iOS/macOS it's tied (I believe) to the developer team identifier. Hopefully there's a similar mechanism on Windows...?


It doesn't, or at least it doesn't for traditional applications. UWP (store apps) might, but I've never seen it.

To be fair, identifying an app when not delivered through some locked down store mechanism is actually problematic. DPAPI is tied to the user/machine account along with additional entropy provided by the application itself. It would be nice if MS added an option for DPAPI to use a hash of the name blessed by a CA in a valid code signing cert. However, that wouldn't matter in this case, since they had domain admin and could easily manipulate the cert store.


Self-signed code signing certificates would seem to be a good compromise (like e.g. Android does it).

Even a hash over the executable (+loaded DLLs) would work in a pinch. Breaks app binary updates, but for a “stay logged in and unlock via biometrics“ feature (as opposed to “store this credential forever”), that might be acceptable.


Yes, it requires an attacker in a powerful position with local access. However, it does not require special privileges or techniques that may trigger endpoint security (such as keyloggers or memory dumping). The only requirements are reading a JSON file and making a single Windows API call to retrieve the key.


It sounds like this required both local access AND an Active Directory Domain Administrator account (which should have triggered EDR at some point), which is the end game anyway. They just managed to hop out of the AD environment to a non-AD server because of the other password being in this vault. Glad they made it more user interactive to decrypt.


No, the final one only required local access as the user in question (this is mentioned after the one you're referring to that required AD Domain takeover).


Ah yeah.

1. Off-workstation decrypt using the AD DPAPI backup keys.

2. Local DPAPI list and dump for the Windows Hello biometric key.


Do hardware keyloggers trigger endpoint security?


A hardware keylogger has to sit as a MitM between the keyboard and the USB port.

Sufficiently paranoid endpoint security could trip when the keyboard is unplugged and then plugged back in.


That must have a lot of false positives for all but the most paranoid environments.


No, but hardware keylogger require physical access.


What is the difference between "physical access" and "powerful position with local access"


It's the difference between the evil maid attack (someone sneaks a keylogger into your turned-off machine whilst cleaning your room) vs local privilege escalation (the sysadmin installs a game and now your entire network is owned).


I asked ChatGPT "where can I buy hardware keyloggers".

It just shut me down "I can't assist with that request."



They do not


Good point.


Yes, it requires an attacker in a powerful position but it does not require physical access. Any program that runs in the user's session (without any special privileges) could have autonomously retrieved the biometric key and decrypted the vault without user interaction and without Bitwarden running.
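The two designs discussed earlier in the thread (Windows Hello used only as a "is the user there" check in front of a DPAPI blob, versus a Hello-protected private key that wraps the secret before it ever reaches DPAPI) and the attacker requirement stated in this comment and the one further up (a process in the user's session, one API call, no prompt), as an added example that is not part of the thread and not Bitwarden's code. It assumes Windows PowerShell 5.1 on a machine with Windows Hello enrolled; the credential name `ExampleVault-HelloKey`, the random "vault key", the challenge and all helper function names are this example's own. Because `KeyCredentialManager` only exposes signing, the example derives a symmetric wrapping key from the signature over a stored challenge, which relies on Windows Hello's RSA PKCS#1 v1.5 signatures being deterministic; this is one way to bind the secret to the Hello key, not a description of how Bitwarden implemented its fix.

```powershell
# Added example, not code from the HN thread or from Bitwarden. Needs Windows PowerShell 5.1 on a
# machine with Windows Hello enrolled; the credential name and the "vault key" are made up here.
Add-Type -AssemblyName System.Security                 # System.Security.Cryptography.ProtectedData = DPAPI
Add-Type -AssemblyName System.Runtime.WindowsRuntime   # WinRT interop: IBuffer conversion, AsTask
[void][Windows.Security.Credentials.KeyCredentialManager, Windows.Security.Credentials, ContentType = WindowsRuntime]
[void][Windows.Security.Credentials.KeyCredentialRetrievalResult, Windows.Security.Credentials, ContentType = WindowsRuntime]
[void][Windows.Security.Credentials.KeyCredentialOperationResult, Windows.Security.Credentials, ContentType = WindowsRuntime]

$Scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$Buf   = [System.Runtime.InteropServices.WindowsRuntime.WindowsRuntimeBufferExtensions]

# PowerShell 5.1 has no 'await': run a WinRT IAsyncOperation<T> to completion via AsTask<T>.
$asTask = [System.WindowsRuntimeSystemExtensions].GetMethods() | Where-Object {
    $_.Name -eq 'AsTask' -and $_.GetParameters().Count -eq 1 -and
    $_.GetParameters()[0].ParameterType.Name -eq 'IAsyncOperation`1' } | Select-Object -First 1
function Await-WinRT($Operation, [Type]$ResultType) {
    $task = $asTask.MakeGenericMethod($ResultType).Invoke($null, @($Operation))
    $task.Wait(); $task.Result
}
function New-RandomBytes([int]$Count) {
    $b = New-Object byte[] $Count
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($b); $b
}
function Test-SameBytes([byte[]]$A, [byte[]]$B) {
    [System.BitConverter]::ToString($A) -eq [System.BitConverter]::ToString($B)
}

# ---- Design A (the pattern the thread describes as broken) --------------------------------------
# Hello only answers "is the user here?"; the unlock key itself is protected by DPAPI alone.
[byte[]]$vaultKey = New-RandomBytes 32
$blobA = [System.Security.Cryptography.ProtectedData]::Protect($vaultKey, $null, $Scope)

# Attacker's view: any process in this user's session, no prompt, no elevation, one API call.
[byte[]]$stolen = [System.Security.Cryptography.ProtectedData]::Unprotect($blobA, $null, $Scope)
"Design A: attacker recovered the key without biometrics: $(Test-SameBytes $stolen $vaultKey)"

# ---- Design B: wrap the key with a Windows Hello protected private key before it touches DPAPI ----
# KeyCredentialManager exposes only signing, so this example derives a wrapping key from the
# signature over a fixed challenge (assumption: Hello's RSA PKCS#1 v1.5 signatures are deterministic).
function Get-HelloWrapKey([string]$Name, [byte[]]$Challenge, [switch]$Create) {
    $KCM = [Windows.Security.Credentials.KeyCredentialManager]
    $op  = if ($Create) { $KCM::RequestCreateAsync($Name, [Windows.Security.Credentials.KeyCredentialCreationOption]::ReplaceExisting) }
           else         { $KCM::OpenAsync($Name) }
    $res = Await-WinRT $op ([Windows.Security.Credentials.KeyCredentialRetrievalResult])
    if ($res.Status -ne 'Success') { throw "Windows Hello: $($res.Status)" }
    # The private key never leaves Hello; this call is what puts the biometric/PIN prompt on screen.
    $sig = Await-WinRT ($res.Credential.RequestSignAsync($Buf::AsBuffer($Challenge))) ([Windows.Security.Credentials.KeyCredentialOperationResult])
    if ($sig.Status -ne 'Success') { throw "Windows Hello sign: $($sig.Status)" }
    [System.Security.Cryptography.SHA256]::Create().ComputeHash($Buf::ToArray($sig.Result))
}
function Protect-WithKey([byte[]]$Key, [byte[]]$Plain) {     # AES-256-CBC/PKCS7, IV prepended
    $aes = [System.Security.Cryptography.Aes]::Create(); $aes.Key = $Key; $aes.GenerateIV()
    [byte[]]($aes.IV + $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length))
}
function Unprotect-WithKey([byte[]]$Key, [byte[]]$Data) {
    $aes = [System.Security.Cryptography.Aes]::Create(); $aes.Key = $Key; $aes.IV = [byte[]]$Data[0..15]
    $aes.CreateDecryptor().TransformFinalBlock($Data, 16, $Data.Length - 16)
}

$credName = 'ExampleVault-HelloKey'       # hypothetical credential name
[byte[]]$challenge = New-RandomBytes 32

# Enrolment (one Hello prompt): DPAPI now only ever sees challenge + ciphertext.
[byte[]]$wrapKey = Get-HelloWrapKey $credName $challenge -Create
[byte[]]$wrapped = Protect-WithKey $wrapKey $vaultKey
$blobB = [System.Security.Cryptography.ProtectedData]::Protect([byte[]]($challenge + $wrapped), $null, $Scope)

# Attacker's view: DPAPI still hands the blob over, but the key is not in it.
[byte[]]$leaked = [System.Security.Cryptography.ProtectedData]::Unprotect($blobB, $null, $Scope)
$plaintextKeyVisible = [System.BitConverter]::ToString($leaked).Contains([System.BitConverter]::ToString($vaultKey))
"Design B: attacker got $($leaked.Length) bytes; vault key visible in them: $plaintextKeyVisible"

# Legitimate unlock: re-deriving the wrapping key forces a Windows Hello prompt the user must satisfy.
[byte[]]$wrapKey2  = Get-HelloWrapKey $credName ([byte[]]$leaked[0..31])
[byte[]]$unwrapped = Unprotect-WithKey $wrapKey2 ([byte[]]$leaked[32..($leaked.Length - 1)])
"Design B: app recovered the key after the Hello prompt: $(Test-SameBytes $unwrapped $vaultKey)"
```

To reproduce the cross-process angle, run the two "attacker's view" `Unprotect` lines from a second, unrelated PowerShell process started as the same user: DPAPI's CurrentUser scope does not care which executable is calling, so they behave exactly as above. The same holds for DPAPI's optional entropy parameter, which an application must store somewhere a same-user process can read it. In design B an attacker process can still call `RequestSignAsync` with the leaked challenge itself, but that puts a Windows Hello prompt on the user's screen, which is the "more user interactive" behaviour mentioned in the thread. The AES-CBC wrapping has no authentication tag; tampering yields a wrong key rather than a silent success, but a production implementation should use an AEAD mode where the platform offers one.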


They mentioned not wanting to use keyloggers which would be their standard approach.


Not that we are aware of. The security model of Android and iOS also makes it much easier to implement biometric unlock correctly.


RedTeam Pentesting GmbH | Penetration Tester | Aachen, Germany | ONSITE | Full-time

Founded in 2004, RedTeam Pentesting helps numerous national and international companies in performing penetration tests for a wide variety of products, networks, websites and applications. By focusing solely on penetration tests, RedTeam Pentesting is able to provide high technical skill and impartial advice to our customers. We only conduct hands-on penetration tests, no vulnerability scanners involved.

What we're looking for:

- Analytical thinking and motivation to learn new things

- Experience in offensive IT-security (i.e. Pentests, CTFs, exploit development)

- Knowledge of common networking protocols and topologies

- Ability to work with Linux and Windows

- Scripting/programming skills

- Very good German and good English

- Willingness to relocate to Aachen

- Ideally university degree or comparable education

- Pass a criminal record check

Our website: https://jobs.redteam-pentesting.de

