Azure VM Insights Elevation of Privilege Vulnerability

In this blog, we present an arbitrary file delete vulnerability in Azure VM Insights that leads to elevation of privilege (EoP).


## Background


Azure VM Insights is a component that helps monitor your virtual machines and virtual machine scale sets. It displays an inventory of your existing VMs and provides a guided experience to enable base monitoring for them. It also monitors the performance and health of your virtual machines and virtual machine scale sets by collecting data on their running processes and their dependencies on other resources.


Administrators can enable the VM Insights feature for VMs in Azure through the Azure portal. This lets administrators continuously monitor the operational status of multiple VMs in the cloud via the VM Insights dashboard, without needing to log in to specific VMs. Therefore, Azure VM Insights is widely used in complex cloud environments for real-time monitoring of multiple hosts.


Once the VM Insights feature is enabled, the corresponding VM Insights Agent (MonAgentCore.exe) is installed on the VM and runs with elevated privileges. The Agent collects VM performance data and generates the relevant log files. Additionally, the Agent's working directory, `C:\Resources\Directory\AMADataStore.{COMPUTER_NAME}`, is created. Subdirectories under this directory store the various kinds of telemetry data collected by the Agent. When necessary, the Agent reads the stored telemetry data and uploads it to the cloud, and administrators can then view and analyze this data through the VM Insights dashboard. Detailed information can be found [here](https://learn.microsoft.com/en-us/azure/azure-monitor/insights/insights-overview).

Figure: Azure VM Insights panel

Because Azure VM Insights is widely deployed in enterprise cloud environments, the Azure VM Insights Agent is present on a large number of cloud hosts. Consequently, any security issue in it could pose significant risk to enterprise servers. Moreover, since the Agent operates with elevated privileges, it is an attractive target for elevation of privilege vulnerability hunting. We therefore invested some time in security research on the Azure VM Insights Agent and identified several issues. Unfortunately, MSRC classified them as "Moderate" and declined to address them.



## The Vulnerability


When analyzing the behavior of the local VM Insights Agent, we discovered that MonAgentCore.exe periodically enumerates and deletes files matching `C:\Resources\Directory\AMADataStore.{COMPUTER_NAME}\Packets\*.tpf`. Although we did not find any information about what `.tpf` files are used for, we quickly realized that this could be vulnerable to path redirection attacks.


The only obstacle is that the default security attributes of `C:\Resources\Directory\AMADataStore.{COMPUTER_NAME}\Packets` do not allow a normal user to turn it into a junction pointing to an arbitrary location. However, if a malicious normal user creates this directory before the VM Insights Agent is installed, they retain full control over it. Once VM Insights is enabled, this allows an attacker to perform arbitrary file deletion by creating symbolic links from `C:\Resources\Directory\AMADataStore.{COMPUTER_NAME}\Packets\*.tpf` to arbitrary files.

Figure: Procmon logs

Since the Agent performs these deletion operations periodically (approximately every few minutes), an attacker only needs to create the symbolic link and wait a few minutes for the deletion to occur.
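The following audit script is an added example written from a defender's standpoint; it is not code from the original post or from Microsoft. It checks the two conditions described above on a host: a `Packets` directory owned by or writable for a non-privileged principal (the pre-creation precondition), and reparse points under it that would redirect the Agent's periodic `*.tpf` deletes. The paths are taken from the article; the `$trustedPrincipals` list is an assumption to adjust per host, and the script should be run from an elevated prompt so the ACLs can be read.

```powershell
# Added audit example (not from the original post). Paths are from the article;
# the trusted-principal list is an assumption and should match the host's admins.
$storeRoot = 'C:\Resources\Directory'
$trustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
# Rights that let a principal replace, redirect or re-permission directory contents.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
$findings = @()

foreach ($store in Get-ChildItem -Path $storeRoot -Directory -Filter 'AMADataStore.*' -ErrorAction SilentlyContinue) {
    $packets = Join-Path $store.FullName 'Packets'
    if (-not (Test-Path -LiteralPath $packets)) { continue }

    # Condition 1: who owns the Packets directory, and which Allow ACEs grant write-capable rights.
    # A directory created by a normal user before the Agent was installed is owned by that user.
    $acl = Get-Acl -LiteralPath $packets
    if ($trustedPrincipals -notcontains $acl.Owner) {
        $findings += "OWNER: $packets is owned by '$($acl.Owner)', not a trusted principal"
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trustedPrincipals -contains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        # Negative values carry generic rights (e.g. GENERIC_WRITE); treat them as write-capable.
        if (($rights -lt 0) -or (($rights -band $writeMask) -ne 0)) {
            $findings += "ACL: '$($ace.IdentityReference)' holds $($ace.FileSystemRights) on $packets"
        }
    }

    # Condition 2: the directory itself, or any *.tpf entry, is a junction or symbolic link.
    $items = @(Get-Item -LiteralPath $packets -Force) +
             @(Get-ChildItem -LiteralPath $packets -Filter '*.tpf' -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        if (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
            $findings += "REPARSE: $($item.FullName) is a $($item.LinkType) -> $($item.Target)"
        }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Any OWNER or ACL finding means the pre-creation precondition holds and the directory's ownership and ACL should be reset to SYSTEM/Administrators before (or after) enabling VM Insights; a REPARSE finding on this path is a strong indicator that redirection is already in place.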




### From Arbitrary File Deletes to Code Execution


The technical details of how to escalate from arbitrary file deletes to arbitrary code execution are not the focus of this article. However, it is feasible, and there are publicly available [articles](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks) that explain the relevant technical details. Readers can explore them on their own.





### Timeline

2023.12.18  Report submitted.

2023.12.21  We provided additional information.

2023.12.23  MSRC responded: "We have taken a note of this."

2024.01.11  We asked for an update but got no response.

2024.01.29  We asked for an update together with other cases.

2024.01.30  MSRC responded: "this case has been assessed as Moderate severity and does not meet MSRCs bar for immediate servicing"

2024.01.30  We once again emphasized the seriousness of this vulnerability, asked MSRC to review it again, and informed them that we would make the vulnerability details public in a few weeks.

2024.01.31  MSRC responded: "Our dedicated team is actively investigating your findings, and we will keep you informed of any changes to the severity rating as we progress."

2024.02.21  We notified MSRC of the date the details would be made public.

2024.02.26  We sent this article to MSRC.

2024.03.01  Details released.

2024.05.16  Vulnerability patched (CVE-2024-30060).