privilege escalation on PowerShell 5.0 Fails if using aws ssm connection plugin · Issue #67119 · ansible/ansible · GitHub
privilege escalation on PowerShell 5.0 Fails if using aws ssm connection plugin #67119
Closed as not planned
@raphaelschnaitl

SUMMARY

Privilege escalation (become) causes problems when running against Windows using the aws_ssm connection plugin (introduced in this MR) on devel.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

win_shell
become

ANSIBLE VERSION
ansible 2.10.0.dev0
  config file = None
  configured module search path = ['/Users/rschn/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/rschn/Source/siemens/ansible/lib/ansible
  executable location = /Users/rschn/Source/siemens/ansible/bin/ansible
  python version = 3.7.6 (default, Dec 30 2019, 19:38:26) [Clang 11.0.0 (clang-1100.0.33.16)]

CONFIGURATION
OS / ENVIRONMENT

Target OS:
Microsoft Windows Server 2016 Base
The issue is not present on Windows Server 2012, at least as long as PowerShell is not updated. If I update PowerShell on Windows 2012, I get the same error. It looks PowerShell related.

PS Microsoft.PowerShell.Core\FileSystem::\\host\sinequa-data\configuration> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.14393.3383
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.3383
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
STEPS TO REPRODUCE
  • You need an AWS EC2 instance as host to test this through the aws ssm connection plugin.
  • The instance needs the required permissions to access AWS SSM (AmazonSSMRoleForInstancesQuickSetup).
  • You need local AWS credentials and permissions that allow interacting with the target machine through SSM Session Manager.
  • AWS CLI and AWS SSM Session Manager plugin installed on the control machine
  • a host configuration:
all:
  hosts:
    config_node:
      ansible_aws_ssm_instance_id: your_instance_id
      ansible_shell_type: powershell

If helpful, I can create an instance and provide temporary creds over PMs; just let me know on Keybase.

The following task fails:

- name: generate engine configuration
  vars:
    ansible_become: yes
    ansible_become_method: runas
    ansible_become_user: "{{ service_user_account }}"
    ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
    ansible_become_password: "{{ service_user_password }}"
  win_whoami:
#  win_shell: "echo \"test\" >\"{{ unc_data_path }}configuration\\engines\\{{ engine_name }}.xml\""
#  win_copy:
#    dest: "{{ unc_data_path }}configuration\\engines\\{{ engine_name }}.xml"
#    force: yes
#    content: "{{ lookup('template', './Engine.xml') }}"
EXPECTED RESULTS

Configuring privilege escalation should not cause errors.

ACTUAL RESULTS
fatal: [ConfigNode_staging]: FAILED! => 
{
  "changed": false,
  "module_stderr": "",
  "module_stdout":"
{
  "impersonation_level": "SecurityAnonymous",
  "user_flags": [],
  "changed": false,
  "upn": "",
  "logon_type": "NewCredentials",
  "privileges": {
    "SeChangeNotifyPrivilege": "enabled-by-default",
    "SeRemoteShutdownPrivilege": "enabled-by-default",
    "SeBackupPrivilege": "enabled-by-default",
    "SeLoadDriverPrivilege": "enabled-by-default",
    "SeSystemProfilePrivilege": "enabled-by-default",
    "SeShutdownPrivilege": "enabled-by-default",
    "SeCreatePagefilePrivilege": "enabled-by-default",
    "SeSystemEnvironmentPrivilege": "enabled-by-default",
    "SeSystemtimePrivilege": "enabled-by-default",
    "SeSecurityPrivilege": "enabled-by-default",
    "SeDelegateSessionUserImpersonatePrivilege": "enabled-by-default",
    "SeIncreaseWorkingSetPrivilege": "enabled-by-default",
    "SeTakeOwnershipPrivilege": "enabled-by-default",
    "SeIncreaseQuotaPrivilege": "enabled-by-default",
    "SeCreateGlobalPrivilege": "enabled-by-default",
    "SeCreateSymbolicLinkPrivilege": "enabled-by-default",
    "SeRestorePrivilege": "enabled-by-default",
    "SeUndockPrivilege": "enabled-by-default",
    "SeImpersonatePrivilege": "enabled-by-default",
    "SeProfileSingleProcessPrivilege": "enabled-by-default",
    "SeDebugPrivilege": "enabled-by-default",
    "SeIncreaseBasePriorityPrivilege": "enabled-by-default",
    "SeManageVolumePrivilege": "enabled-by-default",
    "SeTimeZonePrivilege": "enabled-by-default"
  },
  "label": {
    "domain_name": "Mandatory Label",
    "sid": "S-1-16-12288",
    "account_name": "High Mandatory Level",
    "type": "Label"
  },
  "login_time": "2020-02-05T12:26:05.3118890+00:00",
  "groups": [
    {
      "account_name": "None",
      "domain_name": "AEU2AQASSIN001",
      "attributes": [
        "Mandatory",
        "Enabled by default",
        "Enabled"
      ],
      "sid": "S-1-5-21-37245824-2718835611-1917878046-513",
      "type": "Group"
    },
    {
      "account_name": "Everyone",
      "domain_name": "",
      "attributes": [
        "Mandatory",
        "Enabled by default",
        "Enabled"
      ],
      "sid": "S-1-1-0",
      "type": "WellKnownGroup"
    },
    {
      "account_name": "Local account and member of Administrators group",
      "domain_name": "NT AUTHORITY",
      "attributes": [
        "Mandatory",
        "Enabled by default",
        "Enabled"
      ],
      "sid": "S-1-5-114",
      "type": "WellKnownGroup"
    },
    {
      "account_name": "Administrators",
      "domain_name": "BUILTIN",
      "attributes": [
        "Mandatory",
        "Enabled by default",
        "Enabled",
        "Owner"
      ],
      "sid": "S-1-5-32-544",
      "type": "Alias"
    },
    {
      "account_name": "Users",
      "domain_name": "BUILTIN",
      "attributes": [
        "Mandatory",
        "Enabled by default",
        "Enabled"
      ],
      "sid": "S-1-5-32-545",
      "type": "Alias"
    },
    {
      "account_name": "INTERACTIVE",
      "domain_name": "NT AUTHORITY",
      "attributes": [
        "Mandatory",
        "Enabled by default",
        "Enabled"
      ],
      "sid": "S-1-5-4",
      "type": "WellKnownGroup"
    },
    {
      "account_name": "CONSOLE LOGON",
      "domain_name": "",
      "attributes": [
        "Mandatory",
        "Enabled by default",
        "Enabled"
      ],
      "sid": "S-1-2-1",
      "type": "WellKnownGroup"
    },
    {
      "account_name": "Authenticated Users",
      "domain_name": "NT AUTHORITY",
      "attributes": [
        "Mandatory",
        "Enabled by default",
        "Enabled"
      ],
      "sid": "S-1-5-11",
      "type": "WellKnownGroup"
    },
    {
      "account_name": "This Organization",
      "domain_name": "NT AUTHORITY",
      "attributes": [
        "Mandatory",
        "Enabled by default",
        "Enabled"
      ],
      "sid": "S-1-5-15",
      "type": "WellKnownGroup"
    },
    {
      "account_name": "Local account",
      "domain_name": "NT AUTHORITY",
      "attributes": [
        "Mandatory",
        "Enabled by default",
        "Enabled"
      ],
      "sid": "S-1-5-113",
      "type": "WellKnownGroup"
    },
    {
      "account_name": "High Mandatory Level",
      "domain_name": "Mandatory Label",
      "attributes": [
        "Integrity",
        "Integrity enabled"
      ],
      "sid": "S-1-16-12288",
      "type": "Label"
    }
  ],
  "account": {
    "domain_name": "AEU2AQASSIN001",
    "sid": "S-1-5-21-37245824-2718835611-1917878046-1009",
    "account_name": "ssm-user",
    "type": "User"
  },
  "login_domain": "AEU2AQASSIN001",
  "rights": [
    "SeNetworkLogonRight",
    "SeInteractiveLogonRight",
    "SeBatchLogonRight",
    "SeRemoteInteractiveLogonRight"
  ],
  "logon_server": "",
  "authentication_package": "Negotiate",
  "logon_id": 23341168,
  "dns_domain_name": "",
  "token_type": "TokenPrimary"
}#< CLIXML<Ob
6488
js Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"><Obj S="progress" RefId="0"><TN RefId="0"><T>System.Management.Automation.PSCustomObject</T><T>System.Object</T></TN><MS><I64 N="SourceId">1</I64><PR N="Record"><AV>Preparing modules for first use.</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj></Objs>"
  "
  "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
  "rc": 0
}
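An added example, not part of this issue or of Ansible's own code: a small Python parser that separates the module's JSON result from the CLIXML record that PowerShell 5.1 appended to stdout in the output above, so the win_whoami result can still be read and the trailing CLIXML classified as a progress record rather than an error stream. The function names and the abbreviated sample stdout are constructed for the example.

```python
"""Split win_whoami stdout into its JSON result and the trailing CLIXML."""
import json
import xml.etree.ElementTree as ET

CLIXML_MARKER = "#< CLIXML"
PS_NS = "{http://schemas.microsoft.com/powershell/2004/04}"

# Constructed sample modelled on the issue's ACTUAL RESULTS: the module JSON
# (abbreviated) followed by a CLIXML progress record from PowerShell 5.1.
SAMPLE_STDOUT = (
    '{"changed": false, "logon_type": "NewCredentials", '
    '"account": {"account_name": "ssm-user", "type": "User"}, '
    '"label": {"account_name": "High Mandatory Level", "sid": "S-1-16-12288"}}'
    "#< CLIXML\n"
    '<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">'
    '<Obj S="progress" RefId="0"><TN RefId="0"><T>System.Management.Automation.PSCustomObject</T>'
    '<T>System.Object</T></TN><MS><I64 N="SourceId">1</I64><PR N="Record">'
    "<AV>Preparing modules for first use.</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC>"
    "<T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj></Objs>"
)


def split_module_stdout(stdout):
    """Return (json_text, clixml_text); clixml_text is '' when no CLIXML follows."""
    idx = stdout.find(CLIXML_MARKER)
    if idx == -1:
        return stdout, ""
    return stdout[:idx], stdout[idx + len(CLIXML_MARKER):].lstrip()


def clixml_streams(clixml):
    """Group the text of each top-level CLIXML element by its stream name (S attribute)."""
    root = ET.fromstring(clixml)
    streams = {}
    for child in root:
        stream = (child.get("S") or "output").lower()
        text = " ".join(t.strip() for t in child.itertext() if t.strip())
        streams.setdefault(stream, []).append(text)
    return streams


def parse_win_whoami(stdout):
    """Parse the JSON result; only an error stream in the CLIXML is treated as a failure."""
    json_text, clixml = split_module_stdout(stdout)
    result = json.loads(json_text)
    streams = clixml_streams(clixml) if clixml else {}
    if streams.get("error"):
        raise RuntimeError("PowerShell error stream: %s" % streams["error"])
    return result, streams
```

With the issue's output, the JSON parses cleanly and the only CLIXML stream is "progress", which is why the module's own result is intact even though Ansible reported MODULE FAILURE.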

Labels: affects_2.10, bug, collection, collection:ansible.windows, support:community, support:core, windows