_______ __ _______
| | |.---.-..----.| |--..-----..----. | | |.-----..--.--.--..-----.
| || _ || __|| < | -__|| _| | || -__|| | | ||__ --|
|___|___||___._||____||__|__||_____||__| |__|____||_____||________||_____|
on Gopher (inofficial)
URI Visit Hacker News on the Web
COMMENT PAGE FOR:
URI One Token to rule them all â Obtaining Global Admin in every Entra ID tenant
VoidWhisperer wrote 1 hour 9 min ago:
I feel like I remember a similar attack related to Entra ID from a
while ago, although I can't remember exactly what it was (maybe [0] or
[1]?).. I understand that this is a complex system, but I would be
concerned with the number of relatively high severity vulnerabilities
being found in it.
[0]: [1]:
URI [1]: https://securitylabs.datadoghq.com/articles/i-spy-escalating-t...
URI [2]: https://www.semperis.com/blog/unoauthorized-privilege-elevatio...
buster wrote 6 hours 21 min ago:
Reminds me of this dutch guy "obtaining all data from random Microsoft
365 tenants": [1] Great talk, by the way.
URI [1]: https://media.ccc.de/v/38c3-from-simulation-to-tenant-takeover
Freak_NL wrote 7 hours 15 min ago:
The linked CVE has something that strikes me as odd. It marks this
exploit's 'Attack Complexity' as 'High', meaning:
> A successful attack depends on conditions beyond the attacker's
control. That is, a successful attack cannot be accomplished at will,
but requires the attacker to invest in some measurable amount of effort
in preparation or execution against the vulnerable component before a
successful attack can be expected. For example, a successful attack may
require an attacker to: gather knowledge about the environment in which
the vulnerable target/component exists; prepare the target environment
to improve exploit reliability; or inject themselves into the logical
network path between the target and the resource requested by the
victim in order to read and/or modify network communications (e.g., a
man in the middle attack).
But reading Dirk-jan's article, really all you need is basic admin
knowledge of Entra ID etc., and the netId of any single user on the
targetted environment, which can be found using brute force
enumeration. The rest is public knowledge.
Strictly speaking the attacker would need to invest in some measurable
amount of effort, but that seems like stretching the definition to make
the CVE look less awkward.
lukev wrote 35 min ago:
To be fair, doing even the most basic task in Entra as an
authenticated user is also "high complexity", so the difficulty of
attacking it can only go up from there.
lucasRW wrote 6 hours 10 min ago:
"really all you need is basic admin knowledge of Entra ID"
> Yes, because any "basic user of Entra ID with basic knowledge of
it" has found undocumented types of tokens, and stringed them with
another Graph API vulnerability, to impersonate users...
Basic Entra ID users don't even know what an Entra ID token is
exactly.
Freak_NL wrote 5 hours 42 min ago:
Having knowledge of the exploit itself does not seem to factor in
to determining the complexity of the exploit. Rather, it appears to
document the complexity of executing it against any given target,
given that the exploit is known to the attacker (and someone else
has done the hard work of finding it). See the 'A successful attack
depends on conditions beyond the attacker's control.' part in the
documentation of 'high'.
In this exploit, there are hardly any conditions beyond the
attacker's control which must be satisfied.
Arch-TK wrote 7 hours 0 min ago:
In my personal experience as someone who has spent the last 6 years
of his career in the security industry, almost nobody actually uses
CVSS the way it is intended, they just almost arbitrarily tweak the
CVSS inputs to produce an output they like.
You are correct that the attack complexity probably shouldn't be high
in this case. But presumably the person calculating the CVSS score
thought it was too high if attack complexity wasn't set to high.
CVSS has other issues, like people trying to apply it to things that
are not vulnerabilities. I would ignore most CVSS scores you see and
just read what the issue is instead and make your own judgement call.
nl wrote 8 hours 51 min ago:
Well at least someone could log in using Entra ID!
darkamaul wrote 9 hours 6 min ago:
Impressive work!
This makes me wonder if Microsoftâs commitment to long-term support
is part of the problem: instead of deprecating these ancient APIs they
keep them on life-support, but forget some "regression-test" on how
they interact with the shiny new surfaces.
Feels like P0âs Windows Registry talks, most of the vulns werenât
in the new code, they were in the how legacy behaviors interacted with
newer features.
tonyhart7 wrote 7 hours 32 min ago:
Microsoft also forced to keep these legacy code tbh
You see, most enterprise client with big enough contract can force to
do this and MS need to support this customer until they migrate or if
they ever be at all
I may argue for any big legacy enterprise software, its easier to
rewrite the damn whole thing than to support the legacy code forever
but they cant do that even if they have motivation/resource
the8472 wrote 6 hours 32 min ago:
They could put it behind a flag, like LANMAN auth.
Sytten wrote 9 hours 24 min ago:
I recently had to deal with Entra ID for the first time to setup
Microsoft OAuth for our site and my god why is it so badly designed.
Just creating a tenant is a PITA and you get a default tenant you can't
change without paying for Microsoft 365? Then you have subscriptions,
Microsoft partners, Enteprise vs individual accounts, etc. All mixed
with legacy AD naming and renaming, documentation with outdated
screenshots, Microsoft Partners bullshit.
Kneecaps07 wrote 2 hours 57 min ago:
It takes like two minutes to create a tenant. Click Next a bunch,
enter a credit card, you're done.
And yes they have different types of accounts and methods of billing.
Their customer base is probably in the hundreds of millions. People
are going to want options. I don't really see the issue there.
7bit wrote 5 hours 1 min ago:
> Just creating a tenant is a PITA and you get a default tenant you
can't change without paying for Microsoft 365?
What exactly ist a PITA when creating a tenant? It's straightforward.
And what do you mean by default tenant that you cannot change unless
you pay? Nothing comes to mind where that would be the case.
Are you sure you're not just using it wrong?
Sytten wrote 2 hours 11 min ago:
You literally cannot change your tenant ID and the form by default
picks a random for you. There is a hidden form I found on reddit
that lets you pick a tenant ID but wtf. Also by default you can't
create a tenant without an existing Microsoft account, which
everybody acknowledge is a chicken and egg problem.
Propelloni wrote 8 hours 42 min ago:
There ist a whole industry clustered around this FUBAR that makes its
living by helping companies navigate this shit. It has small and big
players and they have no incentive to tell you that there is anything
else you could use. The monthly Service fee is too tasty.
TavsiE9s wrote 10 hours 31 min ago:
Microsoft, Azure, why am I not surprised?
gfody wrote 10 hours 48 min ago:
after 36 years kerberos seems pretty stable, secure, and well supported
finally. why do we need Entra?
yabones wrote 1 hour 58 min ago:
One of the bigger issues is the double-hop problem. It's both an
important security boundary, and one of the biggest butt-pains about
the protocol. [1] It works great within a single organization
hierarchy, but becomes pretty painful for anything we'd consider
"SaaS"
URI [1]: https://techcommunity.microsoft.com/blog/askds/understanding...
jiggawatts wrote 9 hours 32 min ago:
Kerberos doesn't work well on the web.
zbentley wrote 6 hours 29 min ago:
Citation needed. Other than throughput/reliability risks posed by
the revocation check flow (which I know arenât the reason people
donât use Kerberos on the web, since the big auth providersâ
SPOFiness in this area is way worse, as proven by countless outages
induced by so-and-so rickety auth component failing bringing down a
major provider), Kerberosâ adoption issues on the web have more
to do with network effect and monetization than technical
limitations with the protocol.
EvanAnderson wrote 9 hours 56 min ago:
Kerberos doesn't have a good monthly recurring revenue "story".
malnourish wrote 11 hours 39 min ago:
I imagine this paid out quote the bounty; exploited, it's hard to think
of a more damning security flaw.
pcj-github wrote 12 hours 0 min ago:
Absolutely insane. Security so weak, it seems like you discovered an
intentional backdoor.
otabdeveloper4 wrote 9 hours 57 min ago:
> impersonation tokens, called âActor tokensâ, that Microsoft
uses in their backend for service-to-service (S2S)
Literally every single "security" framework uses God-mode long-lived
tokens for non-human identities.
(Except for SPIFFE, but that's a niche thing and used only for
Kubernetes bullshit.)
The whole field of "security" is a farce staffed by clowns.
cyberax wrote 8 hours 10 min ago:
AWS had switched from using something like this ("injection
tokens") to just regular IAM roles, though managed by the AWS.
The only special permission that services (actually, the AWS
accounts that they use) inside the AWS have is access to "service
principals". The service roles inside customer accounts then use
them to grant access.
AWS IAM is painful, but it shows that you can design a secure
permission system.
otabdeveloper4 wrote 6 hours 36 min ago:
You can add many layers of indirection, but unless you're
actually authenticating that a system service is using the
credentials (and not, say, a user or a script) then it boils down
to a long-lived token at the end.
oneplane wrote 1 hour 19 min ago:
If the long-lived token is actually a private key that is
non-retrievable and the secrecy and origin is attested by a
HSM, I'm fine with that.
noctune wrote 4 hours 23 min ago:
You can condition IAM on Nitro attestation, so that's doable
(if a lot more work than usual).
cookiengineer wrote 11 hours 26 min ago:
My NSL detector is off the charts here.
gnarlynarwhal42 wrote 10 hours 22 min ago:
For anyone not familiar with the abbreviation:
URI [1]: https://www.eff.org/issues/national-security-letters/faq
rootsudo wrote 12 hours 59 min ago:
Oh man, I was close with this a few times as I ran powershell in
different ISE windows and sometimes copied/pasted things over for
different tenants, darn - it really seemed so obvious of an exploit!
userbinator wrote 13 hours 9 min ago:
failed to properly validate the originating tenant
One wonders whether those who designed all this ever considered what
that field in the token is for.
The word "tenant" is also very telling --- you're just renting, and the
"landlord" always has the keys.
viraptor wrote 4 hours 37 min ago:
It's the standard naming for the services. Multi-tenancy is a thing,
but landlords are not in this naming context.
nine_k wrote 11 hours 14 min ago:
It's even worse: "Because of the nature of these Actor tokens, they
are not subject to security policies like Conditional Access". This
goes against all principles of good security design. A token that
gives root access instead of specifying a particular action allowed
just invites misuse, erroneous or malicious.
I would expect these tokens to be like JWT or macaroons, carrying
specific permissions within specific bounds / tenants. Alas.
Nursie wrote 10 hours 11 min ago:
They are!
But the systems that have been built around them are bad. Firstly
in issuing these ârootâ tokens at all, and secondly in not
checking the claims properly.
A JWT is only as good as the systems itâs used by.
milkshakes wrote 10 hours 18 min ago:
well, you're in luck, they are JWTs in fact. JWTs in JWTs, so extra
secure.
Freak_NL wrote 7 hours 24 min ago:
And of course, because the inner JWT is already signed, why
bother signing the outer one? Just validate the inner one!
I'm feeling sorry for those poor abused JWTs in this
vulnerability.
cr125rider wrote 13 hours 27 min ago:
Wow the keys to all the enterprise castles! Thatâs wild!
jwpapi wrote 13 hours 40 min ago:
Was there a bounty?
DIR <- back to front page