alt Hacker NewsOne Token to rule them all – Obtaining Global Admin in every Entra ID tenant
Comments
Well at least someone could log in using Entra ID!
failed to properly validate the originating tenant
One wonders whether those who designed all this ever considered what that field in the token is for.
The word "tenant" is also very telling --- you're just renting, and the "landlord" always has the keys.
Impressive work!
This makes me wonder if Microsoft’s commitment to long-term support is part of the problem: instead of deprecating these ancient APIs they keep them on life-support, but forget some "regression-test" on how they interact with the shiny new surfaces.
Feels like P0’s Windows Registry talks, most of the vulns weren’t in the new code, they were in the how legacy behaviors interacted with newer features.
Absolutely insane. Security so weak, it seems like you discovered an intentional backdoor.
I imagine this paid out quote the bounty; exploited, it's hard to think of a more damning security flaw.
I recently had to deal with Entra ID for the first time to setup Microsoft OAuth for our site and my god why is it so badly designed.
Just creating a tenant is a PITA and you get a default tenant you can't change without paying for Microsoft 365? Then you have subscriptions, Microsoft partners, Enteprise vs individual accounts, etc. All mixed with legacy AD naming and renaming, documentation with outdated screenshots, Microsoft Partners bullshit.
Wow the keys to all the enterprise castles! That’s wild!
Microsoft, Azure, why am I not surprised?
after 36 years kerberos seems pretty stable, secure, and well supported finally. why do we need Entra?
Was there a bounty?
Oh man, I was close with this a few times as I ran powershell in different ISE windows and sometimes copied/pasted things over for different tenants, darn - it really seemed so obvious of an exploit!
The linked CVE has something that strikes me as odd. It marks this exploit's 'Attack Complexity' as 'High', meaning:
> A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. For example, a successful attack may require an attacker to: gather knowledge about the environment in which the vulnerable target/component exists; prepare the target environment to improve exploit reliability; or inject themselves into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g., a man in the middle attack).
But reading Dirk-jan's article, really all you need is basic admin knowledge of Entra ID etc., and the netId of any single user on the targetted environment, which can be found using brute force enumeration. The rest is public knowledge.
Strictly speaking the attacker would need to invest in some measurable amount of effort, but that seems like stretching the definition to make the CVE look less awkward.