Bypass in Microsoft Azure AD

uriel.gabay
Apr 22, 2019

I discovered that Microsoft Azure AD is vulnerable to bypass by exploiting the ‘Administrator portal restriction’ configuration that is enforced on the client side. The exploit involves editing the HTTP response from Azure, using Burp to deceive the client-side JavaScript code.

When I communicated the problem to Microsoft, they claimed that it was a ‘feature’ — but then they fixed it in the following Azure update (but didn’t even fix it properly).

You can view the demo video of the exploit here:
https://www.youtube.com/watch?v=rnEQYDHqhmM&feature=youtu.be

Proof of Concept:

The following screenshot shows the ‘User settings’ page containing the ‘Administration portal’ configuration, which restricts access to the Azure AD administration portal. This page is only accessible to high-privileged and admin users.

A low-privileged user can bypass this configuration simply by changing the HTTP response code from 401 and 403 to 200! After making this change in the response, the forbidden page becomes available. Using this access, I was able to play with the site’s JavaScript in order to gain access to internal Azure information.

The following steps show the exploitation process:

1. Log in as a low-privileged user and access the Azure Active Directory main page; the page will present an ‘Access denied’ message.

2. Intercept the HTTP traffic and create a rule that changes the HTTP response code from ‘401 Unauthorized’ and ‘403 Forbidden’ to ‘200 OK’, in order to deceive the client-side validation code.

3. Refresh the page without caching (Ctrl+F5) and … BOOM.

4. Use the following script (from the browser console) to enable the ‘Manage’ buttons:
$("[aria-disabled=true]").attr("aria-disabled", false);

5. Start gathering information about users, groups, applications, and more.

User enumeration:

Groups enumeration:

Application enumeration:

I reported this vulnerability to Microsoft, and they replied that “The UX is not designed as a security boundary” and that the low-privileged user can get the information from another place like PowerShell, and Graph API.
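The disagreement above comes down to where authorization is enforced. The following is an added example, not code from the original post or from Azure AD, that contrasts the two patterns in plain JavaScript: a handler that always returns directory data and only sets a flag the page uses to disable the ‘Manage’ buttons, beside a handler that decides access on the server and sends no data to a non-admin. The principal names, the role table, the sample directory and the handler names are all constructed for illustration.

```javascript
// Added example (not from the original post, not Azure AD code).
// All names and data below are constructed for illustration.

// Constructed sample directory and role table.
const DIRECTORY = Object.freeze({
  users: ['alice', 'bob', 'carol'],
  groups: ['finance', 'engineering'],
  apps: ['payroll-app', 'ci-runner'],
});
const ADMINS = new Set(['alice']);

function isDirectoryAdmin(principal) {
  return ADMINS.has(principal);
}

// Weak pattern: the server returns the data for everyone and relies on the
// client-side script to hide it (canManage:false disables the buttons).
// Anyone who can alter the response or run code in the console sees it all.
function clientGatedHandler(principal) {
  return {
    status: 200,
    body: { canManage: isDirectoryAdmin(principal), ...DIRECTORY },
  };
}

// Hardened pattern: the authorization decision is made on the server and a
// non-admin receives no directory data at all, so neither a rewritten status
// code nor a flipped aria-disabled attribute can reveal anything.
function serverEnforcedHandler(principal) {
  if (!isDirectoryAdmin(principal)) {
    return { status: 403, body: { error: 'forbidden' } };
  }
  return { status: 200, body: { canManage: true, ...DIRECTORY } };
}

// Models the effect of the response tampering described in the post: the
// status becomes 200, but the body is whatever the server actually sent.
function rewriteStatusTo200(response) {
  return { status: 200, body: response.body };
}

// How many user records a tampered response exposes to the given principal.
function leakedUserCount(handler, principal) {
  const tampered = rewriteStatusTo200(handler(principal));
  return Array.isArray(tampered.body.users) ? tampered.body.users.length : 0;
}

// Stand-alone demonstration.
console.log('client-gated, bob  ->', leakedUserCount(clientGatedHandler, 'bob'));   // 3
console.log('server-enforced, bob ->', leakedUserCount(serverEnforcedHandler, 'bob')); // 0
```

The practical check is to call the portal’s backing API directly with a low-privileged account and inspect the body, not just the status code: if the data is present in a 401/403 response, the restriction lives in the UI alone. On the detection side, a burst of requests to admin-only endpoints from an account that has just received 401/403 responses for the same resources is worth an alert.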

I told Microsoft that companies that take their security seriously implement ways to block users from accessing PowerShell and Graph API to their Azure account — and I gave them an example too.

Microsoft advised that the bypass is a ‘feature’, and closed the case. However, they also proceeded to FIX the ‘feature’ in their next update!

What do you think?

Regards, Uriel G.
