Azure AD Abandoned Reply URLs to Escalate Privilege

Recent reports indicate that there has been a privilege escalation vulnerability discovered, which arises due to abandoned Active Directory URLs.

Threat actors can use this flaw to gain illegal authorization codes that can be used against Microsoft Power Platform API to gain access tokens and escalate their privileges.

Microsoft has patched these vulnerabilities as soon as they were reported. However, there are certain limitations for users to mitigate this issue. 

Abandoned Reply URLs

As per reports shared with Cyber Security News, researchers identified some abandoned URLs, which were then evaluated for their availability for registration with impacted Azure services.

During this method, an abandoned reply URL belonging to the Dynamics Data Integration app that was linked with the Azure Traffic manager (dataintegratorui[.]trafficmanager[.]net)profile was discovered.

Since this is one of many first-party Microsoft applications, no additional consent was required to initiate the attack. Nevertheless, the legitimate version of the application uses the getExternalData API for proxying a request to a set of limited downstream APIs.

Legitimate application flow (Source: Secureworks)

The requested URL of getExternalData (https: //<middletierservice>/api/GetExternalData) consists of three payload parameters namely ‘url‘, ‘requestData‘, and ‘requestType‘ and requested token ‘audience‘. With the help of the middle-tier service, the Power Platform downstream API and the Azure AD Graph API were accessible.

Request from client to middle-tier service (Source: Secureworks)

Threat actors abuse these platforms by redirecting a victim to a malicious server. Victims who visit them through the Azure AD have the authorization code in the URL, which is then exchanged for access tokens by the malicious server.

Threat actors then use the server to call the middle-tier service with the access token and the intended API.

Power Platform Privilege Escalation

Power Platform is a collaborative platform introduced by Microsoft with low-code tools to automate processes and other useful solutions for different use cases. It also provides integration with services like GitHub and other apps.

However, an API to this platform allows users to manage environments, change the settings, and get information about capacity consumption. Since this platform can be accessed by crafting the abandoned URL, it allows users to escalate their privileges.

It can also be used to abuse its administrative capabilities by creating an application user with a system administrator role or deleting the environment with an HTTP delete request.

Azure AD Graph API

In the case of Azure AD Graph API access, threat actors accessing them via the middle-tier service are limited to read-only access. Threat actors can only gather information but cannot write on the system. Though this serves as a protection, they can still gather additional information about the environment for initiating further attacks.

Request used for reading Azure AD (Source: Secureworks)

Furthermore, it was detected that even after deleting the first-party application, the issue is not addressed since the application has been pre-consented for all tenants.

Access token issuing can be addressed by disabling users’ sign-in ability and nullifying other legitimate application usage. For detailed information, Secureworks has provided a complete report.

Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.

Leave a Reply

Your email address will not be published. Required fields are marked *