Tuesday, December 3, 2024
HomeAzureHackers Abuse Azure AD Abandoned Reply URLs to Escalate Privilege

Hackers Abuse Azure AD Abandoned Reply URLs to Escalate Privilege

Published on

SIEM as a Service

Recent reports indicate that there has been a privilege escalation vulnerability discovered, which arises due to abandoned Active Directory URLs.

Threat actors can use this flaw to gain illegal authorization codes that can be used against Microsoft Power Platform API to gain access tokens and escalate their privileges.

Microsoft has patched these vulnerabilities as soon as they were reported. However, there are certain limitations for users to mitigate this issue. 

- Advertisement - SIEM as a Service

Abandoned Reply URLs

As per reports shared with Cyber Security News, researchers identified some abandoned URLs, which were then evaluated for their availability for registration with impacted Azure services.

During this method, an abandoned reply URL belonging to the Dynamics Data Integration app that was linked with the Azure Traffic manager (dataintegratorui[.]trafficmanager[.]net)profile was discovered.

Since this is one of many first-party Microsoft applications, no additional consent was required to initiate the attack. Nevertheless, the legitimate version of the application uses the getExternalData API for proxying a request to a set of limited downstream APIs.

Legitimate application flow (Source: Secureworks)

The requested URL of getExternalData (https: //<middletierservice>/api/GetExternalData) consists of three payload parameters namely ‘url‘, ‘requestData‘, and ‘requestType‘ and requested token ‘audience‘. With the help of the middle-tier service, the Power Platform downstream API and the Azure AD Graph API were accessible.

Request from client to middle-tier service (Source: Secureworks)

Threat actors abuse these platforms by redirecting a victim to a malicious server. Victims who visit them through the Azure AD have the authorization code in the URL, which is then exchanged for access tokens by the malicious server.

Threat actors then use the server to call the middle-tier service with the access token and the intended API.

Power Platform Privilege Escalation

Power Platform is a collaborative platform introduced by Microsoft with low-code tools to automate processes and other useful solutions for different use cases. It also provides integration with services like GitHub and other apps.

However, an API to this platform allows users to manage environments, change the settings, and get information about capacity consumption. Since this platform can be accessed by crafting the abandoned URL, it allows users to escalate their privileges.

It can also be used to abuse its administrative capabilities by creating an application user with a system administrator role or deleting the environment with an HTTP delete request.

Azure AD Graph API

In the case of Azure AD Graph API access, threat actors accessing them via the middle-tier service are limited to read-only access. Threat actors can only gather information but cannot write on the system. Though this serves as a protection, they can still gather additional information about the environment for initiating further attacks.

Request used for reading Azure AD (Source: Secureworks)

Furthermore, it was detected that even after deleting the first-party application, the issue is not addressed since the application has been pre-consented for all tenants.

Access token issuing can be addressed by disabling users’ sign-in ability and nullifying other legitimate application usage. For detailed information, Secureworks has provided a complete report.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation...

Salesforce Applications Vulnerability Could Allow Full Account Takeover

A critical vulnerability has been discovered in Salesforce applications that could potentially allow a...

TP-Link HomeShield Function Vulnerability Let Attackers Inject Malicious Commands

A significant vulnerability has been identified in TP-Link's HomeShield function, affecting a range of...

ElizaRAT Exploits Google, Telegram, & Slack Services For C2 Communications

APT36, a Pakistani cyber-espionage group, has recently upgraded its arsenal with ElizaRAT, a sophisticated...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation...

Salesforce Applications Vulnerability Could Allow Full Account Takeover

A critical vulnerability has been discovered in Salesforce applications that could potentially allow a...

TP-Link HomeShield Function Vulnerability Let Attackers Inject Malicious Commands

A significant vulnerability has been identified in TP-Link's HomeShield function, affecting a range of...