Hackers Abuse Azure AD Abandoned Reply URLs to Escalate Privilege

Recent reports indicate that there has been a privilege escalation vulnerability discovered, which arises due to abandoned Active Directory URLs.

Threat actors can use this flaw to gain illegal authorization codes that can be used against Microsoft Power Platform API to gain access tokens and escalate their privileges.

Microsoft has patched these vulnerabilities as soon as they were reported. However, there are certain limitations for users to mitigate this issue. 

Abandoned Reply URLs

As per reports shared with Cyber Security News, researchers identified some abandoned URLs, which were then evaluated for their availability for registration with impacted Azure services.

During this method, an abandoned reply URL belonging to the Dynamics Data Integration app that was linked with the Azure Traffic manager (dataintegratorui[.]trafficmanager[.]net)profile was discovered.

Since this is one of many first-party Microsoft applications, no additional consent was required to initiate the attack. Nevertheless, the legitimate version of the application uses the getExternalData API for proxying a request to a set of limited downstream APIs.

Legitimate application flow (Source: Secureworks)

The requested URL of getExternalData (https: //<middletierservice>/api/GetExternalData) consists of three payload parameters namely ‘url‘, ‘requestData‘, and ‘requestType‘ and requested token ‘audience‘. With the help of the middle-tier service, the Power Platform downstream API and the Azure AD Graph API were accessible.

Request from client to middle-tier service (Source: Secureworks)

Threat actors abuse these platforms by redirecting a victim to a malicious server. Victims who visit them through the Azure AD have the authorization code in the URL, which is then exchanged for access tokens by the malicious server.

Threat actors then use the server to call the middle-tier service with the access token and the intended API.

Power Platform Privilege Escalation

Power Platform is a collaborative platform introduced by Microsoft with low-code tools to automate processes and other useful solutions for different use cases. It also provides integration with services like GitHub and other apps.

However, an API to this platform allows users to manage environments, change the settings, and get information about capacity consumption. Since this platform can be accessed by crafting the abandoned URL, it allows users to escalate their privileges.

It can also be used to abuse its administrative capabilities by creating an application user with a system administrator role or deleting the environment with an HTTP delete request.

Azure AD Graph API

In the case of Azure AD Graph API access, threat actors accessing them via the middle-tier service are limited to read-only access. Threat actors can only gather information but cannot write on the system. Though this serves as a protection, they can still gather additional information about the environment for initiating further attacks.

Request used for reading Azure AD (Source: Secureworks)

Furthermore, it was detected that even after deleting the first-party application, the issue is not addressed since the application has been pre-consented for all tenants.

Access token issuing can be addressed by disabling users’ sign-in ability and nullifying other legitimate application usage. For detailed information, Secureworks has provided a complete report.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Eswar

Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious actors…

19 hours ago

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce shoppers…

22 hours ago

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to malicious…

23 hours ago

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in 2022…

23 hours ago

Critical Laravel Vulnerability CVE-2024-52301 Allows Unauthorized Access

CVE-2024-52301 is a critical vulnerability identified in Laravel, a widely used PHP framework for building…

1 day ago

4M+ WordPress Websites to Attacks, Following Plugin Vulnerability

A critical vulnerability has been discovered in the popular "Really Simple Security" WordPress plugin, formerly…

1 day ago