Well at least someone could log in using Entra ID!
darkamaul 52 minutes ago [-]
Impressive work!
This makes me wonder if Microsoft’s commitment to long-term support is part of the problem: instead of deprecating these ancient APIs they keep them on life-support, but forget some "regression-test" on how they interact with the shiny new surfaces.
Feels like P0’s Windows Registry talks, most of the vulns weren’t in the new code, they were in how legacy behaviors interacted with newer features.
userbinator 5 hours ago [-]
failed to properly validate the originating tenant
One wonders whether those who designed all this ever considered what that field in the token is for.
The word "tenant" is also very telling --- you're just renting, and the "landlord" always has the keys.
nine_k 3 hours ago [-]
It's even worse: "Because of the nature of these Actor tokens, they are not subject to security policies like Conditional Access". This goes against all principles of good security design. A token that gives root access instead of specifying a particular action allowed just invites misuse, erroneous or malicious.
I would expect these tokens to be like JWT or macaroons, carrying specific permissions within specific bounds / tenants. Alas.
milkshakes 2 hours ago [-]
well, you're in luck, they are JWTs in fact. JWTs in JWTs, so extra secure.
Nursie 2 hours ago [-]
They are!
But the systems that have been built around them are bad. Firstly in issuing these ‘root’ tokens at all, and secondly in not checking the claims properly.
A JWT is only as good as the systems it’s used by.
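The two preceding comments (nine_k's point that a token should carry bounded permissions for a particular tenant, and Nursie's point that the surrounding systems failed to check the claims) are illustrated by the added example below. It is not code from the thread or from Microsoft's implementation: it hand-rolls an HS256 JWT with a constructed shared key so it runs offline (a real issuer signs with asymmetric keys published for verifiers), and the claim names `iss`, `aud`, `tid`, `scp`, `exp` follow the usual JWT conventions rather than reproducing any vendor's token format. The verifier rejects a token whose `tid` does not match the tenant being accessed, a token with no tenant claim at all, an unscoped "root" style token, and a token whose tenant claim was rewritten without re-signing.

```python
import base64
import hashlib
import hmac
import json
import time

# All values below are constructed for the demo.
DEMO_KEY = b"constructed-demo-hmac-key"      # a real verifier uses the issuer's published keys
ISSUER = "https://issuer.example"           # assumed issuer identifier
AUDIENCE = "api://resource.example"         # assumed audience (the API accepting the token)
TENANT_A = "tenant-a-constructed-id"
TENANT_B = "tenant-b-constructed-id"
NOW = 1_700_000_000                         # fixed clock so the example is deterministic


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, key=DEMO_KEY):
    """Mint an HS256 JWT. Present only so the example runs offline; the lesson is in verify_token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token, expected_tenant, key=DEMO_KEY, now=None):
    """Verify the signature, then every claim that bounds the token.

    Raises ValueError naming the first failed check; returns the claims otherwise.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, decides the algorithm
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    # The check the thread is about: the originating tenant must be the one whose
    # resource is being accessed. A token with no tenant claim fails; it is not waved through.
    if claims.get("tid") != expected_tenant:
        raise ValueError("tenant mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    # Bounded permissions rather than a 'root' token: at least one explicit scope is required.
    if not str(claims.get("scp", "")).split():
        raise ValueError("no scopes granted")
    return claims


def classify(token, expected_tenant, now=NOW):
    """Return 'ok' or the reason the token was rejected."""
    try:
        verify_token(token, expected_tenant, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def tamper_tenant(token, new_tenant):
    """Rewrite the tid claim without re-signing, which is all a party without the key could do."""
    header_b64, body_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(body_b64))
    claims["tid"] = new_tenant
    return f"{header_b64}.{_b64url(json.dumps(claims).encode())}.{sig_b64}"


def demo_tokens(now=NOW):
    """Constructed sample tokens: one properly bounded, three that should be rejected."""
    base = {"iss": ISSUER, "aud": AUDIENCE, "exp": now + 600}
    return {
        "bounded": mint_token({**base, "tid": TENANT_A, "scp": "Mail.Read"}),
        "no_tenant": mint_token({**base, "scp": "Mail.Read"}),      # tenant claim absent
        "unscoped": mint_token({**base, "tid": TENANT_A}),          # 'root'-style token, no scp
        "expired": mint_token({**base, "tid": TENANT_A, "scp": "Mail.Read", "exp": now - 1}),
    }


if __name__ == "__main__":
    toks = demo_tokens()
    for name, tok in toks.items():
        print(f"{name:>10} vs tenant A: {classify(tok, TENANT_A)}")
    print(f"   bounded vs tenant B: {classify(toks['bounded'], TENANT_B)}")
    print(f"forged tid for tenant B: {classify(tamper_tenant(toks['bounded'], TENANT_B), TENANT_B)}")
```

The order of checks matters: the signature is verified before any claim is read, so a forged `tid` never reaches the tenant comparison, and the tenant comparison is an equality against the tenant the caller is actually trying to reach, not a "claim is present" check.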
pcj-github 4 hours ago [-]
Absolutely insane. Security so weak, it seems like you discovered an intentional backdoor.
> impersonation tokens, called “Actor tokens”, that Microsoft uses in their backend for service-to-service (S2S)
Literally every single "security" framework uses God-mode long-lived tokens for non-human identities.
(Except for SPIFFE, but that's a niche thing and used only for Kubernetes bullshit.)
The whole field of "security" is a farce staffed by clowns.
Sytten 1 hour ago [-]
I recently had to deal with Entra ID for the first time to setup Microsoft OAuth for our site and my god why is it so badly designed.
Just creating a tenant is a PITA and you get a default tenant you can't change without paying for Microsoft 365? Then you have subscriptions, Microsoft partners, Enterprise vs individual accounts, etc. All mixed with legacy AD naming and renaming, documentation with outdated screenshots, Microsoft Partners bullshit.
Propelloni 28 minutes ago [-]
There is a whole industry clustered around this FUBAR that makes its living by helping companies navigate this shit. It has small and big players and they have no incentive to tell you that there is anything else you could use. The monthly service fee is too tasty.
malnourish 3 hours ago [-]
I imagine this paid out quite the bounty; exploited, it's hard to think of a more damning security flaw.
TavsiE9s 2 hours ago [-]
Microsoft, Azure, why am I not surprised?
gfody 3 hours ago [-]
after 36 years kerberos seems pretty stable, secure, and well supported finally. why do we need Entra?
EvanAnderson 2 hours ago [-]
Kerberos doesn't have a good monthly recurring revenue "story".
jiggawatts 1 hour ago [-]
Kerberos doesn't work well on the web.
cr125rider 5 hours ago [-]
Wow the keys to all the enterprise castles! That’s wild!
jwpapi 5 hours ago [-]
Was there a bounty?
rootsudo 5 hours ago [-]
Oh man, I was close with this a few times as I ran PowerShell in different ISE windows and sometimes copied/pasted things over for different tenants, darn - it really seemed so obvious of an exploit!