| ▲ | One Token to rule them all – Obtaining Global Admin in every Entra ID tenant(dirkjanm.io) |
| 318 points by colinprince 4 days ago | 52 comments |
| |
|
| ▲ | Freak_NL 4 days ago | parent | next [-] |
| The linked CVE has something that strikes me as odd. It marks this exploit's 'Attack Complexity' as 'High', meaning: > A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. For example, a successful attack may require an attacker to: gather knowledge about the environment in which the vulnerable target/component exists; prepare the target environment to improve exploit reliability; or inject themselves into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g., a man in the middle attack). But reading Dirk-jan's article, really all you need is basic admin knowledge of Entra ID etc., and the netId of any single user on the targetted environment, which can be found using brute force enumeration. The rest is public knowledge. Strictly speaking the attacker would need to invest in some measurable amount of effort, but that seems like stretching the definition to make the CVE look less awkward. |
| |
| ▲ | Arch-TK 4 days ago | parent | next [-] | | In my personal experience as someone who has spent the last 6 years of his career in the security industry, almost nobody actually uses CVSS the way it is intended, they just almost arbitrarily tweak the CVSS inputs to produce an output they like. You are correct that the attack complexity probably shouldn't be high in this case. But presumably the person calculating the CVSS score thought it was too high if attack complexity wasn't set to high. CVSS has other issues, like people trying to apply it to things that are not vulnerabilities. I would ignore most CVSS scores you see and just read what the issue is instead and make your own judgement call. | |
| ▲ | lukev 4 days ago | parent | prev | next [-] | | To be fair, doing even the most basic task in Entra as an authenticated user is also "high complexity", so the difficulty of attacking it can only go up from there. | |
| ▲ | jodrellblank 3 days ago | parent | prev | next [-] | | "1.1 18 Sep 2025 The CVSS score for this vulnerability has been updated to reflect a change in the Attack Complexity metric from High to Low." https://msrc.microsoft.com/update-guide/vulnerability/CVE-20... | | | |
| ▲ | lucasRW 4 days ago | parent | prev [-] | | "really all you need is basic admin knowledge of Entra ID" > Yes, because any "basic user of Entra ID with basic knowledge of it" has found undocumented types of tokens, and stringed them with another Graph API vulnerability, to impersonate users... Basic Entra ID users don't even know what an Entra ID token is exactly. | | |
| ▲ | Freak_NL 4 days ago | parent [-] | | Having knowledge of the exploit itself does not seem to factor in to determining the complexity of the exploit. Rather, it appears to document the complexity of executing it against any given target, given that the exploit is known to the attacker (and someone else has done the hard work of finding it). See the 'A successful attack depends on conditions beyond the attacker's control.' part in the documentation of 'high'. In this exploit, there are hardly any conditions beyond the attacker's control which must be satisfied. |
|
|
|
| ▲ | nl 4 days ago | parent | prev | next [-] |
| Well at least someone could log in using Entra ID! |
| |
|
| ▲ | userbinator 4 days ago | parent | prev | next [-] |
| failed to properly validate the originating tenant One wonders whether those who designed all this ever considered what that field in the token is for. The word "tenant" is also very telling --- you're just renting, and the "landlord" always has the keys. |
| |
| ▲ | nine_k 4 days ago | parent | next [-] | | It's even worse: "Because of the nature of these Actor tokens, they are not subject to security policies like Conditional Access". This goes against all principles of good security design. A token that gives root access instead of specifying a particular action allowed just invites misuse, erroneous or malicious. I would expect these tokens to be like JWT or macaroons, carrying specific permissions within specific bounds / tenants. Alas. | | |
| ▲ | milkshakes 4 days ago | parent | next [-] | | well, you're in luck, they are JWTs in fact. JWTs in JWTs, so extra secure. | | |
| ▲ | Freak_NL 4 days ago | parent [-] | | And of course, because the inner JWT is already signed, why bother signing the outer one? Just validate the inner one! I'm feeling sorry for those poor abused JWTs in this vulnerability. |
| |
| ▲ | Nursie 4 days ago | parent | prev [-] | | They are! But the systems that have been built around them are bad. Firstly in issuing these ‘root’ tokens at all, and secondly in not checking the claims properly. A JWT is only as good as the systems it’s used by. |
| |
| ▲ | viraptor 4 days ago | parent | prev [-] | | It's the standard naming for the services. Multi-tenancy is a thing, but landlords are not in this naming context. |
|
|
| ▲ | darkamaul 4 days ago | parent | prev | next [-] |
| Impressive work! This makes me wonder if Microsoft’s commitment to long-term support is part of the problem: instead of deprecating these ancient APIs they keep them on life-support, but forget some "regression-test" on how they interact with the shiny new surfaces. Feels like P0’s Windows Registry talks, most of the vulns weren’t in the new code, they were in the how legacy behaviors interacted with newer features. |
| |
| ▲ | tonyhart7 4 days ago | parent [-] | | Microsoft also forced to keep these legacy code tbh You see, most enterprise client with big enough contract can force to do this and MS need to support this customer until they migrate or if they ever be at all I may argue for any big legacy enterprise software, its easier to rewrite the damn whole thing than to support the legacy code forever but they cant do that even if they have motivation/resource | | |
|
|
| ▲ | pcj-github 4 days ago | parent | prev | next [-] |
| Absolutely insane. Security so weak, it seems like you discovered an intentional backdoor. |
| |
| ▲ | cookiengineer 4 days ago | parent | next [-] | | My NSL detector is off the charts here. | | | |
| ▲ | otabdeveloper4 4 days ago | parent | prev [-] | | > impersonation tokens, called “Actor tokens”, that Microsoft uses in their backend for service-to-service (S2S) Literally every single "security" framework uses God-mode long-lived tokens for non-human identities. (Except for SPIFFE, but that's a niche thing and used only for Kubernetes bullshit.) The whole field of "security" is a farce staffed by clowns. | | |
| ▲ | cyberax 4 days ago | parent [-] | | AWS had switched from using something like this ("injection tokens") to just regular IAM roles, though managed by the AWS. The only special permission that services (actually, the AWS accounts that they use) inside the AWS have is access to "service principals". The service roles inside customer accounts then use them to grant access. AWS IAM is painful, but it shows that you can design a secure permission system. | | |
| ▲ | otabdeveloper4 4 days ago | parent [-] | | You can add many layers of indirection, but unless you're actually authenticating that a system service is using the credentials (and not, say, a user or a script) then it boils down to a long-lived token at the end. | | |
| ▲ | noctune 4 days ago | parent | next [-] | | You can condition IAM on Nitro attestation, so that's doable (if a lot more work than usual). | |
| ▲ | cyberax 3 days ago | parent | prev | next [-] | | Regular individual systems that run the code inside the AWS generally do not have long-lived tokens. The credentials are ultimately _pushed_ to the systems running the services by a small set of highly secured and monitored privileged systems. You get to see that even with the regular public AWS/EC2. Instance roles are managed externally from the customers' points of view. | | |
| ▲ | otabdeveloper4 3 days ago | parent [-] | | > highly secured and monitored privileged systems So, ultimately "keys to the castle" aka a long password? | | |
| ▲ | cyberax 2 days ago | parent [-] | | It's a bit more complicated :) There are HSMs and code signing thrown into the mix. They went into total overengineering mode when designing it. But ultimately, any realistic design will eventually have systems that have to be trusted. It's just a question of isolating them. |
|
| |
| ▲ | oneplane 4 days ago | parent | prev [-] | | If the long-lived token is actually a private key that is non-retrievable and the secrecy and origin is attested by a HSM, I'm fine with that. |
|
|
|
|
|
| ▲ | buster 4 days ago | parent | prev | next [-] |
| Reminds me of this dutch guy "obtaining all data from random Microsoft 365 tenants": https://media.ccc.de/v/38c3-from-simulation-to-tenant-takeov... Great talk, by the way. |
|
| ▲ | gfody 4 days ago | parent | prev | next [-] |
| after 36 years kerberos seems pretty stable, secure, and well supported finally. why do we need Entra? |
| |
| ▲ | yabones 4 days ago | parent | next [-] | | One of the bigger issues is the double-hop problem. It's both an important security boundary, and one of the biggest butt-pains about the protocol. https://techcommunity.microsoft.com/blog/askds/understanding... It works great within a single organization hierarchy, but becomes pretty painful for anything we'd consider "SaaS" | |
| ▲ | EvanAnderson 4 days ago | parent | prev | next [-] | | Kerberos doesn't have a good monthly recurring revenue "story". | |
| ▲ | jiggawatts 4 days ago | parent | prev [-] | | Kerberos doesn't work well on the web. | | |
| ▲ | zbentley 4 days ago | parent [-] | | Citation needed. Other than throughput/reliability risks posed by the revocation check flow (which I know aren’t the reason people don’t use Kerberos on the web, since the big auth providers’ SPOFiness in this area is way worse, as proven by countless outages induced by so-and-so rickety auth component failing bringing down a major provider), Kerberos’ adoption issues on the web have more to do with network effect and monetization than technical limitations with the protocol. | | |
| ▲ | gfody 7 hours ago | parent [-] | | seriously "kerberos doesn't work well on the web" is like saying "cars don't work well on the road" browsers could make it easier to approve domains for spnego (chrome already makes it automatic for enterprise accounts). the market just doesn't want real security, it wants to login with its facebook profile. |
|
|
|
|
| ▲ | rootsudo 4 days ago | parent | prev | next [-] |
| Oh man, I was close with this a few times as I ran powershell in different ISE windows and sometimes copied/pasted things over for different tenants, darn - it really seemed so obvious of an exploit! |
|
| ▲ | Sytten 4 days ago | parent | prev | next [-] |
| I recently had to deal with Entra ID for the first time to setup Microsoft OAuth for our site and my god why is it so badly designed. Just creating a tenant is a PITA and you get a default tenant you can't change without paying for Microsoft 365? Then you have subscriptions, Microsoft partners, Enteprise vs individual accounts, etc. All mixed with legacy AD naming and renaming, documentation with outdated screenshots, Microsoft Partners bullshit. |
| |
| ▲ | 7bit 4 days ago | parent | next [-] | | > Just creating a tenant is a PITA and you get a default tenant you can't change without paying for Microsoft 365? What exactly ist a PITA when creating a tenant? It's straightforward. And what do you mean by default tenant that you cannot change unless you pay? Nothing comes to mind where that would be the case. Are you sure you're not just using it wrong? | | |
| ▲ | Sytten 4 days ago | parent [-] | | You literally cannot change your tenant ID and the form by default picks a random for you. There is a hidden form I found on reddit that lets you pick a tenant ID but wtf. Also by default you can't create a tenant without an existing Microsoft account, which everybody acknowledge is a chicken and egg problem. | | |
| |
| ▲ | Propelloni 4 days ago | parent | prev | next [-] | | There ist a whole industry clustered around this FUBAR that makes its living by helping companies navigate this shit. It has small and big players and they have no incentive to tell you that there is anything else you could use. The monthly Service fee is too tasty. | |
| ▲ | 4 days ago | parent | prev | next [-] | | [deleted] | |
| ▲ | Kneecaps07 4 days ago | parent | prev [-] | | It takes like two minutes to create a tenant. Click Next a bunch, enter a credit card, you're done. And yes they have different types of accounts and methods of billing. Their customer base is probably in the hundreds of millions. People are going to want options. I don't really see the issue there. |
|
|
| ▲ | VoidWhisperer 4 days ago | parent | prev | next [-] |
| I feel like I remember a similar attack related to Entra ID from a while ago, although I can't remember exactly what it was (maybe [0] or [1]?).. I understand that this is a complex system, but I would be concerned with the number of relatively high severity vulnerabilities being found in it. [0]: https://securitylabs.datadoghq.com/articles/i-spy-escalating...
[1]: https://www.semperis.com/blog/unoauthorized-privilege-elevat... |
| |
| ▲ | mindcrash 3 days ago | parent [-] | | You could get into Microsoft's tenant with any Entra account. That's because Microsoft's own fucking developers don't even understand how Entra authentication/authorization works, and that in some/most scenarios you'll need to check if a account is actually authorized to enter a protected resource post-login (which you need to do within the Oauth login flow in the resource being accessed, nobody will do it for you). Something I already discovered by accident (and fixed, ofcourse!) in my own SaaS service at the time (with support for Entra B2B authentication) even before this researcher discovered the same at Microsoft: https://research.eye.security/consent-and-compromise/ HN discussion thread: https://news.ycombinator.com/item?id=44850681 | | |
|
|
| ▲ | malnourish 4 days ago | parent | prev | next [-] |
| I imagine this paid out quote the bounty; exploited, it's hard to think of a more damning security flaw. |
|
| ▲ | cr125rider 4 days ago | parent | prev | next [-] |
| Wow the keys to all the enterprise castles! That’s wild! |
|
| ▲ | jwpapi 4 days ago | parent | prev | next [-] |
| Was there a bounty? |
|
| ▲ | TavsiE9s 4 days ago | parent | prev | next [-] |
| Microsoft, Azure, why am I not surprised? |
|
| ▲ | curtisszmania 3 days ago | parent | prev [-] |
| [dead] |
