Criminals use Microsoft Entra ID to escalate privileges


Compiled by: Code Guard

Cybersecurity researchers have discovered an elevation of privilege vulnerability associated with Microsoft's Entra ID (formerly known as Azure Active Directory) application that exploits obsolete reply URLs.


Last week, Secureworks' Counter Threat Unit (CTU) released a report saying, "Adversaries can use this abandoned URL to redirect the authorization code to themselves, replacing the access token with an illegally obtained authorization code. The threat actor can then call the Power Platform API through the middle-tier service and obtain elevated permissions."

The researchers notified Microsoft of the vulnerability on April 5, 2023, and Microsoft released an update the following day. Secureworks also released an open source tool that other organizations can use to scan for deprecated reply URLs. A reply URL, also known as a redirect URI, is the location to which the authorization server sends the user after the app has been successfully authorized and has obtained an authorization code or access token.

Microsoft mentioned in the documentation, "The authorization server sends a code or token to the redirect URI, so it is important to register the correct location during the app registration flow."

Researchers discovered that an abandoned Dynamics Data Integration app reply URL associated with an Azure Traffic Manager configuration enabled it to call the Power Platform API through a middle-tier service and tamper with the environment configuration.
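A defender's first step against this class of issue is to inventory every reply URL registered in the tenant and flag the ones whose hostnames no longer resolve, since a dangling name is what an attacker can later take over. The example below is added here and is not Secureworks' scanner or Microsoft code; it assumes the app registrations have already been exported (for instance from the Microsoft Graph `applications` resource, whose `web.redirectUris` field lists reply URLs) into the list shape shown, and it uses an injectable resolver so the check runs offline against the constructed sample.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample export: two app registrations and their reply URLs.
SAMPLE_APPS = [
    {"displayName": "Dynamics Data Integration",
     "replyUrls": ["https://ddi-legacy.trafficmanager.net/signin",
                   "https://ddi.contoso.example/auth/callback"]},
    {"displayName": "Expense Portal",
     "replyUrls": ["https://expenses.contoso.example/callback",
                   "http://localhost:5000/callback"]},
]

# Constructed DNS answers that stand in for real lookups in this example;
# the Traffic Manager name is deliberately absent to model a dangling host.
FAKE_DNS = {"ddi.contoso.example": "203.0.113.10",
            "expenses.contoso.example": "203.0.113.20"}


def fake_resolve(host):
    """Offline resolver: True if the host is in the constructed table."""
    return host in FAKE_DNS


def live_resolve(host):
    """Real resolver to use against an actual tenant export."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def find_dangling_reply_urls(apps, resolve=fake_resolve):
    """Return (app name, url, reason) for reply URLs that look abandoned.

    A URL is flagged when its hostname no longer resolves (a name someone
    else could register and receive authorization codes at) or when it is
    not https (the code would travel in the clear). Loopback URLs are
    skipped because local development redirects are a normal exception.
    """
    findings = []
    for app in apps:
        for url in app.get("replyUrls", []):
            parts = urlsplit(url)
            host = parts.hostname or ""
            if host == "localhost":
                continue
            if parts.scheme != "https":
                findings.append((app["displayName"], url, "non-https"))
            if host and not resolve(host):
                findings.append((app["displayName"], url, "unresolvable host"))
    return findings
```

Run `find_dangling_reply_urls(exported_apps, resolve=live_resolve)` against a real export and review every flagged URL for removal; an unresolvable host is a finding to act on, not proof of compromise.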

In a hypothetical attack scenario, this could be used to acquire the system administrator role for an existing service principal and send a request to delete an environment, as well as to abuse the Azure AD Graph API to gather information about the target for subsequent campaigns. However, the attack requires the victim to click a malicious link, since the authorization code is sent by Microsoft Entra ID upon user login to the redirect URL hijacked by the threat actor.

Kroll has disclosed a surge in DocuSign-themed phishing campaigns that exploit redirects, allowing attackers to distribute specially crafted URLs that send potential victims to malicious sites when clicked. "By constructing a spoofed URL that leverages a trusted website, malicious actors can more easily manipulate users into clicking on the link and trick or bypass web technologies that scan the link for malicious content. This causes victims to be redirected to malicious sites designed to steal sensitive information such as login credentials, credit card details or personal data," said George Glass, an employee at the company.




Original link

https://thehackernews.com/2023/08/experts-uncover-how-cybercriminals.html

Title image: Pexels License

This article was compiled by Qi Anxin and does not represent the views of Qi Anxin. Please indicate "Reprinted from Qianxin Code Guard https://codesafe.qianxin.com" when reprinting.


Origin blog.csdn.net/smellycat000/article/details/132573384