I Am Whoever I Say I Am: Infiltrating Identity Providers Using a 0Click Exploit

Presented at Black Hat USA 2022, Aug. 10, 2022, 3:20 p.m. (40 minutes)

Single Sign On (SSO) has become the dominant authentication scheme for logging in to several related, yet independent, software systems. At the core of this are the identity providers (IdP). Their role is to perform credential verification and to supply a signed token that service providers (SP) can consume for access control.

When an application requests resources on behalf of a user and the user grants them, an authorization request is made to an authorization server (AS). The AS exchanges a code for a token, which is presented to a resource server (RS), and the requested resources are consumed by the requesting application.

OAuth2 handles authorization and SAML handles authentication, and Identity and Access Management (IAM) solutions, which cover both use cases, have become very popular in the enterprise environment. What if IAM solutions are vulnerable to critical remote attacks? They need to be exposed on the internet and trusted to guard identities and facilitate access for hundreds, if not thousands, of users and applications.
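The AS, RS and client roles described above, as an added example that is not part of the talk or of any product it covers: a minimal simulated authorization-code exchange in Python, showing the checks an authorization server and a resource server must make (codes redeemable once and bound to the issuing client and redirect URI, signature verified before any claim is trusted). The shared HMAC key and the app1/alice names are constructed stand-ins; a real IdP signs tokens with an asymmetric key.

```python
import base64, hashlib, hmac, json, secrets, time

KEY = b"constructed-demo-secret"  # constructed stand-in; real IdPs sign with a private key

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

class AuthorizationServer:
    # Issues one-time authorization codes and swaps them for signed tokens.
    def __init__(self, key, ttl=60):
        self.key, self.ttl, self.codes = key, ttl, {}
    def authorize(self, user, client_id, redirect_uri):
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"sub": user, "client_id": client_id,
                            "redirect_uri": redirect_uri, "exp": time.time() + self.ttl}
        return code
    def token(self, code, client_id, redirect_uri):
        grant = self.codes.pop(code, None)  # pop: a code is redeemable exactly once
        if grant is None or grant["exp"] < time.time():
            return None
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            return None  # the code may only be redeemed by the client it was issued to
        claims = {"sub": grant["sub"], "aud": client_id, "exp": int(time.time()) + self.ttl}
        body = b64(json.dumps(claims, separators=(",", ":")).encode())
        return body + "." + b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())

class ResourceServer:
    # Accepts only tokens with a valid signature, the right audience and a future expiry.
    def __init__(self, key, audience):
        self.key, self.audience = key, audience
    def verify(self, token):
        body, _, sig = token.partition(".")
        expected = b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            return None  # signature check comes first; unsigned claims are never trusted
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if claims.get("aud") != self.audience or claims.get("exp", 0) < time.time():
            return None
        return claims["sub"]

def demo():
    AS, RS = AuthorizationServer(KEY), ResourceServer(KEY, "app1")
    cb = "https://app1.example/callback"  # constructed redirect URI
    code = AS.authorize("alice", "app1", cb)
    tok = AS.token(code, "app1", cb)
    forged = b64(b'{"sub":"admin","aud":"app1","exp":9999999999}') + "." + tok.partition(".")[2]
    stolen = AS.authorize("alice", "app1", cb)
    return {"user": RS.verify(tok),
            "replay": AS.token(code, "app1", cb),          # second redemption is refused
            "wrong_client": AS.token(stolen, "other", cb),  # code bound to issuing client
            "forged": RS.verify(forged)}                    # claims without a valid signature
```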

To begin with, I will cover the foundational use case for IAM solutions and some past in-the-wild (ITW) attacks, along with the extent of their impact.

Continuing, I will present the approach I took with the audit, including the challenges and pitfalls I faced and how I overcame them. The result: unauthenticated remote code execution as root, achieved by chaining multiple vulnerabilities in a very popular IAM solution used by several Fortune 500 companies and government organizations.

The vulnerabilities will be discussed in detail, including novel exploitation strategies for bypassing strict outbound network access. Finally, a live demo will be presented, with a release of functional exploit code so that penetration testers and network administrators can validate and remediate these critical findings.


Presenters:

  • Steven Seeley - Security Researcher, 360 Vulnerability Research Institute
    Steven Seeley, aka mr_me, is a security researcher at 360 Vulnerability Research Institute. He is the "Master of Pwn" champion for Pwn2Own Miami 2020 and has also spoken at several conferences such as Defcon, HITB AMS, Bluehat and BSides Mexico. Currently, Steven is a 0day offensive security researcher focusing on web/application security impacting cloud environments. He has found over 1500 critical and high impact vulnerabilities in software affecting vendors such as Adobe, Microsoft, Oracle, VMWare, Apple, Cisco, and HPE, to name a few, and in 2021 successfully compromised the Microsoft Office 365 Cloud using a 0day vulnerability he found. Steven also teaches an advanced web hacking class known as "Full Stack Web Attack", where he covers the methodologies of technical web application security research with a focus on server-side vulnerability discovery and exploitation. Need more information about Steven? You can find him on Twitter @steventseeley and his blog at https://srcincite.io/.