Presented at
DEF CON 31 (2023),
Aug. 12, 2023, 1 p.m.
(45 minutes).
This presentation will cover a complete exploit chain in Azure B2C, starting with a discovery of cryptographic misuse and leading to full account compromise in any tenant as an unauthenticated attacker.
Portions of this vulnerability have been released publicly, but several pieces were omitted to provide Microsoft time to remediate the issue and not put Azure B2C environments at unnecessary risk. New details in this talk include steps to reverse engineer and discover the crypto vulnerability along with details of a novel attack for crypto key recovery.
For background, Microsoft Azure B2C is an identity and access management service for customer-facing apps. Thousands of organizations use this service, including national/state/local governments, professional societies, and commercial companies. The service is also used in the public Microsoft Security Response Center (MSRC) web portal as the main method for researchers to disclose vulnerabilities as part of Microsoft's bug bounty programs. The full exploit chain was effective against the MSRC and would have allowed an attacker to enumerate details of disclosed but not-yet-patched Microsoft zero day vulnerabilities.
REFERENCES:
[1] Previous disclosure of portions of this vulnerability: https://www.praetorian.com/blog/azure-b2c-crypto-misuse-and-account-compromise/
[2] Discussion of encryption and signatures in JSON Web Tokens (JWTs): https://www.praetorian.com/blog/signing-and-encrypting-with-json-web-tokens/
[3] Azure B2C Configuration Tutorial: https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy
[4] What to Expect When Reporting Vulnerabilities to Microsoft https://msrc.microsoft.com/blog/2020/09/what-to-expect-when-reporting-vulnerabilities-to-microsoft/
Presenters:
-
John Novak
- Technical Director at Praetorian
John Novak is a Technical Director at Praetorian with a deep interest in cryptography, reverse
engineering, and embedded firmware. His evolution to computer security and hacker culture began with an undergraduate degree in mathematics followed by ten years of cryptography, security research, and exploit development at a previous employer. His current role at Praetorian includes conducting numerous security assessments for IoT devices, web applications, mobile applications, and (on occasion) cloud services.
Links:
Similar Presentations: