vurpic.blogg.se

Admin azure login









This blog describes a vulnerability discovered by Fox-IT last year in Azure AD Connect, which would allow anyone with account creation privileges in the on-premise Active Directory to modify the password of any cloud-only account in Azure AD. Because of the way accounts are commonly configured, this could often enable an attacker to take over the highest admin accounts (Global Administrator) in Azure AD.

Azure AD Connect – connecting on-premise and the cloud

When companies use Azure, for example for Office 365, it is common to synchronize the accounts in Azure with the accounts on-premise. This way users can sign in with the same identity, and often with the same password, for their Azure resources. Azure AD Connect is a utility offered by Microsoft which enables this by continuously synchronizing on-premise data with Azure AD. The two most common ways for this are via Active Directory Federation Services (ADFS) and Password Synchronization. With password synchronization, the password of every account is synchronized from Domain Controllers on-premise and pushed to Azure. The privileges required for this are similar to the privileges of Domain Controllers (which use the same protocols to synchronize between each other), making the Azure AD Connect server a high-value target for attackers. With ADFS, the authentication is not performed in Azure but on a server on-premise, which becomes the authority for the Azure AD environment. In this post we will focus on Azure AD Connect configured in Password Synchronization mode, but it is likely that the vulnerability also applied to other methods of authentication.

This story started on an assignment for one of our clients, where we performed a scenario-based penetration test. In such tests, flags are defined that the testers will try to achieve during the test by escalating privileges and compromising business-critical systems. In this assignment, one of the flags was to gain access to the inbox of the CEO, which was in Office 365. The CEO’s account also had Multi Factor Authentication (MFA) enforced, meaning that even if we did manage to obtain the password, we still wouldn’t be able to access the inbox without disabling MFA or using phishing. We could not obtain the flag by taking over his workstation either, as the person in question was out-of-office during the limited time-frame available for the assignment.

For some of the different flags we already obtained Domain Admin privileges in the network. The question we asked ourselves was: given a certain amount of access in the on-premise Active Directory, can we compromise Azure AD as well?

Account synchronization









