Recently, two security researchers, Ioannis Kakavas and Klemen Bratec, announced their discovery of a vulnerability in the SAML service provider of Microsoft's Office 365 platform. The vulnerability can be exploited for a cross-domain authentication bypass and affected every federated domain on the Office 365 platform.
An attacker could use it to bypass access restrictions and gain unauthorized access to the Office 365 accounts of affected users, and through them to their mailboxes, the files stored in OneDrive (Microsoft's cloud storage service) and so on. Microsoft has since fixed the vulnerability.
SAML, the Security Assertion Markup Language, is an XML-based standard for exchanging authentication and authorization data between different security domains. Its most important use is cross-domain single sign-on: once a user has been authenticated, SAML lets them access resources from multiple application services without authenticating again (for example, entering the account name and password a second time). SAML is the "middleman" of this process.
Web single sign-on (Single Sign-On, SSO)
Single sign-on is a technique that simplifies user access to the network. As mentioned above, once a user has logged on once, they gain access to the systems and applications they are authorized for and can switch between applications without repeatedly entering user names, passwords or other identity proofs. Under these conditions administrators can implement the desired security controls without modifying or interfering with the user's login.
For example, when registering on a website we often find that, besides creating a new account, we can also sign in with an existing account from another service (such as QQ or Weibo); this uses web single sign-on. From the users' point of view, part of the user base of web site A is really a duplicate of the user base of web site B, so for these users the question is how to let someone who already has access to web site A visit web site B without a separate authorization. Web single sign-on technology is a good solution to this.
Some important concepts in SAML
With the simple introduction above in mind, this section focuses on the principles of SAML 2.0. The most important parts of the current SAML standard are as follows.
1, Assertions
An assertion is an XML structure that packages information about a user. The two most commonly used assertion types are:
(1) Authentication assertions, which state that a user has proved their identity;
(2) Attribute assertions, which contain specific information about a user (such as e-mail address, name, and so on).
2, Protocols
A SAML protocol describes how certain SAML elements (for example, assertions) are encapsulated in a request, how the receiving system responds to the request, and the rules that SAML entities (identity provider and service provider) must follow when presenting them at logon or logoff. In other words, the SAML protocols define the set of agreements by which system entities transport and handle SAML assertions; the authentication request protocol mentioned above is introduced below.
3, Bindings
A SAML binding describes how a SAML message is mapped onto non-SAML message formats and communication protocols. For example, during authentication the service provider (i.e. the application resource the user accesses) needs to communicate with the identity provider for verification; how the messages are transported and the needed information extracted is what the binding defines. When the message has to be carried in the query string of an HTTP GET request, the HTTP Redirect Binding defines how the URL is formatted so that it carries a standard SAML message: the SAML request is passed in the SAMLRequest query parameter after being DEFLATE-compressed, Base64-encoded and then URL-encoded, and the receiver decodes it in the reverse order.
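The encoding described above is easy to get wrong in practice (raw DEFLATE without the zlib header, then Base64, then URL-encoding, and the reverse on receipt), so here is an added example, not code from the original post or from any SAML library, that builds a minimal AuthnRequest, puts it on a redirect URL the way the service provider does in step two of the flow below, and decodes it again the way the identity provider does. The SP, IdP and ACS URLs are hypothetical.

```python
import base64
import urllib.parse
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Hypothetical endpoints used only for this example.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/saml2/idp/SSOService.php"

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL, idp_sso_url=IDP_SSO_URL):
    """Build a minimal AuthnRequest. Returns (request_id, xml); the SP must remember
    request_id so it can check InResponseTo on the response later."""
    request_id = "_" + uuid.uuid4().hex
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{sp_entity_id}</saml:Issuer>'
        f'</samlp:AuthnRequest>'
    )
    return request_id, xml


def encode_redirect_binding(xml):
    """Raw DEFLATE (wbits=-15 means no zlib header/trailer) followed by Base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def build_redirect_url(xml, idp_sso_url=IDP_SSO_URL, relay_state=None):
    """The URL the SP redirects the browser to. urlencode() performs the final
    URL-encoding step, so '+' and '/' from Base64 become %2B and %2F."""
    params = {"SAMLRequest": encode_redirect_binding(xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urllib.parse.urlencode(params)


def decode_redirect_binding(url):
    """What the IdP does on receipt: URL-decode, Base64-decode, inflate, parse."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode("utf-8")   # -15 again: raw DEFLATE stream
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("SAMLRequest is not an AuthnRequest")
    return {
        "ID": root.get("ID"),
        "IssueInstant": root.get("IssueInstant"),
        "Destination": root.get("Destination"),
        "Issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "RelayState": query.get("RelayState", [None])[0],
    }


if __name__ == "__main__":
    req_id, req_xml = build_authn_request()
    url = build_redirect_url(req_xml, relay_state="/inbox")
    print(url)
    print(decode_redirect_binding(url))
```

A receiving IdP should additionally compare the Destination attribute with the URL it actually received the request on and refuse requests from unknown Issuer values; if the request is signed under the Redirect binding, the signature travels in a separate Signature query parameter (with SigAlg) rather than inside the deflated XML.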
4, Identity Provider
A SAML identity provider authenticates the user and holds information about them; once the user is authenticated it can issue assertions for that user which grant the user permissions to act within applications.
5, Service Provider
The service provider is the recipient of SAML messages; it accepts user information from the identity provider and opens access to resources in line with the user's permissions.
Web browser single sign-on (SSO) example
Below is a simple example based on the web browser SSO profile, which we can use to understand SAML more deeply. In this single sign-on process the service provider uses the HTTP Redirect binding and the identity provider uses the HTTP POST binding. The whole process involves the following parties:
1, the user's browser
2, the identity provider
3, the service provider
The interaction between the three is as follows.
First, in this case the single sign-on process begins when a user tries to access a protected resource (in simple terms, a request to log on). The service provider has to allow or deny federated logon and, in real time, redirect the user to a service interface where they choose their identity provider. Through automatic matching the service provider knows and trusts the identity provider of the user's choice, and then creates a SAML authentication request.
Two important parts of the request need to be understood:
1, Issuer: the entity ID of the service provider, encoded in the form of a URI (uniform resource identifier), a string that acts as an identity. The Issuer tells the identity provider which service provider is requesting the user's authentication.
2, IssueInstant: the time at which the service provider issued the request. Together with the generated ID, the request's internal identifier, it is used to match the SAML response that comes back with the request that was sent.
Second, the user's browser is redirected to the identity provider's binding URL, carrying the SAML authentication request in the query parameters of an HTTP GET (the request is compressed, then Base64-encoded and URL-encoded before being passed).
Third, after receiving the SAML request from the user's browser, the identity provider checks the identity of the service provider that sent it, verifies the contents of the request, and then prompts the user to authenticate (enter account and password). If the user authenticates successfully, the identity provider generates a SAML response.
(The example SAML response shown at this point in the original post did not survive extraction; only the Base64 value of the X.509 certificate from its signature block remained, and it is omitted here.)
Fourth, the user's browser is directed to deliver the response to the service provider in an HTTP POST request. The parts you need to know are as follows.
1, InResponseTo contains an ID value that must match the ID of the request the service provider sent earlier (against replay attacks);
2, IssueInstant, NotBefore and NotOnOrAfter define when the SAML response (and assertion) is valid, which also helps avoid replay attacks;
3, the assertion also contains an Issuer field holding a URL, so the service provider can confirm the identity of the identity provider (it must match the identity provider that the earlier request was sent to);
4, AudienceRestriction defines which service providers may consume the assertion; other service providers do not have permission to read it;
5, Subject identifies the authenticated user;
6, AttributeStatement contains information about the authenticated user, in the form of attributes and their values.
The assertion (and the whole SAML response) is protected with an XML Signature so that its integrity can be checked and tampering in transit detected.
Fifth, after receiving the SAML response, the service provider verifies its contents and structure and the signature, then treats the user as authenticated, assigns the user a cookie and starts a web session.
Where does the problem lie?
At this point you may wonder:
1, how does the service provider know and trust the identity provider?
2, how does the identity provider know and trust the service provider?
3, how does the identity provider sign the assertion?
4, how does the service provider verify the assertion's integrity after receiving it?
In fact, before any validation can happen, the identity provider and service provider must already trust each other. To support the request/response interaction and the verification of identities and information, the two need to exchange metadata. The metadata can be understood to contain the public key (certificate) corresponding to the private key the identity provider uses to sign assertions, the binding URLs of each entity (service provider or identity provider), the algorithms supported for requests and responses, and so on. Starting from this, there are two ways for them to obtain each other's metadata:
1, the two sides exchange metadata in a secure way and establish the trust relationship themselves;
2, or they join a federation and delegate the trust relationship to a third party. The federation operator then collects metadata from all participating entities (identity providers and service providers) and publishes it. Each identity provider and service provider submits its own metadata and obtains information about the other entities participating in the federation.
How does the Office 365 SAML interaction work?
The Office 365 platform's service provider uses a hybrid of WS-Trust and the SAML 2.0 web browser SSO profile. Office 365 supports both WS-Trust and SAML 2.0 web browser SSO as ways of accessing the platform, but the two are not independent of each other.
WS-Trust provides a security token service with operations such as token issuance (Issue), renewal (Renew) and cancellation (Cancel). The SAML service provider passes the SAML 2.0 information through a token conversion service that turns it into WS-Trust information. Because of this token conversion service, a vulnerability found in the SAML service provider also affects WS-Trust single sign-on.
For simplicity, however, the Office 365 service provider can be thought of as using SAML single sign-on.
It must be emphasized that for SAML-authenticated accounts Office 365 does not support real-time (just-in-time) provisioning: an account used for single sign-on must already exist in the tenant's Azure AD. This requires directory synchronization or provisioning by an IDM system, which is beyond the scope of this article.
The identity provider must release the following two pieces of information in the response so that the Office 365 service provider can match the user:
1, the user's UPN (User Principal Name), carried in the IDPEmail attribute issued by the identity provider;
2, ImmutableId, the user's unique identifier, carried in the Subject of the SAML assertion.
Next, let us look at the Office 365 platform login.
The process begins when the user accesses the Office 365 portal and is redirected to https://login.microsoftonline.com/login.srf, which returns the login form.
Type the user name and press TAB or click on the password field: the page builds an XHR (XMLHttpRequest) to check the user's domain (roughly, the enterprise the user belongs to) and match it against an Office 365 tenant (roughly, an enterprise's subscription to the service):
GET [email protected]&api-version=2.1&stsRequest= rQIIAbNSzigpKSi20tcvyC8qSczRy09Ly0xO1UvOz9XLL0rPTAGxioS4BMruuVuZ2Fh77Wj-e6KxLMF2FaMaTp36OYl5KZl56XqJxQUVFxgZu5hYDA2MjTcxsfo6-zp5nmCacFbuFpOgf1G6Z0p4sVtqSmpRYklmft4jJt7Q4tQi _7ycypD87NS8Scx8OfnpmXnxxUVp8Wk5-eVAAaDxBYnJJfElmcnZqSW7mFVSU00tTCxTUnRNkpOTdU2Sksx0kwxSzXRTzZMtTC1ME00Mk1MOsGwIucAi8IOFcREr0C-3A6ZLrn182Gt-tWV-vVlpwi5OW-L8Yl-SWJSeWmKrapSWkpqWWJpTAhYGAA2 &checkForMicrosoftAccount=false HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept-Encoding: gzip, deflate, br
Referer: https://login.microsoftonline.com/login.srf?wa=wsignin1.0&rpsnv=4&ct=1460721662&rver=6.7.6640.0&wp=MCMBI&wreply=https%3a%2f%2fportal.office.com%2flanding.aspx %3ftarget%3d%252fdefault.aspx&lc=1033&id=501392&msafed=0&client-request-id=3a47de76-3c34-4a3b-b883-fdc88176603d
If the domain is known and configured for federated identity, the user's browser is directed to build an HTTP POST request to the identity provider's HTTP-POST binding URL. The details are as follows:
The user then authenticates in real time at the identity provider, as follows:
The browser is then directed to create an HTTP POST back to the Office 365 HTTP-POST binding URL, carrying the SAML response that contains the assertion. The original post shows a simple example of the response with parts removed for brevity; the points it highlights are:
The Subject of the assertion carries the ImmutableId, the user's unique identifier, as the NameID.
The attribute statement carries the IDPEmail attribute, whose value matches the UPN (user principal name) of the account that already exists in Azure AD.
Here both the SAML response and the SAML assertion can be digitally signed.
About the SAML NameID
First of all, from the assertion above we note that the Office 365 SAML service provider ignores the Subject of the assertion, even though the ImmutableId value contained there is the user's unique identifier in Azure AD.
Names and identifiers are expressed with the SAML 2.0 <NameID> element, which is commonly used to identify the subject of a SAML assertion. A name identifier can be any string, usually an e-mail address or computer name.
From an attacker's point of view the NameID is not validated for accuracy, which makes things easier; the ImmutableId usually derives from the AD objectGUID.
During identity verification the value of the IDPEmail attribute is matched against the UPN of the user in Azure AD, relying on the information in the assertion. The assertion also carries the Issuer (and the signature is verified), so according to the understanding above, shouldn't it normally be impossible for an unrelated identity provider to create assertions for the users of other domains (or tenants)?
The answer is no.
It turns out (in the course of this exploit) that the service provider used the Issuer of the assertion only to find the matching certificate for verifying the signature of the SAML response or assertion; it did not perform any check on the value of the IDPEmail attribute against that Issuer. This basically means that an assertion issued by identity provider A can be used to authenticate a user who belongs to identity provider B, and so to access domain B's resources.
How is the vulnerability exploited?
To verify the vulnerability we need an Office 365 tenant federated with a SAML 2.0 identity provider. We also need a basic Active Directory instance and SimpleSAMLphp (a PHP implementation of SAML 2.0 service provider and identity provider functions, compatible with Shibboleth 1.3 and 2.0) as the identity provider.
Then we set up a second organization, which plays the victim in this test: a new Office 365 trial tenant with a different EntityID, plus an extra SimpleSAMLphp instance.
The test environment we need is as follows:
1, an Office 365 tenant for someorg-attacker.com, with its own identity provider;
2, an Office 365 tenant for someorg-victim.com, with its own identity provider.
Next, we add user accounts to the someorg-attacker directory and see what happens when we try to log on. In the attacker's AD (Active Directory) we add someorg-victim.com as an alternative UPN suffix and then create new users with the built-in tools:
The users created in the attacker directory carry the victim's UPN suffix, so on the attacker side we now have users that correspond to real users on the victim side.
Next, we validate our findings. The validation steps are as follows:
1, we use the [email protected] account (either of the two accounts created above in the attacker directory) as the user name, and the browser is redirected to the someorg-attacker identity provider for authentication;
2, when signing in at the identity provider's real-time authentication, we use the account with the victim's domain name that we created earlier in the someorg-attacker directory (such as [email protected]), and the identity verification process completes successfully;
3, then the problem shows itself: after the identity provider has validated the user, Microsoft's login page shows an error message but takes no other action. In the end we are "smoothly" logged on as [email protected], with permission to access someorg-victim's resources.
Faced with this, we did not know whether to be happy (it validated our findings) or worried (because of the scope of the impact).
Affected users included,
3, Georgia State University
5, Santa Clara County
6, City of Chicago, IL
Vulnerability detection methods
We can also use the following query to verify whether a domain is configured for federation.
This HTTP GET request checks whether a domain has joined a federation and returns a JSON response: