
New Video from @BlackHatOfficialYT: Exploring Vulnerabilities in Multi-Tenant Cloud Applications
In this video, Eric Woodruff, Senior Security Researcher at Semperis, explores vulnerabilities related to multi-tenant applications in cloud environments, particularly those using Microsoft Azure and Microsoft 365. Woodruff focuses on the Application Administrator role and service principals in Azure tenants, and on how these elements can be abused to gain elevated privileges.

Woodruff begins by explaining the basic concepts of applications and service principals in Azure. He emphasizes that even identity experts often have a limited understanding of application registrations and service principals. He introduces the Application Administrator role, which is responsible for managing applications within a tenant but should not have the ability to manage other roles. However, Woodruff finds that this role can be used to gain elevated privileges, which is a critical flaw.

He then explains the process of impersonating Microsoft applications by assigning credentials to their service principals and using those credentials to authenticate and obtain access tokens. Woodruff demonstrates how, with these tokens, it is possible to call APIs and perform privileged actions even without the appropriate permissions. He identifies nine applications that support the OAuth2 client credentials flow; four of these have write scopes, allowing potentially dangerous actions. Woodruff shares his findings on specific applications, including Device Registration Service, Viva Engage, and Rights Management Services, which can be used to manage roles, delete privileged users, and create new users. He emphasizes that these actions should normally be blocked for an Application Administrator, but because of flaws in the authorization mechanisms they are possible.

He also discusses the practical implications of these findings. Woodruff notes that many organizations do not consider the Application Administrator role to be privileged, which can leave these weaknesses exploitable. He recommends monitoring for suspicious credentials and using tools such as Microsoft Sentinel to detect abnormal behavior.

In conclusion, Woodruff shares his interactions with Microsoft and the corrective measures taken to address these vulnerabilities. He stresses the importance of vigilance and continuous monitoring to secure cloud environments. For more details, read Woodruff's blog at shortlink.ent.ms/unauthorized.
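The detection Woodruff recommends can be reduced to one question: who is adding credentials to service principals that our tenant does not own? The following Python script is an added example, not code from the talk, from Semperis or from Microsoft. It walks over audit records shaped like Microsoft Entra audit-log entries (the `activityDisplayName`, `category`, `initiatedBy` and `targetResources` fields) and a service-principal inventory carrying the Graph `appOwnerOrganizationId` property, and flags successful credential additions on service principals owned by another tenant, which is what a multi-tenant Microsoft first-party application looks like locally. The records, the inventory, the tenant ids and the `CREDENTIAL_EVENTS` list are all constructed for the example; in a real deployment the records would come from the audit log export and the inventory from a Graph query.

```python
"""Flag credential additions on service principals owned by another tenant.

Constructed example: every record, id and name below is made up to resemble
Microsoft Entra audit-log and Graph servicePrincipal shapes. None of it is
real tenant data.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Assumed: placeholder id for our own tenant (not a real tenant).
OUR_TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"

# Assumed: audit activity names to watch. "Add service principal credentials"
# is the Entra audit name for adding a key or secret to a service principal;
# treat the set as a starting point to tune against your own logs.
CREDENTIAL_EVENTS = {"Add service principal credentials"}

# Constructed inventory keyed by service-principal object id. In practice this
# is built from Graph (/servicePrincipals, property appOwnerOrganizationId).
SP_INVENTORY = {
    "sp-obj-1": {"displayName": "Contoso Line-of-Business App",
                 "appOwnerOrganizationId": OUR_TENANT_ID},
    "sp-obj-2": {"displayName": "Device Registration Service",
                 "appOwnerOrganizationId": "11111111-1111-1111-1111-11111111bbbb"},
}

# Constructed audit records: one on our own app, one successful add on a
# foreign-owned SP, one failed add on the same SP, one on an SP we have
# no inventory entry for.
SAMPLE_EVENTS = [
    {"activityDateTime": "2024-08-07T10:01:00Z", "category": "ApplicationManagement",
     "activityDisplayName": "Add service principal credentials", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "dev@contoso.example"}},
     "targetResources": [{"id": "sp-obj-1", "displayName": "Contoso Line-of-Business App",
                          "type": "ServicePrincipal"}]},
    {"activityDateTime": "2024-08-07T10:02:00Z", "category": "ApplicationManagement",
     "activityDisplayName": "Add service principal credentials", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "appadmin@contoso.example"}},
     "targetResources": [{"id": "sp-obj-2", "displayName": "Device Registration Service",
                          "type": "ServicePrincipal"}]},
    {"activityDateTime": "2024-08-07T10:03:00Z", "category": "ApplicationManagement",
     "activityDisplayName": "Add service principal credentials", "result": "failure",
     "initiatedBy": {"user": {"userPrincipalName": "appadmin@contoso.example"}},
     "targetResources": [{"id": "sp-obj-2", "displayName": "Device Registration Service",
                          "type": "ServicePrincipal"}]},
    {"activityDateTime": "2024-08-07T10:04:00Z", "category": "ApplicationManagement",
     "activityDisplayName": "Add service principal credentials", "result": "success",
     "initiatedBy": {"app": {"displayName": "Some Automation"}},
     "targetResources": [{"id": "sp-obj-9", "displayName": "Unknown SP",
                          "type": "ServicePrincipal"}]},
]


@dataclass(frozen=True)
class Finding:
    when: str
    initiator: str
    sp_id: str
    sp_name: str
    owner_tenant: str  # "unknown" when the SP is missing from the inventory
    reason: str


def _initiator(event: dict) -> str:
    """Return the user or app that performed the action."""
    by = event.get("initiatedBy") or {}
    user = by.get("user") or {}
    app = by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def find_foreign_sp_credential_adds(events: Iterable[dict], inventory: dict,
                                    our_tenant: str) -> List[Finding]:
    """Return one Finding per successful credential add on a service principal
    that is not owned by our tenant, or that is absent from the inventory."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("category") != "ApplicationManagement":
            continue
        if ev.get("activityDisplayName") not in CREDENTIAL_EVENTS:
            continue
        if ev.get("result") != "success":  # failed attempts are worth alerting on too,
            continue                        # but this example reports only what took effect
        for target in ev.get("targetResources", []):
            if target.get("type") != "ServicePrincipal":
                continue
            sp = inventory.get(target.get("id"))
            if sp is None:
                owner = "unknown"
                reason = "credential added to service principal missing from inventory"
            elif sp["appOwnerOrganizationId"] != our_tenant:
                owner = sp["appOwnerOrganizationId"]
                reason = "credential added to service principal owned by another tenant"
            else:
                continue  # our own app; ordinary administration
            findings.append(Finding(ev.get("activityDateTime", ""), _initiator(ev),
                                    target.get("id", ""), target.get("displayName", ""),
                                    owner, reason))
    return findings


if __name__ == "__main__":
    for f in find_foreign_sp_credential_adds(SAMPLE_EVENTS, SP_INVENTORY, OUR_TENANT_ID):
        print(f"{f.when} {f.initiator} -> {f.sp_name} ({f.sp_id}) owner={f.owner_tenant}: {f.reason}")
```

Run as-is, the script reports the credential added to the foreign-owned Device Registration Service principal and the one added to the unknown principal; the add on the tenant's own application and the failed attempt are left alone. Treating "not in inventory" as a finding is deliberate: a service principal that was created and given a credential between two inventory snapshots is exactly the case a periodic check would otherwise miss.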