
Hello everyone, my name is Jonathan Everett. I'll be talking to everyone today about the wide world of consent. Now, the reason the talk is called this is because I was told "Let's talk about consent" would be needlessly inflammatory, and so we went with this name instead.

Just a little bit of background about who I am. I was born in Joburg and I went to Parktown Boys' in Joburg, then I promptly went to the ocean and studied at UCT. While I studied at UCT I made myself many promises to not leave the ocean, to not go back and live in Joburg, until I got a job offer in Joburg and then went straight back to Joburg, where I'm currently a cyber security consultant at MWR CyberSec and I'm lead of the web application service. And then just a side note: I'm an ocean enthusiast stuck in a landlocked city. It does make my hobbies a lot harder than I'd like them to be; scuba diving in dams isn't the same as surfing.

Cool. So just a recap for anyone who's not very familiar with phishing. In the beginning there were two types of phishing, and most people are actually very familiar with this even if they don't know it by name. The first one is credential phishing, right? So a trustworthy stranger on the internet (the reason they're trustworthy is because they're on the internet, and everyone on the internet is trusted) says, "Here is a link to safe.com, please log in and use your credentials and then do whatever you need to do." Then they skim your credentials and they log in and make payments on your behalf. The second one is payload phishing, right? Another trusted stranger (we trust them because they're on the internet): "Hey, please download my malware, or sorry, my safe files from safefiles.com, and just to make sure there's no authorization problems, run it as an administrator." And you do that, and then they have a really good Christmas and you don't have the best one.

And now there's consent phishing, right? So now we're a little bit more wisened and we don't trust strangers as easily; we know our endpoints that we trust, endpoints like Microsoft Online. So here's a stranger saying, "Hi, please give my application access to your email inbox. There's a lot of trustworthy stranger spam going on and I want to clean that up so you don't get phished or anything like that. You're going to a legitimate Microsoft endpoint, and just give me the access I need to clean up your email inbox." And then once again you get phished, for a third time, and you just give up on the internet.

So the short of consent phishing is: a malicious application makes a request to an identity provider to have specific permissions granted over a user's account. The user then consents to these permissions for the application, which allows the application to perform actions on behalf of the user within the restrictions of the scope of consent. A couple of important things here: an identity provider is a trusted third party, and for the purposes of this talk we're going to be using Microsoft and Azure. And on that note, I do know Azure AD became Entra ID, but it was Azure AD for far longer than it's been Entra ID, so if I say Azure AD just think I'm saying Entra ID. And we'll look at all of these different points as the talk goes along and you'll understand why I phrased it like this.

Right, so just a couple of basics here for OAuth. So OAuth 2.0 is a very useful protocol, but it's used for authorization; OpenID is used for authentication. And obviously we all know that authorization is distinct from authentication, where authentication is the process of proving your identity and authorization is the process of associating privileges to someone who has proven their identity.

So here we just have (I'm suddenly getting louder) a quick diagram as to what it looks like from the user's perspective on this kind of flow, just so that we are all on the same page here. So pretty much you go to a web application, the web application says, "Hey, I need access to your account on Microsoft," so they redirect you to a legitimate Microsoft-owned domain, microsoftonline.com. And it's very important to note that this is your legitimate Microsoft login page. I'm not going to show you the Microsoft login page, I think we've all seen it. But once you get there, you log in if you don't have an active session, and then you get a consent prompt, which you saw earlier and you'll see later again, saying, "Will you give the following permissions to this application that is requesting over your account?" If you give those permissions you will be redirected back to that application with the code. The application in the back end can then take that code and get back an access token to perform actions on your behalf. It's very important to note it's getting an access token here. The reason it's very important is because it's not getting anything like a session; it's not something that you can revoke, it's not something that a password change will invalidate, because imagine if every time you changed your password you broke all of the integrations you had with your apps.

So this is, and I will keep stressing this, legitimate functionality. This is working, legitimate functionality, and attackers are doing what they love to do best: they take very useful legitimate functionality and they use it in illegitimate ways to have a really good Christmas. And so when does this become consent, right? So scopes are requests for privileges. If I want to read your email I'm going to go for the Mail.Read scope. When a user says the application can perform those actions, that is the user giving consent, right?

So this is good. As I said, the OAuth framework is a legitimate framework, it is very useful, and it's much better to have it than not to have it. Right, so some of the really good things we get out of it: we allow granular control of permissions over our accounts to be given out to third-party applications. Now, it's better to only give me access to reading your emails than giving me admin control over your entire account, but I mean, if you want to, you're welcome to give me that admin control; I'll send you an email address you can send the creds to. And the second one is you don't have to disclose your credentials, right? You're giving access to third-party applications, giving them control over your account, and you're not giving them your credentials, because even though everyone in this room definitely uses a different password for every web application they have, not everyone does that.

Anyway, so how do I get consent? Right, you ask, that's what you really need to do. But from a technical perspective, we need our malicious application. So what I have here is a trustworthy domain with DNS to an EC2 instance. I'm not going to go through all of that, there's a bunch of tutorials online. And then I registered an application in Azure, right? Remember, Microsoft, we're focusing on Azure. And then if you look on the right, you can see that I'm asking over here for a multi-tenant or multi-organizational application so I can phish other people. And then just my redirect URI is back to my attacker-controlled trustworthy domain. And then on that note, when you get here, something I forgot to mention is obviously you need to get a secret, right? You get a secret, basically a password, so you can prove your identity when requesting the access token. Then once you have everything set up you get a page like you see over there, with an application ID, your tenant ID, all of that stuff. All of that stuff is public information, so it's fine for me to show you guys, because the application ID, you can see on the right, goes into the link that you use for the consent grant, right? So if you think about it, every single application that's registered in Azure needs its own unique endpoint, so it's not doing a different domain or URL path for each application, it's passing a different parameter, and that parameter is your application ID, so it is public. And then just in this link you can see what you need here is your application ID and then the scopes you're requesting. The code here is the type of OAuth flow we're going through; there is a bunch more than what I'm doing today, there's too much to do in 45 minutes. Yeah, and then you get the users to click on your link, right? Much easier, it's a Microsoft link, so "Please, friend, click on my link, you will be rich, I promise," right? Classic internet scam. Oh, wrong one, yes.

And then we get over here, we get to the consent prompt. So I could have expanded each of these ones that you see over here; however, this is the default consent prompt that you would see. Now, an important thing: you have a really nice Microsoft badge at the top that makes phishing a lot easier, but you see my trustworthy application is unverified. We'll talk about that more later; basically it means I'm not a partner of Microsoft, I haven't joined their Cloud Partner Program. And then the application may be risky for the same reason. Also I'm asking for consent to create users in their tenant, so it is actually a risky application.

Yeah, so there's some interesting points here, right? So not anyone can grant consent to any scope; that would be a bad idea, right? Imagine if your normal users could grant full control over your Azure tenant. I wish all security teams luck with that scenario. But some privileges need administrator approval, and administrator approval can only be granted by a Global Admin or a Privileged Role Admin. It's important to note that every scope that requires administrative approval has to go through these guys; there aren't tiers to administrative approval, it's this or nothing. And there are a lot of scopes, several hundred, so just check out the Microsoft permissions if you are interested in it. And because the demo I am doing is going to be with an administrator scope, I don't want everyone just to focus on those scopes, because I mean it is the most fun to be an admin, right? If you gain admin access to a system that's when you have the best time, but that doesn't mean admins are the only people that matter. So here are some fun scopes that I saw that a threat actor may want to look into when performing a consent phishing attack.

Right, so OnlineMeetings.ReadWrite: just consider if an attacker had to watch all the meetings you've taken part in. Firstly you'd feel sorry for them because there's a lot of meetings, but just think about what information is discussed there and what information they could gain access to. People.Read: so just read all the contacts of a user, get legitimate emails to phish against, infer internal relationships, all of that stuff can be very useful. Mail.ReadWrite.Shared: CRUD operations on your mailbox and shared mailboxes. Then Mail.Send.Shared, if you don't want to go for the read/write: sending mails just makes phishing easier because you have an internal mailbox that you can then phish from. User.ReadBasic.All: so this is read basic information for all users. And then Analytics.Read, for those internet-based corporations who really want to sell our data; they can ask for our consent this time before they sell it.

But I would say the rule of thumb for granting consent is: if you have full control over the resource that you're granting consent for, you can likely grant that consent. If you don't have full control, you most likely need administrator approval. If there's something that's kind of split between you and a different role, that's probably going to require administrator approval, even if both roles aren't admins.

Right, so once we make that request, once the consent prompt has happened, we get back the code, which we can then trade to Microsoft, using this piece of code here, to get a nice access token. Now, a couple of important things here that we'll see later: what I'm using here is a confidential client application. Basically what that means is I'm using a secret to get a code back, and you'll see why that's interesting a little bit later. And then I get my access token back, and with that access token I can start profiting, and we can use that access token to perform other actions.
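The consent link the speaker describes carries everything a reviewer needs to judge it before anyone clicks: the tenant segment of the path (common means a multi-tenant app registered somewhere else), the public application ID, the redirect URI that will receive the authorization code, and the scopes. The inspector below is an added example, not the speaker's script or any Microsoft tooling. It parses such a link offline and applies the talk's rule of thumb for which scopes need administrator approval as a heuristic (the qualifier after the verb: own resource, Shared, or All); the one exception coded in, User.ReadBasic.All being user-consentable, is from the Microsoft Graph permissions reference, and the Microsoft reference remains the authority for any other scope. The client ID, the redirect domain and the sample link are constructed placeholders.

```python
"""Inspect a Microsoft identity platform consent link before anyone clicks it.

Added example (not the speaker's code). Parses the authorize URL described in
the talk and flags what a user-awareness or SOC reviewer would want to know.
The scope classification is the talk's rule of thumb, not Microsoft's table.
"""
from urllib.parse import urlparse, parse_qs

MICROSOFT_AUTHORITY_HOSTS = {"login.microsoftonline.com"}
MULTI_TENANT_PATHS = {"common", "organizations", "consumers"}
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}
# Known exception to the rule of thumb (Microsoft Graph permissions reference):
# this ".All" scope is user-consentable by default.
USER_CONSENTABLE_ALL = {"User.ReadBasic.All"}

# Constructed sample link: placeholder client_id and a placeholder redirect domain
# named after the talk's "trustworthy domain".
SAMPLE_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Ftrustworthydomain.example%2Fcallback"
    "&scope=openid%20Mail.Read%20Directory.ReadWrite.All%20Mail.Send.Shared"
)


def classify_scope(scope: str) -> str:
    """Heuristic from the talk: the last segment says whose resource it is.
    Mail.Read             -> the user's own mailbox: user can consent
    Mail.Send.Shared      -> split between the user and others: likely admin
    Directory.ReadWrite.All -> the whole tenant: Global/Privileged Role Admin
    """
    if scope in OIDC_SCOPES:
        return "oidc"
    if scope in USER_CONSENTABLE_ALL:
        return "user"
    parts = scope.split(".")
    qualifier = parts[-1] if len(parts) >= 3 else ""
    if qualifier == "All":
        return "admin"
    if qualifier == "Shared":
        return "likely-admin"
    return "user"


def inspect_consent_link(url: str) -> dict:
    """Return the facts about a consent link plus human-readable flags."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)

    def first(key: str) -> str:
        return query.get(key, [""])[0]

    path = parsed.path.strip("/")
    tenant = path.split("/")[0] if path else ""
    scopes = first("scope").split()
    classes = {scope: classify_scope(scope) for scope in scopes}
    redirect_host = urlparse(first("redirect_uri")).hostname or ""

    report = {
        "authority_is_microsoft": parsed.hostname in MICROSOFT_AUTHORITY_HOSTS,
        "tenant": tenant,
        "multi_tenant": tenant in MULTI_TENANT_PATHS,
        "client_id": first("client_id"),
        "response_type": first("response_type"),
        "redirect_host": redirect_host,
        "scopes": classes,
        "needs_admin": sorted(s for s, c in classes.items() if c == "admin"),
        "likely_admin": sorted(s for s, c in classes.items() if c == "likely-admin"),
    }
    flags = []
    if report["authority_is_microsoft"]:
        flags.append("genuine Microsoft login page; the badge proves nothing about the app")
    if redirect_host:
        flags.append(f"authorization code (and the access it buys) is sent to {redirect_host}")
    if report["multi_tenant"]:
        flags.append("multi-tenant registration: the app lives in someone else's tenant")
    if report["needs_admin"]:
        flags.append("asks for admin-approval scopes: " + ", ".join(report["needs_admin"]))
    if report["likely_admin"]:
        flags.append("asks for shared-resource scopes: " + ", ".join(report["likely_admin"]))
    report["flags"] = flags
    return report


if __name__ == "__main__":
    for key, value in inspect_consent_link(SAMPLE_LINK).items():
        print(f"{key}: {value}")
```

Run it on a link lifted from a reported phishing mail and the flags alone tell a user-awareness trainer what to say: the page is Microsoft's, but the code goes to a domain nobody recognises and the app wants tenant-wide scopes that only a Global Admin can approve.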
Remember, this is legitimate functionality, I just explained it to you; none of this is tooling or anything like that. The way I started doing this was I Googled "how do developers integrate with Azure," and then that's where I started. And we just have a little demo so we can see how it actually goes, if it plays. It's playing, yeah. So you can see I just generated myself an endpoint; it's a lot easier to phish yourself. So I pasted that into Firefox (sorry, forgot my browser), and you can see the logs for my web servers over here. Right now I'm logging in as J Frederickson. Side note: J Frederickson's not Jonno, it's James Frederickson; a lot of people seem to confuse that one. Here's the consent prompt; here I am asking for administrator approval, so I do have to consent on behalf of my organization. This is the only time someone else can grant consent for you. And here I get the code back, which is also in the logs, you can see at the bottom left. Once I take that code and I put it into my very secure Python script that definitely doesn't have a password in it (you'll see it now, there you go; the password has been deleted, don't use it, but if you do remember it, well done). I take a while to type because I didn't plan well enough for this demo. And then we run the code, and basically what we'll get back is we'll get a scope back, and we'll get specifically the scopes we asked for back.

Now I want to bring everyone's attention back to what I said at the beginning: you perform actions within the restrictions of the scope you requested. So I requested Directory.ReadWrite.All, which allows me to write new users to the directory, but it doesn't necessarily allow me to assign roles to those users. So you'll see now when I create a user with my Python script (if I type faster), when I create that user we're going to get an error on the second one. The reason for that error is because the role assignment failed, but I'll still be able to log in as that user. So, a good thing: Microsoft does actually implement authorization to some degree.

Sorry, this is a good time for me to take a drink. I almost feel like theme music should go while I have these going; I'm not singing for the crowd though, that would not be fun for anyone. But basically what we see here is the user I created, "a trusted friend". This is the easiest way to make friends, I can confirm that. I'm now logging in as that user onto the tenant that I just created, but they don't have a role associated with them, and because it's the first time I'm logging on as them I do have to reset their password. I made it secure, I promise; that's not the password either.

Cool. So, story of the logs: what do the logs tell us, do we get all the logical information? Okay, I could have gone with more groans, but you know, we try; I promise there's at least one more pun in my slides. So yeah, we see the main logs in a whole bunch of different places, and they're listed there; basically anywhere where there's audit logs for any party involved you can see them. So the logs you see above: basically I granted consent to an application, that's really great, and then if you expand them you actually get the useful information about who granted consent to what scope. So these logs are good, and I'm going through them quickly because they are good; you have everything you need in them. However, when we do stuff such as just creating a user, the logs get a bit worse. So you can see here that my application did perform some actions, it created a user, but then when I assigned a role to that user (and this is a different set of logs, because the role assignment actually worked) it actually defaults back to the global administrator who gave approval to the application, if you do it outside of Privileged Identity Management. Which I guarantee you right now, if a SOC sees that, they are rabbit-holing on the global admin, not the malicious application. So there are some misleading logs in these, and they can be hard to deal with, but if you know that this is actually what happened and you expand those logs and look into them, you can tie back that story. It just does become a lot harder, especially when the email you get says the User Administrator role was assigned to the malicious user by the global admin, not by the application. So a couple of red herrings that you'd have to deal with, which is why it's important to know that these are some of the niche cases people have to deal with. But yeah, so the logs are mostly there for this type of consent phishing, which is good to know.

And we can fix it. Not really; not realistically, not in big organizations. The easiest way is you only allow admins to review consent; however, if you have thousands of employees, that's thousands of consent requests they may have to review. It's not really realistic, so a better defense, as always for phishing, is user awareness. What most people will end up using is the middle one: it allows consent to verified applications and unverified applications within your own tenant. That way, if one of your users gets phished from an unverified application, you've already been compromised, so that's at least not the entry vector. And then the one you shouldn't use is the one at the bottom, which is the one I did use, which is allow anyone to consent to anything. Then, as I said, you can join the Microsoft Cloud Partner Program and you can go from being an unverified trustworthy application to having a nice blue tick that just makes everything a lot easier. I haven't looked into how hard this is to do; I imagine with Microsoft there's just a lot of documentation and it's not quite fun. It's easier for threat actors to actually just compromise people who have access. You just need your tenant to be verified itself and you need to have the ID of the partner you verified against when you create the application, and then it becomes verified. And then the most important one for all types of phishing is user knowledge, right? Reading consent prompts, knowing this exists and knowing this could be bad, and also knowing what to do when they make a mistake. We all make mistakes and we all mess up all the time, for me at least. So when you make a mistake, it's important that they know who to go to and who to talk to so that they can sort out the issue.

Right, so more practical uses for these kinds of attacks, explained in the theoretical context. So the obvious use case here, that I'm going to go over quite quickly, is just external phishing. We have an unverified application that we're trying to phish into a company with, and we have the specific scopes we want to use to get in. It's the most basic version of consent phishing, and it's the easiest to do as well. If you want to actually have a verified application, don't go through that whole process of signing up to Microsoft and all that stuff. Now I'm not saying you should do this, but if I was the threat actor I'd just compromise someone who's verified and use their tenant to phish in. You can also use third-party trust, making phishing a lot easier, because unfortunately we just don't trust strangers on the internet anymore; it's not like it used to be.

And then now we have a nice, very complicated attack scenario that I enjoy using. Right, so you've at this point compromised a web application; the web application was vulnerable to SQL injection, RCE, whatever you want it to be. You're sitting in the DMZ; the DMZ is well created, so you can't actually get into the corporate environment. But on the DMZ you're using an application that has a registration within Azure. You don't have access to Azure at this point, but there is an interesting thing Microsoft lets you do: you can add arbitrary scopes to the endpoint that you go to the consent prompts with, and you don't register those scopes anywhere. So what you can do, because you're sitting on the web app that receives the code back, which would also have the secret on it, is you can add arbitrary scopes to the link, and if you can get internal users to click that link, or external users who use this application, you can then gain whatever scopes those are. You can request the JWT as this application and you can use it as a stepping stone from a DMZ compromise into the Azure cloud network if you can't get onto the corporate network. And to be honest, this isn't really something they can fix easily, apart from having you assign the scopes to an application registration when you create it; I imagine that can get tricky with specific apps that have a lot of different functionality associated with them. But it's a nice pivot from DMZ onto a cloud environment when you're stuck on a red team engagement.

But, and this is the new part (so I did talk about this at 0xCon this year, and I did speed up that first half so that we can get to this part): now what if we could get admin scopes without admin consent? Right, that would be dumb, and Microsoft would never do something like that. Well, rather than make our own application, which is hard (then we have to get people to trust us, we have to think of really good names, which is actually one of the hardest parts of this, coming up with really good names for demos; "trustworthy domain" took me a while), what if we just impersonated an application? What if we took a legitimate application that's done all that hard work for us and we just impersonated that instead? Say, for example... oh, not that one. Before I tell you what that was (as you can see, I switched the slides around in my head), I'm going to give you guys some more background.

So do you remember how I said "confidential client application" is an important thing to note? So that's one of the flows we can go through that's more secure. It has a password; it exists for applications where the client side, or the side that's not requesting the JWT, is on a server that is controlled by a company, so it's trusted. The public flow is the other flow; that's when the application requesting the JWT is on a server not controlled by your company, it's client side, so it has to be untrusted. Right, so what is untrusted? Well, mobile applications are untrusted; in appsec we say everything client side is untrusted. Desktop apps are untrusted, and browserless APIs are untrusted. So all of these have to use the public client flow (sorry, it's a tongue twister there) rather than the confidential flow. And that is correct; this is actually correct and I fully agree with this. This is in the OAuth 2.0 spec: you can't have a password on the client side, because the client side is untrusted and any password you have there can eventually be compromised by an attacker. So this is the correct way of doing this, and once again we are using legitimate functionality and we're just using it for illegitimate means.

So the application I started to target, and because we're targeting Microsoft here, it's a desktop and a mobile application that has to authenticate, so it is Office 365, because I thought if I'm not a CEO yet I may as well learn how to use XO on PowerPoint. So this is a perfect one to target. Obviously it has to follow the public client flow (it's hard to keep saying that), because it's client side and it cannot be trusted. So this is correct, they did it correctly, but then they let you do it yourself. So the flow (okay, you can read that better than I can), so the flow we're going to follow here is: you make a request to Microsoft saying, "I want to onboard a mobile device," right? Microsoft says, "Sure thing, if you want to onboard a mobile device here's a unique code, put this code into the device login endpoint and then just confirm it's you." So you have to log in and go through MFA and all of that stuff, and then once you confirm it's you then they're like, "That's great, here's a JWT," right? Notice how there's no secret being involved here, there's no verification, and that's because there can't be, because we can't have a secret, because it's a client side application. And then once you get that JWT you can go and profit.

So here is another demo (here we go) of a script that I kind of wrote, manipulated, made to do what I wanted it to do. I will be releasing this in the next couple of weeks. But basically we go to the device logon endpoint here, we take the code that was given to us by Microsoft, we pass it to that endpoint and we log in as the J Frederickson user. Now we can see here (can I pause this? I can pause this) this is very important, right: "Are you trying to sign into Microsoft Office?" Yes I am. And if I'm IT and I call up a user and I say, "Hey, your Microsoft Office, does it feel slow to you? Or is your Wi-Fi feeling a bit slow today?" It's always feeling slow to users, so they'll say yes, and we can fix it this way. And then when I press play we continue, because we're trying to sign into Microsoft Office: "Thank you for signing in," and you'll see on the left a full JWT comes out. I was polling Microsoft in the background to get that JWT, and then we pop that into jwt.io. This isn't really client confidential so I can't put it there. I did consider not putting this part in just because I thought I'd get some flak for it, but we get some really interesting scopes here. Okay, it's easier to read here. So here we can see all the scopes I have listed, and on the next slide we can actually see them easily. So these are all the scopes we get, and these are all the admin scopes we get; every scope on the right (got to check, left, right) requires admin approval, right? So you've got really, really bad scopes to get, like Directory.Read.All, Files.Read.All, but all of these scopes make sense for Office to have, right? Office needs to be able to read your files, it needs to be able to read your emails, it needs to write to them as well. And this looks really bad, and I'm trying to make it look very bad, but it's actually not as bad as it seems. It's still bad. You're not all-powerful, right? You can do what Microsoft Office does, but Microsoft Office can't do everything; it can't create users, for example. So even though you have access to specific scopes, Office itself is not authorized to perform API calls on those scopes, so you do need to plot out a path of functionality that Microsoft Office can use to further compromise the tenant you're targeting. However, you can do what Microsoft Office can do, which is a lot, right? It's got Excel, it's got PowerPoint, it's got Word, and those are three applications that have file formats with macros that you can then change to suit your own personal needs. So it's a give and a take, right? They have to use the public client authentication flow because this is to spec, but it does allow more attack surface here.

One note that I forgot to mention when going through that flow is the code's only valid for 15 minutes. That does make social engineering harder, because we will have to talk to people, which I know none of us like to do. But rather than sending an email and hoping that they're going to get back to you within 15 minutes, most likely you have to be there physically or you have to give them a nice phone call, and then you say, "Hi, your IT team said you have Word problems." But in those 15 minutes you can gain access to some very important scopes. The biggest difference, I would say, using this versus using the first attack that I showed the team is the fact that you can control shared files, right? And the reason that's important is because, remember how I said Microsoft does authorization? They do it, and they do it properly, so you can't grant permission over other people's files; you can't grant control over that with your consent even if you have control over it, because you don't own the file. If you're Office you can grant control over it, if you have that level of privileges, even if it's owned by someone else, because Office can do that; it has that functionality and it can perform the actions. So it's very useful, based on your attack path, to know that this exists and to know that you can use it, or abuse it.

Right, so now we have another story of the logs, right? I wouldn't make the same joke twice; sorry, I think I'm funny as well. So do we get useful logs? No. That's what we get, that's it. We get a logon, because you're logging on; that's all we have, right? The indicators of compromise you may have here as a SOC are IP address and location. It says you logged on; it says you logged on as a user who logged on, and you logged on to Microsoft 365. It's exactly what we did, it's legitimate functionality. It is impossible to point at this as an entry point of compromise into a tenant, because if the attacker is smart and your users, say, work from home and go to coffee shops, you're never really going to know if this is them at a coffee shop or if this is the attacker. So there aren't logs for this one, and it's really difficult to actually get through. I don't have a solution for this; I was shocked when there was only one log. It's not great, but also this is hard phishing to do, and that's why it's really important to have user awareness for those kinds of things: to know that they shouldn't just randomly log into Microsoft endpoints, and when someone calls them and says, "Hey, I'm IT, to fix Office," please just verify that it is actually IT.

And is there a fix? No, not really, there's not one either. This is legitimate Microsoft functionality; this is how you log on to Word. In a hybrid cloud environment you can't fix it because you have to have on-prem stuff, and if you want your users to have downloaded Word on their computer you can't fix it, because Microsoft won't trust client-side computers, because they shouldn't. And even if you are in a full cloud environment, you'd have to fully ban authenticating to Word from physical devices for that to work. Now I really want you to sell that to the C-suite, and I really want you to sell that with me there, telling them they can't download Word or Excel and can't really do the work they need to do like that, especially because online Microsoft Office is not as good as downloaded, at least in my opinion. Yeah, so basically there isn't really a remediation either. So I mean, it's not good news.

Now, how does this compare? Well, the social engineering is a bit harder than the initial attack is, because you have a time limit. What I would do if I was a black hat hacker is I would start a repartee with my friend, maybe he's in marketing, and I'd email back and forth for a bit, and then I would call them and be like, "Hey, can you put this code in?" and then I would phish them like that, because that's just easier to get them to do it. Cold calling people doesn't sound particularly fun or easy; also I'm just trying to limit how much I talk to other people. And if successful, this attack is extremely difficult to detect, especially if you're in the same region. However, you're limited: you can't just use this attack to go and pwn their entire Azure environment. You can perform actions within the restrictions of the Microsoft Office 365 permissions, right? So even though you have the scopes, you can't perform all those actions. So this only becomes really bad if you have an attack path you think, or you know, will work using Microsoft Office functionality. Now that's not impossible; say, for example, people use Excel documents that they download off the internet with macros enabled on them, they click past Mark of the Web, and then you've got that working. It's still hard, right? You still have to get there, you still have to find those documents, you still have to change the macros, you still have to get them to download it again, and people who use those documents don't always like downloading them all the time and clicking through a consent prompt. It's really hard phishing, but it's important to know that this is there, right? And this is in spec as well; this is how you're meant to be doing it. It's just that not every spec can cater for security as well as other specs can, right? You can't hold a password client side, because that will eventually get compromised. We have a talk a bit later by Connor, who is really good at just breaking mobile apps, because that's his job; so if you want to know more about why not to hold passwords client side, I would recommend talking to him.

So does this make the world burn? No, not this; other reasons the world's burning, but not this one. Consent phishing exists; it's important to know it exists, it can be exploited, it has been exploited in the wild against companies, and it can be bad, because it's like any other type of phishing. It's not necessarily going to easily give you network access to their on-prem servers, but with every company moving into the cloud I do think that this is likely to be on the rise in the future. But the important thing to note for consent phishing, and the thing that really matters to me for defense here, is, one, user awareness, knowing applications can be malicious; but two is the verified badge we saw. Now Microsoft isn't the best example of this, because they just have a nice little blue tick saying you're verified or unverified, but warning users when an application may be risky or dangerous is very important. Google has a full page that says "Don't trust this application," which is very hard to actually phish through. So that kind of balance between that verification, and that checking of an application to make sure that it is or isn't verified, is or isn't trustworthy, is really where the defenses for consent phishing, for me at least, come in, on top of the more technical defenses, right? So not allowing anyone to consent to anything, allowing some people to consent to verified things. Yeah, so is the world burning? No, but this does exist and it can be exploited and is being exploited, so it's worthwhile to keep this in mind when you're on a red team engagement and when you're teaching your users about phishing.

Do you have any questions? Did I explain this... oh damn, I was going to explain it perfectly. Go for it.

The first one, no; the second one, I don't... no, I've tested the second one against production tenants for companies and it's worked fine every time. Yeah, the first one I haven't; yeah, I'll look into it. Yeah, anyone else?

No, the code is valid for 15 minutes, so when you make the request to Microsoft you have to get them to input that code within 15 minutes. Okay, and once you've got your session then it's normal. Yeah, anyone else? Three, two, one, and we're done. Cool, thanks everyone. [Applause]
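The "story of the logs" section makes a point a SOC analyst should be able to operationalise: the consent grant itself is logged well, the user the app creates is attributed to the app, but a role assignment the app performs outside Privileged Identity Management is attributed to the global admin who approved the app. The script below is an added example, not the speaker's code or any Microsoft tooling. It walks a constructed list of audit events shaped like Entra audit log entries (activityDisplayName, initiatedBy, targetResources, modifiedProperties; the exact property names ConsentContext.IsAdminConsent and ConsentAction.Permissions are my reading of the audit log schema, and the values in the sample are simplified) and, for every "Consent to application" event, gathers what the app did in the following window and any role assignments the approving admin apparently made to a user that app had just created, so the analyst is pointed at the application rather than rabbit-holing on the admin. Names, timestamps and the example.test UPN are constructed.

```python
"""Tie role assignments back to the consented application (added example).

Not the speaker's code. Correlates Entra-style audit events so that a role
assignment logged under the approving admin, shortly after the admin consented
to an app that then created the target user, is surfaced next to that app.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Property names follow the Entra
# audit log shape as I understand it; ConsentAction.Permissions is simplified.
SAMPLE_EVENTS = [
    {"activityDateTime": "2023-11-01T09:00:00Z",
     "activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "jfrederickson@example.test"}},
     "targetResources": [{"displayName": "trustworthy application", "type": "ServicePrincipal",
                          "modifiedProperties": [
                              {"displayName": "ConsentContext.IsAdminConsent", "newValue": "True"},
                              {"displayName": "ConsentAction.Permissions",
                               "newValue": "Directory.ReadWrite.All"}]}]},
    {"activityDateTime": "2023-11-01T09:03:10Z",
     "activityDisplayName": "Add user",
     "initiatedBy": {"app": {"displayName": "trustworthy application"}},
     "targetResources": [{"displayName": "a trusted friend", "type": "User"}]},
    # The app assigned the role, but the log names the approving admin (per the talk).
    {"activityDateTime": "2023-11-01T09:03:12Z",
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "jfrederickson@example.test"}},
     "targetResources": [{"displayName": "a trusted friend", "type": "User"},
                         {"displayName": "User Administrator", "type": "Role"}]},
    # Unrelated admin activity the next day; must not be attributed to the app.
    {"activityDateTime": "2023-11-02T14:00:00Z",
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "jfrederickson@example.test"}},
     "targetResources": [{"displayName": "someone else", "type": "User"},
                         {"displayName": "Global Reader", "type": "Role"}]},
]


def _when(event):
    return datetime.strptime(event["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def _initiator(event):
    """('app', name) when a service principal acted, else ('user', UPN)."""
    by = event["initiatedBy"]
    if by.get("app"):
        return "app", by["app"]["displayName"]
    return "user", by["user"]["userPrincipalName"]


def _targets(event, kind):
    return [t["displayName"] for t in event["targetResources"] if t["type"] == kind]


def _property(event, name):
    for target in event["targetResources"]:
        for prop in target.get("modifiedProperties", []):
            if prop["displayName"] == name:
                return prop.get("newValue", "")
    return ""


def correlate_consents(events, window=timedelta(minutes=30)):
    """One finding per consent grant: the app's own actions within the window,
    the users it created, and role assignments to those users that the log
    attributes to the admin who granted the consent."""
    findings = []
    for consent in events:
        if consent["activityDisplayName"] != "Consent to application":
            continue
        app = _targets(consent, "ServicePrincipal")[0]
        _, granted_by = _initiator(consent)
        start = _when(consent)
        app_actions, created_users, admin_role_events = [], [], []
        for event in events:
            if event is consent or not (start <= _when(event) <= start + window):
                continue
            kind, name = _initiator(event)
            if kind == "app" and name == app:
                app_actions.append(event["activityDisplayName"])
                if event["activityDisplayName"] == "Add user":
                    created_users.extend(_targets(event, "User"))
            elif (kind == "user" and name == granted_by
                  and event["activityDisplayName"] == "Add member to role"):
                admin_role_events.append(event)
        suspect = [(user, role)
                   for event in admin_role_events
                   for user in _targets(event, "User")
                   for role in _targets(event, "Role")
                   if user in created_users]
        findings.append({
            "app": app,
            "granted_by": granted_by,
            "admin_consent": _property(consent, "ConsentContext.IsAdminConsent").lower() == "true",
            "permissions": _property(consent, "ConsentAction.Permissions"),
            "app_actions": app_actions,
            "created_users": created_users,
            "suspect_role_assignments": suspect,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate_consents(SAMPLE_EVENTS):
        print(finding)
```

The window is the design choice worth arguing about: too short and a patient app that waits a day before assigning roles slips through, too long and every legitimate role change the admin makes is dragged into the finding. Keying the suspect list on users the app itself created keeps the false positives down regardless of the window.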