SpecterOps / BloodHound

Six Degrees of Domain Admin
https://bloodhoundenterprise.io/
Apache License 2.0

Bug: Bloodhound CE: Edge AZResetPassword to owners of groups with high-tier role assignments #944

Open zh54321 opened 1 week ago

zh54321 commented 1 week ago

Description:

The edge AZResetPassword is created between a low-tier admin role and the owner of a group which has a high-tier admin role assigned.

Are you intending to fix this bug?

No.

Component(s) Affected:

BloodHound Edge

Steps to Reproduce:

  1. Create a role-assignable group
  2. Assign the role privileged authentication administrator to it (active assignment)
  3. Create a user and add him as the owner of the group created in step 1
  4. Create another user and assign him the role user administrator (active assignment)
  5. Collect the data with AzureHound and import it
  6. Check paths between the user created in step 4 and the role privileged authentication admin

Expected Behavior:

The edge should not be created.

Actual Behavior:

Screenshots/Code Snippets/Sample Files:

According to BloodHound a User Administrator can reset the password of a user who owns a group with a privileged role assignment: [screenshot 3_1]

However, a low-tier admin (for example a User Administrator) can't reset the password of users who are related to high-privileged roles: [screenshot 3_2]

Microsoft also protects not only the members of the group who have a privileged role but also the owners. Therefore, the edge is wrong: [screenshot 3_3]

Source: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/privileged-roles-permissions?tabs=admin-center#who-can-reset-passwords

Environment Information:

Bloodhound CE: 6.1.0
Neo4j: 4.4.38
PostgreSQL: 16.4 (Debian 16.4-1.pgdg120+2)
GraphDB version: v6.1.0
API Version: v6.1.0
AzureHound: v2.2.1

Potential Solution (optional):

BloodHound already does not create the edges for members of the privileged group. The same checks should be implemented for the owners.

Contributor Checklist:
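The rule the report asks for, modelled as a small added example (this is illustrative code, not BloodHound's or AzureHound's own edge post-processing): a low-tier password-admin role gets an AZResetPassword edge to a user only if that user is not protected, and "protected" covers direct holders of a privileged role, members of a role-assignable group that holds one, and, the case the issue says is missing, owners of such a group. The role names in the two sets, the `Tenant` structure and the `build_repro_tenant` data (mirroring the reproduction steps above) are assumptions for illustration.

```python
"""Added example: AZResetPassword edge derivation with owner protection."""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: trimmed role lists for illustration, not the full Entra ID tables.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Authentication Administrator",
}
LOW_TIER_PASSWORD_ADMINS = {
    "User Administrator",
    "Helpdesk Administrator",
    "Password Administrator",
}


@dataclass
class Tenant:
    """Minimal directory snapshot; every user appears in user_roles (maybe with no roles)."""
    user_roles: dict[str, set[str]]    # user -> active role assignments
    group_roles: dict[str, set[str]]   # role-assignable group -> active role assignments
    group_members: dict[str, set[str]]
    group_owners: dict[str, set[str]]


def protected_users(t: Tenant, include_owners: bool = True) -> set[str]:
    """Users that a low-tier admin must not get a password-reset edge to.

    include_owners=False reproduces the behaviour the issue reports (only
    direct holders and group members are protected); True adds group owners.
    """
    protected = {u for u, roles in t.user_roles.items() if roles & PRIVILEGED_ROLES}
    for group, roles in t.group_roles.items():
        if not roles & PRIVILEGED_ROLES:
            continue
        protected |= t.group_members.get(group, set())
        if include_owners:
            protected |= t.group_owners.get(group, set())
    return protected


def reset_password_edges(t: Tenant, include_owners: bool = True) -> set[tuple[str, str]]:
    """Return (source, target) pairs that would become AZResetPassword edges."""
    protected = protected_users(t, include_owners)
    edges: set[tuple[str, str]] = set()
    for src, roles in t.user_roles.items():
        if not roles & LOW_TIER_PASSWORD_ADMINS:
            continue
        for dst in t.user_roles:
            if dst != src and dst not in protected:
                edges.add((src, dst))
    return edges


def build_repro_tenant() -> Tenant:
    """Constructed data following the issue's reproduction steps (all names hypothetical)."""
    return Tenant(
        user_roles={
            "useradmin": {"User Administrator"},   # step 4
            "owner": set(),                        # step 3: owns the privileged group
            "member": set(),                       # member of the same group
            "plainuser": set(),                    # ordinary user, legitimately resettable
        },
        group_roles={"priv-auth-group": {"Privileged Authentication Administrator"}},  # steps 1-2
        group_members={"priv-auth-group": {"member"}},
        group_owners={"priv-auth-group": {"owner"}},
    )


if __name__ == "__main__":
    tenant = build_repro_tenant()
    print("reported behaviour:", sorted(reset_password_edges(tenant, include_owners=False)))
    print("with owner check:  ", sorted(reset_password_edges(tenant)))
```

Running it shows the (useradmin, owner) edge present only when owners are left out of the protected set; the edge to the plain user survives in both runs, so the fix removes only the false positive.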