Open 0xdabbad00 opened 1 year ago
From my understanding, the attacker needs the following privileges inside the compromised AAD tenant:
The existing SAML app (which is a service principal after all) might have highly privileged permissions in AAD/ARM. Thus, even if a legit admin has removed the compromised user from the app's "access list", the attacker might still access it via the backdoor app and execute highly privileged APIs (because it has been granted delegated permission to access the SAML app).
Hope it makes sense.
https://www.secureworks.com/research/azure-active-directory-flaw-allowed-saml-persistence
I don't have a good understanding of the issue here. It seems that the requirement for the attacker is to have existing privileges to create a SAML app in the victim's Azure AD, which seems like they must be an admin as a requirement to perform this. Then, they could have created a backdoor for themselves to other SAML apps (which seem to have additional constraints). Given the requirements this seems low severity, but I'm having such a hard time trying to understand this that I'm not even clear if there is a security issue here at all.
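As an added, defender-side illustration of the pattern the thread describes (a second app holding a delegated permission grant onto a privileged SAML app, which survives removing the user from the SAML app's access list), this script reviews delegated grants and flags every one whose resource is a SAML-configured service principal. It is not code from the issue or from the Secureworks post; the records are constructed inline and only shaped like Microsoft Graph `servicePrincipal` and `oauth2PermissionGrant` objects.

```python
"""Added example: list delegated permission grants whose resource is a
SAML service principal. Sample records are constructed and merely shaped
like Graph servicePrincipal / oauth2PermissionGrant objects (field names
id, displayName, preferredSingleSignOnMode, clientId, resourceId,
consentType, scope); nothing here queries a real tenant."""
from typing import Dict, List

# Constructed service principals: a privileged SAML app, an ordinary app,
# and a newly created helper app playing the role of the backdoor client.
SERVICE_PRINCIPALS: List[Dict] = [
    {"id": "sp-hr", "displayName": "HR Portal", "preferredSingleSignOnMode": "saml"},
    {"id": "sp-wiki", "displayName": "Wiki", "preferredSingleSignOnMode": None},
    {"id": "sp-new", "displayName": "Helper App", "preferredSingleSignOnMode": None},
]
# Constructed delegated grants: who (clientId) may act against what (resourceId).
GRANTS: List[Dict] = [
    {"clientId": "sp-new", "resourceId": "sp-hr", "consentType": "AllPrincipals", "scope": "user_impersonation"},
    {"clientId": "sp-new", "resourceId": "sp-wiki", "consentType": "Principal", "scope": "read"},
    {"clientId": "sp-wiki", "resourceId": "sp-hr", "consentType": "Principal", "scope": "read"},
]


def saml_app_ids(sps: List[Dict]) -> set:
    """Ids of service principals configured for SAML single sign-on."""
    return {sp["id"] for sp in sps if sp.get("preferredSingleSignOnMode") == "saml"}


def find_backdoor_grants(sps: List[Dict], grants: List[Dict]) -> List[Dict]:
    """Return grants whose resource is a SAML app, i.e. some other service
    principal holds delegated access to it. Tenant-wide (AllPrincipals)
    consent is listed first because it does not depend on any one user."""
    saml, names = saml_app_ids(sps), {sp["id"]: sp["displayName"] for sp in sps}
    findings = []
    for g in grants:
        if g["resourceId"] not in saml:
            continue  # delegated access to a non-SAML app is out of scope here
        findings.append({
            "client": names.get(g["clientId"], g["clientId"]),
            "resource": names[g["resourceId"]],
            "scope": g["scope"],
            "tenant_wide": g["consentType"] == "AllPrincipals",
        })
    findings.sort(key=lambda f: (not f["tenant_wide"], f["client"]))
    return findings


if __name__ == "__main__":
    for f in find_backdoor_grants(SERVICE_PRINCIPALS, GRANTS):
        kind = "TENANT-WIDE" if f["tenant_wide"] else "per-user"
        print(f"{kind}: {f['client']} -> {f['resource']} ({f['scope']})")
```

In a real review the two lists would come from the tenant's service principal and delegated-grant inventories; a grant from an app nobody recognises onto a SAML app is the thing to investigate.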