wiz-sec / open-cvdb

An open project to list all publicly known cloud vulnerabilities and CSP security issues
https://cloudvulndb.org
Creative Commons Attribution 4.0 International

Evaluate addition of AzureAD SAML Persistence #128

Open 0xdabbad00 opened 1 year ago

0xdabbad00 commented 1 year ago

https://www.secureworks.com/research/azure-active-directory-flaw-allowed-saml-persistence

I don't have a good understanding of the issue here. It seems that the requirement for the attacker is to have existing privileges to create a SAML app in the victim's Azure AD, which seems like they must be an admin as a requirement to perform this. Then, they could have created a backdoor for themselves to other SAML apps (which seem to have additional constraints). Given the requirements this seems low severity, but I'm having such a hard time trying to understand this that I'm not even clear if there is a security issue here at all.

liorwiz commented 1 year ago

From my understanding, the attacker needs the following privileges inside the compromised AAD tenant:

The existing SAML app (which is a service principal after all) might have highly privileged permissions in AAD/ARM, thus even if a legit admin has removed the compromised user from the app "access list" the attacker might still access it via the backdoor app and execute highly privileged APIs (because it has granted it delegated permission to access the SAML app).

Hope it makes sense.
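The persistence the thread describes hinges on a delegated permission grant from a second app onto the SAML app's service principal, which is not undone by removing a user from the SAML app's assignment list. The script below is an added review helper written for this thread, not part of open-cvdb or the Secureworks write-up: it walks a set of grant records shaped like Microsoft Graph `oauth2PermissionGrant` objects (`clientId`, `consentType`, `principalId`, `resourceId`, `scope`) and flags any grant whose resource is a SAML-federated service principal but whose client is not on an approved list. All ids, the SAML app inventory and the approved-client list are constructed; in a real tenant the records would come from `GET /oauth2PermissionGrants`.

```python
"""Flag delegated permission grants onto SAML-federated service principals
from client apps that are not on the tenant's approved list.

Hypothetical review helper added for this discussion; not project code.
Records are constructed and mimic the shape of Microsoft Graph
oauth2PermissionGrant objects.
"""
from dataclasses import dataclass

# Constructed inventory: service principal ids of SAML-federated enterprise apps.
SAML_APP_SPS = {
    "sp-hr-saml": "HR Portal (SAML)",
    "sp-fin-saml": "Finance Portal (SAML)",
}

# Constructed allow-list: client service principals that are expected to hold
# delegated grants on those SAML apps (e.g. a vetted provisioning tool).
APPROVED_CLIENTS = {"sp-provisioning-tool"}

# Constructed grant records, shaped like Graph oauth2PermissionGrant objects.
# consentType "AllPrincipals" is tenant-wide admin consent; "Principal" is a
# grant on behalf of the single user in principalId.
GRANTS = [
    {"id": "g1", "clientId": "sp-provisioning-tool", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-hr-saml", "scope": "user_impersonation"},
    {"id": "g2", "clientId": "sp-unknown-app", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-hr-saml", "scope": "user_impersonation"},
    {"id": "g3", "clientId": "sp-unknown-app", "consentType": "Principal",
     "principalId": "user-42", "resourceId": "sp-fin-saml", "scope": "user_impersonation"},
    {"id": "g4", "clientId": "sp-unknown-app", "consentType": "Principal",
     "principalId": "user-7", "resourceId": "sp-mail-api", "scope": "Mail.Read"},
]


@dataclass(frozen=True)
class Finding:
    grant_id: str
    client: str
    resource: str
    tenant_wide: bool
    scope: str


def suspicious_grants(grants, saml_sps=SAML_APP_SPS, approved=APPROVED_CLIENTS):
    """Return grants whose resource is a SAML app SP and whose client is not approved.

    Tenant-wide grants are listed first: they keep working for every user and are
    unaffected by removing any single user from the SAML app's assignment list.
    """
    findings = []
    for g in grants:
        if g["resourceId"] not in saml_sps:
            continue  # grant targets something other than a SAML app; out of scope here
        if g["clientId"] in approved:
            continue  # expected integration
        findings.append(Finding(
            grant_id=g["id"],
            client=g["clientId"],
            resource=g["resourceId"],
            tenant_wide=(g["consentType"] == "AllPrincipals"),
            scope=g["scope"],
        ))
    findings.sort(key=lambda f: (not f.tenant_wide, f.grant_id))
    return findings


if __name__ == "__main__":
    for f in suspicious_grants(GRANTS):
        kind = "TENANT-WIDE" if f.tenant_wide else "per-user"
        print(f"{f.grant_id}: {f.client} -> {SAML_APP_SPS[f.resource]} "
              f"[{kind}] scope={f.scope}")
```

The grant in `g4` is ignored because its resource is not a SAML app; `g1` is ignored because the client is approved. The remaining two are the ones worth reviewing, and the tenant-wide one is ordered first because it is the case the thread is about: the backdoor client keeps its access regardless of which users are later unassigned from the SAML app.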