'Dupe' there it is: SAML authentication bypass threatens Microsoft
Micro Focus security researchers demonstrated a new technique, dubbed 'dupe key confusion,' which allows threat actors to bypass Microsoft's SAML token validation.
LAS VEGAS -- Security researchers unveiled SAML authentication bypasses that threaten key Microsoft technologies and could allow threat actors to take over accounts or gain access to Exchange servers.
In a Black Hat 2019 session titled, "SSO Wars: The Token Menace," researchers from Micro Focus Fortify introduced a new technique Wednesday that exploits a vulnerability in Microsoft's implementation of Security Assertion Markup Language (SAML), a protocol used by many identity providers for single sign-on. The technique undermines SAML authentication in Microsoft's .NET Framework, as well as in its Windows Identity Foundation and Windows Communication Foundation.
The vulnerability, which was disclosed and fixed last month in Microsoft's Patch Tuesday, allows a malicious actor to sign a SAML authentication token with an arbitrary symmetric key. Alvaro Munoz, principal software security researcher at Micro Focus Fortify, said during the session that the vulnerability, CVE-2019-1006, had serious implications since it could allow an attacker to impersonate a user.
"There are multiple formats for authentication tokens," Munoz said. "All of them share some attributes and some properties, and the most important one is the signature. If we don't sign the authentication token, then anyone can change the token and use it, or an attacker in the middle can change the properties or attributes of the authentication token and just become anyone in the target system."
The technique, which the researchers called "dupe key confusion," enables an attacker to break XML signature validation in SAML by either modifying an existing token or creating a new one from scratch and signing an SAML assertion with the attacker's own symmetric key. Munoz explained the heart of the problem lies with how Microsoft uses two different methods to process the </KeyInfo> section of a SAML token; if each method returns a different key, then validation of the token can be bypassed.
Munoz, along with fellow Micro Focus Fortify security researcher Oleksandr Mirosh, detailed several attack scenarios in which malicious actors could use dupe key confusion to take over Microsoft accounts or gain access to Microsoft Exchange, SharePoint or Office 365 deployments.
Munoz said the research is not meant to suggest that SAML is an insecure protocol. "In this case, it's a design flaw in the implementation, specifically in the .NET implementation of the XLM signature verifiers," he said.
The research team released a plugin tool on GitHub called DupeKeyInjector, which is designed to detect exploitation of the vulnerability. Munoz said it's possible the XML signature problem may exist in other SAML implementations.
An executive at a security startup specializing in authentication, who wished to remain anonymous, said Micro Focus' research was "concerning" because it revealed problems with Microsoft's SAML implementation. The executive said he planned to inform clients immediately of the dupe key confusion technique and advise them to patch immediately if they had not already done so.
In addition to the SAML authentication bypass, the session demonstrated a technique that used another vulnerability discovered by the Micro Focus researchers that also affects .NET. The technique allows possible denial-of-service attacks or remote-code execution on .NET applications such as SharePoint. The vulnerability, CVE-2019-1083, was also disclosed and patched by Microsoft last month.