Coding Stephan

Hiding in plain Graph, an issue with Azure AD Audit log

The audit log in Azure AD is super important. If I were an attacker who got access to some tenant, I would make sure my details did not show up in there; I would probably use a VPN or Tor of sorts just to hide my tracks. But what if I told you that the Microsoft Graph API already covers your tracks for you?

Not my IP showing in the audit log

What did I find?

I was trying to trick Azure AD into giving me a token for some internal Microsoft API (My Apps needs a Graph endpoint!), and that involved creating a service principal for the resource application (My Apps). This application could then be selected in the API permissions of my new Teams app.

My Apps in API permissions

Creating that service principal for an existing application is a matter of executing a few lines of PowerShell (after you have imported the module and logged in).

# Install the Graph PowerShell module once (or import it if it is already installed)
Install-Module Microsoft.Graph.Applications -Scope CurrentUser
# or Import-Module Microsoft.Graph.Applications

# Creating a service principal is a write: POST /servicePrincipals needs the
# Application.ReadWrite.All delegated permission (Application.Read.All alone is denied).
Connect-MgGraph -Scopes "Application.ReadWrite.All"

# AppId of the existing, Microsoft-owned My Apps application to instantiate in this tenant
$body = @{
  "AppId" = "2793995e-0a7d-40d7-bd35-6968ba142197"
}
New-MgServicePrincipal -BodyParameter $body

This script executed correctly, and now I was able to select this API in the API permissions screen. To check whether everything went as expected, I checked the audit log, only to find out that this action had been executed from an IP that was unknown to me.

Service principal created from 20.190.160.25

Hiding in plain Graph (VULN-102672)

As it turns out, the Graph API was effectively hiding the caller's IP address from the audit log. For something as important as creating a service principal, that should not happen. I named this bug Hiding in plain Graph, since it is the Graph API that does the hiding of the IP.

As any sensible security enthusiast would, I created a reproducible bug report, VULN-102672, at the Microsoft Security Response Center on June 7th, 2023, and today I got a message that they are fixing the issue.

Graph API is a big reverse proxy

As an outsider, I have no actual knowledge of how this works at Microsoft, so this statement is based solely on my outside observations and prior experience with APIs.

The Graph API (which the above PowerShell script uses), is effectively a giant reverse proxy for all those backend services at Microsoft. If you call /me/calendar/... your request is forwarded to some internal Exchange Server. And if you call POST /serviceprincipals your request is probably forwarded to the internal “Azure AD API”.

That internal API should not record the IP of the Graph API server that is forwarding the request (20.190.160.25 in this case); it should instead log the client IP, which a reverse proxy normally passes along in the X-Forwarded-For HTTP header.

The internal API should not accept requests from unknown sources, or it should at least ignore the X-Forwarded-For header when the request did not arrive from a known proxy. In ASP.NET Core this is handled by adding the proxy's address to KnownProxies (or KnownNetworks) in ForwardedHeadersOptions before calling UseForwardedHeaders. Be sure to read the security concerns documented for this header: if the header is trusted blindly, anything a client writes into it ends up in the log as the client's IP.
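To make the forwarded-header handling concrete, here is an added example (my code, not the author's and not Microsoft's) that models in Python what ASP.NET Core's forwarded-headers middleware does with KnownProxies and ForwardLimit: a naive resolver that believes X-Forwarded-For blindly, next to a hardened one that only honours the header while the hop that appended it is a known proxy. The trusted range 20.190.160.0/24 and the client addresses are constructed for the example; only 20.190.160.25 comes from the post.

```python
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed trusted-proxy list: the only hops allowed to set X-Forwarded-For.
# 20.190.160.25 is the address seen in the post's audit log; the /24 around it
# is a made-up range for this example.
TRUSTED_PROXIES = [ip_network("20.190.160.0/24")]


def is_trusted_proxy(addr: str) -> bool:
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Weak: whatever is leftmost in X-Forwarded-For becomes 'the client'.
    Any caller can set this header, so any caller chooses what gets logged."""
    if xff and xff.strip():
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr: str, xff: Optional[str], forward_limit: int = 1) -> str:
    """Hardened: start from the TCP peer and walk X-Forwarded-For right to left,
    stepping past an address only while the hop that appended it is a trusted
    proxy, and at most `forward_limit` times (ASP.NET Core's default is 1).
    A header sent by an untrusted peer is ignored entirely."""
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    client = remote_addr
    steps = 0
    while hops and steps < forward_limit and is_trusted_proxy(client):
        candidate = hops.pop()  # rightmost entry was appended by the nearest proxy
        try:
            ip_address(candidate)
        except ValueError:
            break  # malformed entry: keep the last verified hop
        client = candidate
        steps += 1
    return client


def audit_record(action: str, remote_addr: str, xff: Optional[str]) -> dict:
    """What the backend should write: the resolved client plus the peer that
    forwarded it, so the entry stays useful even when the header is absent."""
    return {
        "action": action,
        "client_ip": client_ip(remote_addr, xff),
        "forwarded_by": remote_addr if is_trusted_proxy(remote_addr) else None,
    }


if __name__ == "__main__":
    # Real client 203.0.113.10 behind the Graph front end; header appended by the proxy.
    print(client_ip("20.190.160.25", "203.0.113.10"))                  # 203.0.113.10
    # Client smuggles its own header; the proxy appends the true address on the right.
    print(naive_client_ip("20.190.160.25", "1.2.3.4, 203.0.113.10"))   # 1.2.3.4 (spoofed)
    print(client_ip("20.190.160.25", "1.2.3.4, 203.0.113.10"))         # 203.0.113.10
    # Direct caller pretending to be behind a proxy: header is ignored.
    print(client_ip("198.51.100.7", "203.0.113.10"))                   # 198.51.100.7
    # The bug in the post: header missing or not read, so the proxy itself is logged.
    print(audit_record("Add service principal", "20.190.160.25", None))
```

The last case is the one the audit log screenshot shows: when the forwarding hop does not pass the header, or the backend does not read it, the only address left to log is the proxy's. Recording the forwarding peer alongside the resolved client at least makes that failure visible instead of silently attributing the action to Microsoft's own address space.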

Reporting security bugs

Microsoft wants everyone who finds bugs to report them at the Microsoft Security Response Center, they even have a bounty program for some of their products.

If you ever find a bug and want to report it, make sure you attach at least some easy steps to reproduce it and a clear description of the issue. In my case I attached an easy-to-run PowerShell script and outlined the exact issue.

No bounty

I did report this issue to Microsoft, but they think this issue was not eligible for a bounty. What do you think? Is an incorrect audit log a serious issue?

This report was marked as out of scope as the issue was rated as a low severity, defense in depth. Only cases rated as important or critical severity are eligible for awards. Additionally, defense in depth is not an eligible security impact for the Identity Bounty program.

Audit log

Why audit logs matter: in a digital landscape where security breaches and unauthorized access attempts are a constant threat, a robust audit log is paramount. Here is why the audit log in Azure AD is an indispensable tool for maintaining the security and compliance of your organization's identity and access management.

  1. Security Monitoring: Protecting Your Digital Fortress

    In a world where security breaches can wreak havoc on an organization’s reputation and finances, security monitoring is crucial. The Azure AD audit log acts as a watchful guardian, recording every significant event related to user authentication, resource access, and configuration changes. By harnessing the power of the audit log, your security team can promptly identify and investigate potential security breaches and thwart unauthorized access attempts.

  2. Compliance and Governance: Keeping the Regulators Happy

    Regulatory frameworks demand strict adherence to security and privacy standards. Failure to comply can result in severe consequences for your organization. The Azure AD audit log plays a pivotal role in meeting these requirements. With its comprehensive record of user activities, you can easily track resource access, manage user privileges, and generate compliance audit reports. Stay one step ahead by leveraging the power of the audit log to demonstrate your commitment to security and governance.

  3. Incident Response and Forensics: Unveiling the Truth

    When an incident occurs or suspicions arise, you need to act swiftly. The Azure AD audit log becomes an invaluable resource during incident response and forensic investigations. By meticulously examining the log entries, you can reconstruct the sequence of events, assess the impact, and uncover the root cause. Armed with this information, you can effectively remediate the incident and fortify your defenses against future threats.

  4. User Accountability and Monitoring: Who Did What?

    Accountability is key in maintaining a secure environment. The Azure AD audit log allows you to keep a watchful eye on user activities, revealing who accessed critical resources, made configuration changes, or performed administrative actions. By promoting user accountability, you create a culture of responsibility and discourage unauthorized actions.

  5. Troubleshooting and Performance Monitoring: Smooth Sailing Ahead

    Smooth operations are essential for any organization. When issues arise, the Azure AD audit log is your go-to troubleshooter. It offers valuable insights into system behavior, helping administrators identify and resolve issues promptly. With this wealth of information, you can optimize your Azure AD environment and ensure top-notch performance.

Conclusion

Organizations need the audit log to represent what actually happened, with the correct details in place. Not having the actual IP of the user who executed this highly privileged request in the audit log is worrying, because the real IP is what makes events easy to correlate. Maybe you can even use Sentinel to alert you when it sees an audit log entry from an IP that does not appear in the sign-in logs (possibly an indication of token theft).
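As an added illustration of the correlation idea above (my code, not the author's; in Sentinel this would be a KQL join between the AuditLogs and SigninLogs tables), the following Python flags audit events whose source IP has no sign-in by the same user within a lookback window, and shows why an entry carrying the Graph front-end address instead of the caller's cannot be attributed at all. The user names, addresses and timestamps are constructed sample data; only 20.190.160.25 is taken from the post.

```python
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed sample data. Real tenant logs carry many more fields; only the
# ones the correlation needs are kept here.
SIGNIN_LOGS: List[Dict[str, str]] = [
    {"time": "2023-06-07T08:55:00Z", "user": "stephan@contoso.example", "ip": "203.0.113.10"},
    {"time": "2023-06-07T09:02:00Z", "user": "alice@contoso.example", "ip": "198.51.100.23"},
]

AUDIT_LOGS: List[Dict[str, str]] = [
    # Normal: same user, same IP as a recent sign-in.
    {"time": "2023-06-07T09:10:00Z", "user": "stephan@contoso.example",
     "ip": "203.0.113.10", "activity": "Add service principal"},
    # Suspicious: alice never signed in from this address (token replayed elsewhere?).
    {"time": "2023-06-07T09:12:00Z", "user": "alice@contoso.example",
     "ip": "192.0.2.77", "activity": "Add service principal"},
    # The bug from the post: the Graph front-end address was logged instead of the caller's.
    {"time": "2023-06-07T09:15:00Z", "user": "stephan@contoso.example",
     "ip": "20.190.160.25", "activity": "Add service principal"},
]

# Assumed: the front-end address observed in the post, so the rule can tell
# "unattributable" apart from "attributed to an unknown client".
GRAPH_FRONTEND_IPS: FrozenSet[str] = frozenset({"20.190.160.25"})


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def flag_audit_events(
    audit_logs: Iterable[Dict[str, str]],
    signin_logs: Iterable[Dict[str, str]],
    window: timedelta = timedelta(hours=24),
    proxy_ips: FrozenSet[str] = frozenset(),
) -> List[Tuple[Dict[str, str], str]]:
    """Return (event, reason) for each audit event that cannot be tied to a
    sign-in by the same user from the same IP within `window` before it."""
    signins = list(signin_logs)
    flagged: List[Tuple[Dict[str, str], str]] = []
    for ev in audit_logs:
        if ev["ip"] in proxy_ips:
            flagged.append((ev, "source is a service front end; caller not attributable"))
            continue
        when = _ts(ev["time"])
        matched = any(
            s["user"] == ev["user"] and s["ip"] == ev["ip"]
            and timedelta(0) <= when - _ts(s["time"]) <= window
            for s in signins
        )
        if not matched:
            flagged.append((ev, "no sign-in from this IP for this user in the window"))
    return flagged


def flagged_ips(flagged: Iterable[Tuple[Dict[str, str], str]]) -> List[str]:
    return [ev["ip"] for ev, _ in flagged]


if __name__ == "__main__":
    for ev, reason in flag_audit_events(AUDIT_LOGS, SIGNIN_LOGS, proxy_ips=GRAPH_FRONTEND_IPS):
        print(f'{ev["time"]} {ev["user"]} {ev["activity"]} from {ev["ip"]}: {reason}')
```

The third record is the cost of the bug for a detection like this: without knowing the front-end address it is just one more unexplained IP (a false positive), and once you allow-list that address you lose the ability to say who really created the service principal. Either way the rule only works as intended when the audit log carries the caller's own IP.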

This issue did not actually leak data or allow access to data you should not have access to. It did, however, make incident response a lot harder if something had actually happened.