Microsoft Office 365 platform SAML service vulnerability allows unauthorized access to other users' resources

ID: MYHACK58:62201674683
Type: myhack58
Reporter: Anonymous
Modified: 2016-05-10T00:00:00


Recently, two security researchers, Klemen Bratec and Ioannis Kakavas, announced that they had found a vulnerability in the SAML service of the Microsoft Office 365 platform. It can be exploited to bypass cross-domain authentication and ultimately affects all federated domains on the Office 365 platform. An attacker can use this vulnerability to get around access restrictions and gain unauthorized access to a victim's Office 365 account information, and from there to the victim's mailbox, files stored in OneDrive (Microsoft's cloud storage service), and so on. Microsoft has currently applied a temporary fix for the vulnerability.

Introduction to SAML

SAML stands for Security Assertion Markup Language. It is an XML-based standard for exchanging authentication and authorization data between different security domains. Its main role is cross-domain single sign-on. The goal of SAML is that, once a user has authenticated, they can access resources in multiple application services without authenticating again (for example, re-entering an account name and password), with SAML acting as the "middleman" in that process.

Web single sign-on

Single sign-on (SSO) is a technology that makes network access more convenient for users. As described above, the user only needs to log in once to gain access to the systems and applications they are authorized for, and can then switch among applications without repeatedly entering a username and password to prove their identity. Under this model, administrators can implement the security controls they want without having to modify or interfere with user logins. For example, many websites let us log in not only by registering a new account but also with an account from another application, such as QQ or a microblogging account; this uses web single sign-on technology.
Looked at in terms of user overlap, some sites share part of their user base. For those users, web single sign-on is a good way to let someone who has visited website A access website B without authenticating again.

Important concepts in SAML

The above gave a brief overview; this part looks in more detail at the principles of SAML 2.0. The most important parts of the SAML standard today are as follows:

1. Assertions
An assertion is an XML structure that carries information about the user. The two most commonly used assertion types are: (1) authentication assertions, which carry the information that the user has proven their identity; (2) attribute assertions, which contain specific information about the user such as mail address, name, etc.

2. Protocols
The SAML protocols describe how certain SAML elements (such as assertions) are packaged in requests and how the system responds to those requests, and they give the processing rules that SAML entities (the identity provider and the service provider) must follow for login or logout. Put another way, the SAML protocols are the set of protocols for transmitting and processing SAML assertions between system entities. The authentication request protocol mentioned above is introduced later.

3. Bindings
A SAML binding describes how a SAML message is mapped onto a non-SAML message format and communication protocol. For example, during authentication the service provider (the application resource the user is accessing) communicates with the identity provider; how each party extracts the information it needs from the transmitted messages is a matter of the binding.
When a message needs to be taken from the query string of the URL in an HTTP GET request, the HTTP Redirect Binding defines how the URL is formatted so that it conforms to the SAML message standard format. In this exchange the SAML request is passed in the SAMLRequest query parameter, and its value is compressed, then base64-encoded and URL-encoded.

4. Identity Provider
The identity provider is the authority in SAML and holds information about users. It can issue assertions about a user, so that the user can operate within their permissions in the applications that rely on that identity provider.

5. Service Provider
The service provider is the recipient of SAML messages. It receives user information from the identity provider and opens up the resources that match the user's access permissions.

Web browser single sign-on (SSO) example

Next, a simple example of a web browser single sign-on setup gives a more in-depth understanding of SAML. In this single sign-on process, the service provider uses the HTTP Redirect binding and the identity provider uses the HTTP POST binding. The parties involved in the whole process are:

1. The user, using a browser
2. The identity provider
3. The service provider

The figure below also shows the interaction among the three.

1. In our example, the single sign-on process starts when a user attempts to access a protected resource or, put simply, asks to log in. The service provider is configured to allow or deny federated login, and can redirect the user in real time to a discovery service interface to select their identity provider.
Once the selection has been matched automatically and the service provider knows and trusts the chosen identity provider, the service provider creates a SAML authentication request, as follows:

    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        ID="_bec424fa5103428909a30ff1e31168327f79474984"
        Version="2.0"
        IssueInstant="2016-04-14T11:39:34Z"
        ForceAuthn="false"
        IsPassive="false"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        AssertionConsumerServiceURL="">
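
The HTTP Redirect binding encoding described above (compress, base64, URL-encode), shown in both directions as an added Python example that is not part of the original article. It decodes a SAMLRequest parameter for inspection, for instance when reviewing proxy logs. The sample message is constructed from the attributes shown on this page; the hosts sp.example.com and idp.example.com and the 64 KiB size cap are assumptions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, quote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_XML = 64 * 1024  # assumed cap on the inflated message size

# Constructed sample modelled on the page's AuthnRequest; the ACS URL is a placeholder.
SAMPLE_XML = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" '
    'ID="_bec424fa5103428909a30ff1e31168327f79474984" Version="2.0" '
    'IssueInstant="2016-04-14T11:39:34Z" ForceAuthn="false" IsPassive="false" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example.com/acs"/>'
)

def encode_redirect(xml: str) -> str:
    """Sender side: raw DEFLATE, then base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: no zlib header
    raw = comp.compress(xml.encode("utf-8")) + comp.flush()
    return quote(base64.b64encode(raw).decode("ascii"), safe="")

def decode_redirect(url: str) -> dict:
    """Receiver side: reverse the binding and return the AuthnRequest attributes."""
    values = parse_qs(urlsplit(url).query).get("SAMLRequest")  # URL-decodes
    if not values or len(values) != 1:
        raise ValueError("expected exactly one SAMLRequest parameter")
    raw = base64.b64decode(values[0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(raw, MAX_XML)  # bounded inflate
    if not inflater.eof:
        raise ValueError("message truncated or larger than the size cap")
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTDs are not accepted in SAML messages")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"unexpected root element {root.tag}")
    return dict(root.attrib)

if __name__ == "__main__":
    url = "https://idp.example.com/sso?SAMLRequest=" + encode_redirect(SAMPLE_XML)
    for name, value in decode_redirect(url).items():
        print(f"{name} = {value}")
```
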
