Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Active Directory Federated Services (ADFS) User Enumeration Vulnerability

🗓️ 24 Oct 2018 00:00:00Reported by Joshua PlatzType 
zdt
 zdt🔗 0day.today👁 368 Views

Active Directory Federated Services (ADFS) excessive timeout vulnerability in user enumeratio

Code
[+] Credits: Joshua Platz aka Binary1985
[+] CVE ID: Requested
[+] Website: https://github.com/binary1985

[+] Source:
https://raw.githubusercontent.com/binary1985/VulnerabilityDisclosure/master/ADFS-Timing-Attack

Vendor:
==========================
http://www.microsoft.com


Product:
===========
Active Directory Federated Services (ADFS)

Active Directory Federation Services, a software component developed by Microsoft, can run on Windows Server operating 
systems to provide users with single sign-on access to systems and applications located across organizational boundaries.


Vulnerability Type:
==========================
Time Based User Enumeration


Vulnerability Details:
=====================

ADFS has an excessively long timeout on authentication requests using the correct domain, but invalid user. This is likely 
due to the time it takes to search the entire AD directory and return a response. Response times vary with use cases seeing 
valid accounts taking only .2 seconds, up to 3 seconds to return an invalid login. However invalid accounts have been seen 
to take 15 seconds to respond.


1) Observe the ADFS URL https://adfs.exampledomain.com/adfs/ls/IdpInitiatedSignOn.aspx?

2) Observe the length of time for an invalid account to return on login attempt (ex 15 seconds) *you must use the valid 
      domain*

3) Observe the length of time for a valid account to return on login attempt (ex 2 seconds) *try domain\administrator or 
      domain\guest*

4) Intercept a request using anything as a valid username and password. Extract the cookie. 

5) Add the cookie value to this PoC https://gist.github.com/binary1985/d778ef59c01fe82026ee2c9660904e3a on line 15.

6) Update the timings within the script to match your tests in step 2 and 3, the goal is to set the command timeout on 
      line 15 to something slightly greater then the timeout observed in step 3, and then update the logic on line 17 
      to something reasonable. Remember invalid accounts take a long time, valid accounts are quick

7) Execute the script, providing the ADFS URL as well as the domain and a user list. 
      Example: https://drive.google.com/open?id=0B5Pt6tipK7-9cnVkYi1qOFhxbEVFUVJCWjBHcHJZX0QxX3d3

#  0day.today [2018-10-24]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
24 Oct 2018 00:00Current
microsoft active directory federation servicestime based user enumerationauthentication timeoutvulnerability disclosuresingle sign-on
368