Irreversible Microsoft Entra ID authentication bypass poses threat to hybrid IDs

Researchers have found a way to manipulate the credential validation process in Microsoft Entra ID identity environments. According to them, attackers can use this approach to bypass authentication in hybrid identity infrastructures.

The attack would require an adversary to have administrative access on a server hosting a Pass-Through Authentication (PTA) agent, a component that allows users to sign in to cloud services using on-premises Microsoft Entra ID (formerly Azure Active Directory) credentials. They can then use that access to sign in as an Entra ID user across multiple on-premises domains without requiring separate authentication, researchers from Cymulate said in a report this week.

Transform PTA into double agent

“This vulnerability effectively turns the PTA agent into a double agent, allowing attackers to log in as any synced AD user without knowing their actual password,” Cymulate security researcher Ilan Kalendarov wrote. “This could potentially grant access to a global administrator if such privileges were assigned, regardless of their original synced AD domain,” and enable lateral movement to different on-premises domains.

Microsoft did not immediately respond to a Dark Reading request for comment. But according to Cymulate, Microsoft plans to patch the code on its side to address the issue. Microsoft has also described the attack technique as a medium-severity threat, according to the Israel-based security vendor.

Earlier this month at Black Hat USA 2024, a security researcher at Semperis revealed another problem with Entra ID that gave attackers access to an organization’s entire cloud environment. Attackers are increasingly focused on cloud identity services such as Entra ID, Okta and Ping. Once they compromise one of these providers, they have full access to the company’s data in SaaS apps.

Cymulate’s proof-of-concept attack leverages what the company calls a vulnerability in Entra ID when syncing multiple on-premises domains to a single Azure tenant. In comments to Dark Reading, Kalendarov said it’s a practice organizations often use to streamline user access across departments, for example, or to simplify IT management for companies with multiple subsidiaries. Syncing multiple on-premises domains to a single Azure tenant enables seamless collaboration between disparate business units, he said.

Incorrect handling of requests

What Cymulate discovered is that PTA agents in this configuration can sometimes mishandle authentication requests across multiple on-premises domains. The company’s research showed that when a user attempts to log in to Entra ID, the password validation request is placed in a service queue and picked up by any available PTA agent from any of the synced on-premises domains.

Cymulate found that a PTA agent would occasionally retrieve the username and password from another on-premises domain and attempt to validate them against its own Windows Server AD. “This results in a failed authentication because the server doesn’t recognize the specific user,” Kalendarov said. “It depends on which PTA agent receives the request first. However, within our testing and research, it was a fairly common occurrence.”

Cymulate’s POC takes advantage of this particular issue. To demonstrate how an attacker could exploit it, the researchers first injected an unmanaged dynamic link library (DLL) into the PTA agent. Once loaded, the DLL intercepts the ValidateCredential function, which is responsible for checking user credentials, at its entry and exit. By intercepting this function, the attacker can manipulate the result, forcing it to always return True, Cymulate discovered. “This means that even if we provide the credentials of a user from a different domain, the hook [still returns True],” Cymulate said. “That would allow us to log in as any user from any synced on-prem AD.”

The attack only works if the attacker first gains local admin access on the PTA server, Kalendarov said. “In theory, there are attacks where you first get into the PTA server and copy the certificate, and then create your own replicated server. The attack would work on that server as well.”

Kalendarov said it’s likely that Microsoft considers the threat to be moderate because the attacker would first need to gain local administrative access. Additionally, Microsoft recommended that organizations treat the server as a Tier-0 component, meaning they should implement the highest level of security controls, such as strict access control, enhanced monitoring, and network isolation. But the reality is that most companies don’t treat it as a Tier-0 component, he said. Microsoft also recommended that organizations implement two-factor authentication for all synced users.

Cymulate itself has recommended that Microsoft implement domain-aware routing to ensure that authentication requests are routed to the correct PTA agent. “Additionally, it may be beneficial to establish strict logical separation between different on-premises domains within the same tenant,” the company noted.
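The following is an added illustration, not code from Microsoft, Cymulate or the PTA agent itself: a small Python model of the queue behaviour described above (any available agent may pick up any domain's request) next to the domain-aware routing Cymulate recommends. It shows the spurious cross-domain failures from honest agents, and why one agent whose credential check always returns True affects every synced domain under the first design but only its own under the second. Domain names, users and passwords are constructed.

```python
from dataclasses import dataclass
from itertools import cycle

@dataclass
class PtaAgent:
    domain: str
    directory: dict            # constructed on-prem AD: upn -> password
    compromised: bool = False  # models a hooked ValidateCredential that always returns True

    def validate_credential(self, upn: str, password: str) -> bool:
        if self.compromised:
            return True
        # An honest agent only knows its own domain's users; others fail here.
        return self.directory.get(upn) == password

def make_agents(compromised_domain=None):
    """Constructed tenant with two synced on-prem domains and one PTA agent each."""
    return [
        PtaAgent("a.example", {"alice@a.example": "S3cret!"}, compromised_domain == "a.example"),
        PtaAgent("b.example", {"bob@b.example": "Hunter2"}, compromised_domain == "b.example"),
    ]

USERS = ["alice@a.example", "bob@b.example"]

def shared_queue(agents):
    """Article's behaviour: whichever agent takes the request validates it against its own AD."""
    picker = cycle(agents)
    def dispatch(upn, password):
        agent = next(picker)
        return agent.domain, agent.validate_credential(upn, password)
    return dispatch

def domain_aware(agents):
    """Recommended mitigation: the request goes only to the agent for the user's domain."""
    by_domain = {a.domain: a for a in agents}
    def dispatch(upn, password):
        agent = by_domain.get(upn.rsplit("@", 1)[-1])
        return (None, False) if agent is None else (agent.domain, agent.validate_credential(upn, password))
    return dispatch

def legit_login_outcomes(dispatch, attempts=2):
    """Alice signs in with her correct password several times; records (agent, result) each time."""
    return [dispatch("alice@a.example", "S3cret!") for _ in range(attempts)]

def accepted_domains(dispatch, upns=USERS, attempts=4):
    """Domains whose users can be signed in with a wrong password: the blast radius of a bad agent."""
    return {u.rsplit("@", 1)[-1] for u in upns
            if any(dispatch(u, "wrong-password")[1] for _ in range(attempts))}

if __name__ == "__main__":
    print("honest agents, shared queue:", legit_login_outcomes(shared_queue(make_agents())))
    print("b.example agent hooked, shared queue:", accepted_domains(shared_queue(make_agents("b.example"))))
    print("b.example agent hooked, domain-aware:", accepted_domains(domain_aware(make_agents("b.example"))))
```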