BloodHoundAD / BloodHound

Six Degrees of Domain Admin


Azure - AzAddSecret to ServicePrincipals is often a false positive

EnriqueHernandezL opened this issue · comments

Describe the bug
There are a bunch of ServicePrincipals in all Azure Tenants that correspond to AppRegistrations that live in Tenants of Microsoft. These ServicePrincipals could, according to BloodHound, be abused for a standard Application Admin-to-Global Admin privesc. This is however not true, since it is impossible to authenticate as a ServicePrincipal if its AppRegistration lives in a foreign tenant.

The situation gets especially bad when someone uses PIM for Subscription IAM roles. In this case Azure gives the PIM ServicePrincipal a "User Access Administrator" role in that subscription, and BloodHound thinks that the Application Admins can own the Subscription now, which is not the case.

To Reproduce
Steps to reproduce the behavior:

  1. Pick a ServicePrincipal of a Microsoft App (such as MS Graph, PIM, Azure Portal, etc.) and give it a Credential (password or cert). It works, but you cannot use it to authenticate as the SP.
  2. Collect the data for BloodHound and search for Paths from Application Admin to the SP. BloodHound thinks that the Application Admin can authenticate as the SP, just like the ones that correspond to AppRegistrations in the analysed Tenant (for which that works).

Expected behavior
BloodHound should not show the AzAddSecret Edges to ServicePrincipals whose respective AppRegs are not in the analysed tenant.
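One way to triage this class of finding while the edge logic is still as described in the issue, as an added example that is not BloodHound's own code: filter AzAddSecret edges by the tenant that owns the target's app registration. The Microsoft Graph `servicePrincipal` resource exposes this as `appOwnerOrganizationId`; the helper below assumes service principals have been exported in that shape. The tenant ids, principal ids and edge list are constructed sample data, and the edge tuples are an assumed `(source, target id)` layout rather than BloodHound's export format.

```python
"""Triage AzAddSecret edges whose target SP is backed by a foreign-tenant app.

Added example, not BloodHound's code. A credential added to a service
principal is only usable for authentication when the app registration lives
in the same tenant, so edges to SPs whose `appOwnerOrganizationId` points at
another tenant are reported as false positives. Records with no owner tenant
or not present in the inventory are kept for manual review rather than dropped.
"""
from dataclasses import dataclass

# Constructed tenant ids (not real tenants).
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
FOREIGN_TENANT = "22222222-2222-2222-2222-222222222222"

# Constructed inventory in the shape of Graph `servicePrincipal` objects.
SERVICE_PRINCIPALS = [
    {"id": "sp-home", "displayName": "Contoso line-of-business API",
     "appOwnerOrganizationId": HOME_TENANT},
    {"id": "sp-foreign", "displayName": "Vendor first-party app",
     "appOwnerOrganizationId": FOREIGN_TENANT},
    {"id": "sp-noowner", "displayName": "Legacy app without owner info",
     "appOwnerOrganizationId": None},
]

# Constructed AzAddSecret edges as (source principal, target SP id).
ADD_SECRET_EDGES = [
    ("Application Administrator", "sp-home"),
    ("Application Administrator", "sp-foreign"),
    ("Application Administrator", "sp-noowner"),
    ("Application Administrator", "sp-missing"),
]


@dataclass(frozen=True)
class Verdict:
    target_id: str
    display_name: str
    keep: bool       # True = edge is actionable or needs review
    reason: str


def is_home_tenant_app(sp, home_tenant):
    """True only when the owning tenant is known and equals our tenant."""
    return sp.get("appOwnerOrganizationId") == home_tenant


def triage_add_secret_edges(edges, service_principals, home_tenant):
    """Return one Verdict per edge; keep=False marks a foreign-tenant false positive."""
    by_id = {sp["id"]: sp for sp in service_principals}
    verdicts = []
    for _source, target_id in edges:
        sp = by_id.get(target_id)
        if sp is None:
            verdicts.append(Verdict(target_id, "<unknown>", True,
                                    "target not in inventory; keep for review"))
            continue
        owner = sp.get("appOwnerOrganizationId")
        if owner is None:
            verdicts.append(Verdict(target_id, sp["displayName"], True,
                                    "owner tenant unknown; keep for review"))
        elif is_home_tenant_app(sp, home_tenant):
            verdicts.append(Verdict(target_id, sp["displayName"], True,
                                    "app registration is in this tenant; credential is usable"))
        else:
            verdicts.append(Verdict(target_id, sp["displayName"], False,
                                    f"app registration owned by foreign tenant {owner}; "
                                    "credential cannot be used to authenticate as the SP"))
    return verdicts


def false_positive_targets(edges, service_principals, home_tenant):
    """Convenience view: ids of targets whose AzAddSecret edge is a false positive."""
    return [v.target_id for v in triage_add_secret_edges(edges, service_principals, home_tenant)
            if not v.keep]


if __name__ == "__main__":
    for v in triage_add_secret_edges(ADD_SECRET_EDGES, SERVICE_PRINCIPALS, HOME_TENANT):
        status = "KEEP " if v.keep else "DROP "
        print(f"{status} {v.target_id:<12} {v.display_name:<32} {v.reason}")
```

Only edges whose target has a known owner tenant different from the home tenant are dropped; missing or unknown owner data is deliberately kept, since a missing attribute is not evidence that the credential would be unusable.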