Office 365 / ADFS vulnerability

Companies are protecting Office 365 with ADFS or Conditional Access. This protection is done to ensure that users can access SharePoint Online and OneDrive for Business only from controlled areas.

SharePoint Online and OneDrive for Business unfortunately are using very long living authentication cookies, which the users or malicious code can send to other machines like private machines. From there it can be accessed without protection. Even if those users are not able to connect to ADFS or shouldn’t be able to login because of conditional access rules, with a valid cookie they can still sign in.

The root cause is that those authentication cookies are not bound and valid from everywhere. Conditional Access and ADFS is only used, to issue the cookie but as soon as it’s issued users can utilize it until it expires from everywhere.

If you want to test this:

Disclaimer:

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Please make sure you don’t violate any policies, regulations, legislations, etc.

The powershell script “Office365CookieSend.txt” can be used the following way:

Corporate Workstation

  1. Open the textfile and enter the URL of your OneDrive or SharePoint in the first line
  2. Enter an encryption key (random, no spaces) in the second line. This key is used to send the cookie by mail
  3.  Copy & Paste everything into a PowerShell window on a machine where you can login
  4. Login to Office 365
  5. A new script is generated and opens your mail client to send the encrypted cookie home

Private workstation

  1. Open Internet Explorer and delete all the cookies
  2. Open the script in the mail on your home pc
  3. Update the first line with the encryption key from 2
  4. Copy & Past everything into PowerShell and run it

Two issues which might occur:

  1. The user is still blocked by conditional access. Then press the sign out link on the screen and run the script again.
  2. The following error might show up:

    “Padding is invalid and cannot be removed.”

    Ensure the key is the same as on the source workstation.

Leave a Reply

Your email address will not be published. Required fields are marked *