SAML Post-Intrusion Attack Mirrors ‘Golden Ticket’

A proof-of-concept attack demonstrates how adversaries can abuse the Security Assertion Markup Language framework to go unnoticed and assume multiple user identities.

Researchers at CyberArk Labs have created a post-intrusion attack technique known as a Golden SAML that could allow an attacker to fake enterprise user identities and forge authentication to gain access to valuable cloud resources in a federation environment.

“Using this post-exploit technique, attackers can become any user they want to be – with the highest level of privileges – and gain approved, federated access to a targeted app,” according to CyberArk Labs who revealed the attack technique this week.

Researchers said this Golden SAML attack technique mirrors in many ways how the notorious Golden Ticket attacks work.

“The name resemblance is intended, since the attack nature is rather similar. Golden SAML introduces to a federation the advantages that Golden Ticket offers in a Kerberos environment – from gaining any type of access to stealthily maintaining persistency,” according to CyberArk Labs.

Golden Ticket is a type of attack against an IT infrastructure’s authentication protocols. Similar to Pass-the-Hash, Overpass-the-Hash and Pass-the-Ticket, a Golden Ticket attack is considered the most invasive because it provides an adversary with unrestricted access and control of an IT landscape via manipulation of the Windows Server Kerberos authentication framework.

Instead of targeting Windows Server Kerberos, a Golden SAML attack leverages the Security Assertion Markup Language 2.0 (SAML) protocol. SAML is an open standard for exchanging authentication and authorization data between an identity provider and a service provider.

“Golden SAML poses serious risk because it allows attackers to fake an identity and forge authentication to any cloud app (Azure, AWS, vSphere, etc.) that supports SAML authentication. Using this post-exploit technique, attackers can become any user they want to be – with the highest level of privileges – and gain approved, federated access to a targeted app,” researchers wrote.

SAML assertions are trusted because they are signed with a specific RSA private key stored within the identity provider environment.

The prerequisites of such attacks, however, are considerable. Among other things, hackers will need the token-signing private key used to sign the SAML objects, an Active Directory Federation Services (ADFS) user account, the identity provider (IdP) public certificate and the IdP name.

Attackers must also gain access to wherever identity management takes place in order to obtain those resources. Sometimes a third party handles the SAML key management; other times it is hosted within a company’s own domain.

“Once the attacker has gained access to this key, the attacker can create whatever SAML authentication object they want. They can be any user on the targeted service with any permissions on the system that they desire as long as they sign the SAML assertion with the stolen key,” said Shaked Reiner, a security researcher with CyberArk Labs in an interview with Threatpost.

As with the Microsoft Kerberos-based environments that allow Golden Ticket to work, a fix for Golden SAML is not trivial. “There isn’t anyone to blame here, but if you are using SAML you need to be aware of this problem,” said Doron Naim, senior security researcher with CyberArk Labs.

Microsoft doesn’t consider this a vulnerability because, in order to carry out a Golden SAML attack, an adversary must already have compromised a company’s network and have domain admin access, Naim said.

“As for the defenders, we know that if this attack is performed correctly, it will be extremely difficult to detect in your network,” researchers wrote. “We recommend better monitoring and managing access for the ADFS account, and if possible, auto-rollover the signing private key periodically, making it difficult for the attackers.”
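One way to act on that monitoring advice, as an added example that is not from the article or from CyberArk’s research: an assertion forged with a stolen signing key passes signature verification at the service provider, but the identity provider never issued it, so correlating the assertions a service provider accepts against the assertions the IdP logged as issued surfaces the forgery. The log formats, hostnames and assertion IDs below are constructed for the example and do not reproduce real ADFS or cloud-app log schemas.

```python
# Added example (not from the article or CyberArk): correlate assertions consumed
# by a service provider (SP) with assertions the identity provider (IdP) issued.
# A Golden SAML assertion is signed with the stolen key, so the SP's signature
# check passes; the IdP, however, has no issuance record for it.
# Log formats below are constructed for this example, not real ADFS/SP formats.
import re
from typing import Dict, List, Set

# Constructed IdP issuance records: one line per assertion the IdP minted.
IDP_ISSUANCE_LOG = """\
2017-11-20T09:01:12Z idp=sts.example.test assertion=_a1b2c3 user=alice@example.test
2017-11-20T09:03:40Z idp=sts.example.test assertion=_d4e5f6 user=bob@example.test
"""

# Constructed SP records: assertions presented to the cloud app and the
# outcome of its signature check. The third line was never issued by the IdP.
SP_CONSUMPTION_LOG = """\
2017-11-20T09:01:13Z sp=cloudapp assertion=_a1b2c3 subject=alice@example.test sig=valid
2017-11-20T09:03:41Z sp=cloudapp assertion=_d4e5f6 subject=bob@example.test sig=valid
2017-11-20T09:10:05Z sp=cloudapp assertion=_9f8e7d subject=admin@example.test sig=valid
2017-11-20T09:11:00Z sp=cloudapp assertion=_000bad subject=eve@example.test sig=invalid
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(log: str) -> List[Dict[str, str]]:
    """Turn each 'timestamp key=value ...' line into a dict (timestamp under 'ts')."""
    events = []
    for line in log.splitlines():
        ts, _, rest = line.partition(" ")
        fields = dict(KV.findall(rest))
        fields["ts"] = ts
        events.append(fields)
    return events


def find_unissued(idp_log: str, sp_log: str) -> List[Dict[str, str]]:
    """Return SP events whose signature verified but whose assertion ID the IdP
    never logged. Signature-invalid events are excluded: the SP already rejects
    those, and they are not the Golden SAML case."""
    issued: Set[str] = {e["assertion"] for e in parse(idp_log)}
    return [e for e in parse(sp_log)
            if e.get("sig") == "valid" and e["assertion"] not in issued]


if __name__ == "__main__":
    for event in find_unissued(IDP_ISSUANCE_LOG, SP_CONSUMPTION_LOG):
        print(f"{event['ts']} assertion {event['assertion']} for "
              f"{event['subject']} accepted by SP but never issued by IdP")
```

The correlation only works if IdP issuance logging is shipped somewhere the attacker cannot edit with the same domain-admin access that yielded the key, which is why the off-host monitoring of the ADFS account matters.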
