POC details: b8658271d0cf6e741816d6f9a9edf9ad00e40c32

Source
Related vulnerability
Title: Microsoft Entra authorization vulnerability (CVE-2025-55241)
Description: Microsoft Entra is an identity and access management system from Microsoft (USA). Microsoft Entra contains an authorization flaw that can lead to privilege escalation.
Description
Audit Tool for CVE-2025-55241 - No Warranty Provided or Assumed. Analyze and Use at Own Risk
Introduction
# CVE-2025-55241 Internal Audit Tool

🔍 **Azure/Entra ID Actor Token Vulnerability Security Assessment Suite**

A comprehensive collection of tools for detecting and auditing Azure/Entra ID tenants for evidence of CVE-2025-55241 (Actor Token cross-tenant privilege escalation) exploitation.

![Security Assessment](https://img.shields.io/badge/Security-Assessment-red)
![CVE-2025-55241](https://img.shields.io/badge/CVE-2025--55241-Patched-green)
![Platform](https://img.shields.io/badge/Platform-Azure%2FEntra%20ID-blue)
![License](https://img.shields.io/badge/License-MIT-yellow)

## 🚨 Critical Vulnerability Overview

**CVE-2025-55241** was a critical cross-tenant privilege escalation vulnerability in Azure/Entra ID. An attacker holding an undocumented "Actor token" issued in their own tenant could impersonate any user, including Global Administrators, in any other tenant through the legacy Azure AD Graph API.

- **CVSS Score**: 9.9 (Critical)
- **Impact**: Complete tenant compromise across all Azure/Entra ID tenants globally
- **Patch Date**: July 17, 2025 (Microsoft)
- **Discovery**: Dirk-jan Mollema (dirkjanm.io)

## ⚠️ Important Security Notice

**This vulnerability has been PATCHED by Microsoft** as of July 17, 2025. These tools are designed for:

✅ **Post-incident forensic analysis**  
✅ **Legitimate security assessment of your own tenants**  
✅ **Compliance auditing and security posture validation**  
✅ **Security research and education**  

❌ **DO NOT use for unauthorized testing or malicious purposes**

## 🛠️ Tools Overview

### 1. External Security Tester (`azure_tenant_security_tester.py`)
Performs comprehensive external reconnaissance and security assessment of Azure tenants.

**Capabilities:**
- 🔍 Tenant information discovery via OpenID endpoints
- 🌐 DNS security configuration analysis (SPF, DMARC, MX records)
- 🔐 Federation and autodiscover endpoint exposure testing
- 👤 User enumeration vulnerability detection
- 🔒 SSL/TLS certificate configuration validation
- 📱 Application and service discovery
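The DNS part of the external tester comes down to reading the domain's SPF and `_dmarc` TXT records and turning tag values into findings. The following is an added example, not code from this repository: it evaluates constructed TXT records offline (no DNS lookups) and produces findings in the same wording as the sample output further down. The record contents, the domain and the LOW/MEDIUM/HIGH scale are this example's own assumptions.

```python
# Constructed sample TXT records for a fictional domain; not real DNS data.
SAMPLE_TXT = {
    "contoso.com": ["v=spf1 include:spf.protection.outlook.com -all",
                    "MS=ms12345678"],
    "_dmarc.contoso.com": ["v=DMARC1; p=none; rua=mailto:dmarc@contoso.com"],
}


def parse_dmarc_tags(record: str) -> dict:
    """Split a DMARC record ('tag=value; tag=value') into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(txt_records: list) -> list:
    """Return findings for the domain's SPF record (RFC 7208 semantics)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["No SPF record published"]
    if len(spf) > 1:
        return ["Multiple SPF records published - receivers treat this as a permanent error"]
    findings = []
    terms = spf[0].split()[1:]
    # The last 'all' mechanism decides what happens to senders no other mechanism matched.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms and not any(t.lower().startswith("redirect=") for t in terms):
        findings.append("SPF has no 'all' mechanism - unlisted senders evaluate to neutral")
    elif all_terms:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF ends with +all - any sender passes")
        elif qualifier == "?":
            findings.append("SPF ends with ?all - neutral, not enforcing")
    return findings


def assess_dmarc(txt_records: list) -> list:
    """Return findings for the _dmarc TXT record (RFC 7489 tags)."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["No DMARC record published"]
    tags = parse_dmarc_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC policy set to 'none' - not enforcing")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy missing or invalid: {policy!r}")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct} - policy applied to only part of the mail flow")
    if "rua" not in tags:
        findings.append("No DMARC aggregate reporting address (rua) - spoofing goes unnoticed")
    return findings


def assess_domain(domain: str, txt: dict) -> dict:
    """Combine SPF and DMARC findings into a tool-style summary (risk scale is this example's own)."""
    findings = assess_spf(txt.get(domain, [])) + assess_dmarc(txt.get(f"_dmarc.{domain}", []))
    risk = "LOW" if not findings else ("MEDIUM" if len(findings) <= 3 else "HIGH")
    return {"domain": domain, "risk": risk, "findings": findings}


if __name__ == "__main__":
    result = assess_domain("contoso.com", SAMPLE_TXT)
    print(f"Domain: {result['domain']}\nRisk Level: {result['risk']}")
    for i, finding in enumerate(result["findings"], 1):
        print(f"  {i}. {finding}")
```

To run it against a live domain, replace `SAMPLE_TXT` with the TXT answers for `domain` and `_dmarc.domain` from your resolver; the evaluation logic does not change.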

### 2. Internal Actor Token Auditor (`azure_audit_actor_tokens.py`) 
Audits your tenant internally for evidence of CVE-2025-55241 exploitation.

**Capabilities:**
- 🔍 Service principals with Actor token generation capabilities
- 👥 Guest users with exploitable netIds (alternative security IDs)
- 📊 KQL detection queries for Azure Sentinel/Log Analytics
- 🚨 Suspicious administrative activity pattern detection
- 📈 Risk assessment and security recommendations

## 🚀 Quick Start

### Installation

```bash
git clone https://github.com/Spanky-McSpank/CVE-2025-55241-Internal-Audit.git
cd CVE-2025-55241-Internal-Audit
pip install -r requirements.txt
```

### External Security Assessment

```bash
# Basic assessment of your domain
./azure_tenant_security_tester.py yourdomain.com

# Comprehensive assessment with verbose output and JSON report
./azure_tenant_security_tester.py yourdomain.com -v -o security_report.json
```

### Internal Tenant Audit

```bash
# Authenticate and get required tokens
az login
ACCESS_TOKEN=$(az account get-access-token --resource https://graph.microsoft.com --query accessToken -o tsv)
TENANT_ID=$(az account show --query tenantId -o tsv)

# Run comprehensive internal audit
./azure_audit_actor_tokens.py --tenant-id $TENANT_ID --access-token $ACCESS_TOKEN -o audit_report.json
```

## 🕵️ Detection Methodology

### Key Detection Query (Azure Sentinel/Log Analytics)

The following KQL query, based on research by Dirk-jan Mollema, surfaces audit entries whose initiating identity is recorded as a user but carries the display name of a Microsoft first-party service, which is how changes made with an Actor token show up in the audit log. Group operations and the "Set directory feature on tenant" operation are filtered out to reduce noise from legitimate service activity:

```kql
AuditLogs
| where TimeGenerated >= ago(90d)
| where not(OperationName has "group")
| where not(OperationName == "Set directory feature on tenant")
| where InitiatedBy has "user"
| where InitiatedBy.user.displayName has_any (
    "Office 365 Exchange Online", 
    "Skype for Business Online", 
    "Dataverse", 
    "Office 365 SharePoint Online", 
    "Microsoft Dynamics ERP"
)
| project TimeGenerated, OperationName, InitiatedBy, TargetResources, Result
| sort by TimeGenerated desc
```
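The query's filters can be checked without a workspace by running them over exported rows. The following added example (not part of this repository) re-implements each `where` clause in Python, including KQL's whole-term `has` semantics and the `ago(90d)` window, against a handful of constructed AuditLogs rows in the shape Log Analytics exports. The rows, the reference time `AS_OF` and the `kql_has` approximation (word boundaries on alphanumeric runs) are this example's own assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Display names from the KQL query: first-party services whose Actor tokens impersonate users.
ACTOR_TOKEN_DISPLAY_NAMES = (
    "Office 365 Exchange Online",
    "Skype for Business Online",
    "Dataverse",
    "Office 365 SharePoint Online",
    "Microsoft Dynamics ERP",
)

# Reference time for the ago(90d) window (assumed; the live query uses the current time).
AS_OF = datetime(2025, 9, 19, 14, 30, tzinfo=timezone.utc)

# Constructed AuditLogs rows; not real tenant data.
SAMPLE_AUDIT_LOGS = [
    {"TimeGenerated": "2025-09-10T08:00:00+00:00", "OperationName": "Add member to role",
     "InitiatedBy": {"user": {"displayName": "Office 365 Exchange Online"}},
     "TargetResources": [{"displayName": "Global Administrator"}], "Result": "success"},
    {"TimeGenerated": "2025-09-10T08:05:00+00:00", "OperationName": "Add member to group",
     "InitiatedBy": {"user": {"displayName": "Office 365 Exchange Online"}},
     "TargetResources": [{"displayName": "All Staff"}], "Result": "success"},
    {"TimeGenerated": "2025-09-09T12:00:00+00:00", "OperationName": "Update user",
     "InitiatedBy": {"user": {"displayName": "Alice Admin", "userPrincipalName": "alice@contoso.com"}},
     "TargetResources": [{"displayName": "Bob"}], "Result": "success"},
    {"TimeGenerated": "2025-09-11T09:00:00+00:00", "OperationName": "Update user",
     "InitiatedBy": {"app": {"displayName": "Office 365 SharePoint Online"}},  # app-initiated: normal
     "TargetResources": [{"displayName": "Bob"}], "Result": "success"},
    {"TimeGenerated": "2025-09-11T10:00:00+00:00", "OperationName": "Set directory feature on tenant",
     "InitiatedBy": {"user": {"displayName": "Office 365 SharePoint Online"}},
     "TargetResources": [], "Result": "success"},
    {"TimeGenerated": "2025-09-12T10:00:00+00:00", "OperationName": "Update user",
     "InitiatedBy": {"user": {"displayName": "Office 365 SharePoint Online"}},
     "TargetResources": [{"displayName": "Carol"}], "Result": "success"},
    {"TimeGenerated": "2025-01-01T00:00:00+00:00", "OperationName": "Add member to role",
     "InitiatedBy": {"user": {"displayName": "Dataverse"}},  # outside the 90-day window
     "TargetResources": [{"displayName": "Global Administrator"}], "Result": "success"},
]


def kql_has(text: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive, matched on whole alphanumeric terms only."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def is_actor_token_candidate(entry: dict) -> bool:
    """Apply the query's where-clauses to one AuditLogs row."""
    op = entry.get("OperationName", "")
    initiated_by = entry.get("InitiatedBy") or {}
    if kql_has(op, "group"):                     # not(OperationName has "group")
        return False
    if op == "Set directory feature on tenant":  # not(OperationName == "...")
        return False
    # InitiatedBy has "user": a dynamic column is searched as its JSON text
    if not kql_has(json.dumps(initiated_by), "user"):
        return False
    display_name = (initiated_by.get("user") or {}).get("displayName") or ""
    return any(kql_has(display_name, name) for name in ACTOR_TOKEN_DISPLAY_NAMES)


def detect_actor_token_activity(entries, now=AS_OF, lookback=timedelta(days=90)) -> list:
    """Matching rows inside the lookback window, newest first, projected like the query."""
    cutoff = now - lookback
    hits = [e for e in entries
            if datetime.fromisoformat(e["TimeGenerated"]) >= cutoff and is_actor_token_candidate(e)]
    hits.sort(key=lambda e: e["TimeGenerated"], reverse=True)
    return [{k: e[k] for k in ("TimeGenerated", "OperationName", "InitiatedBy", "TargetResources", "Result")}
            for e in hits]


if __name__ == "__main__":
    for hit in detect_actor_token_activity(SAMPLE_AUDIT_LOGS):
        print(hit["TimeGenerated"], hit["OperationName"], "by", hit["InitiatedBy"]["user"]["displayName"])
```

On the sample rows only two entries survive: the role assignment "made by" Office 365 Exchange Online and the user update "made by" Office 365 SharePoint Online. The app-initiated SharePoint row, the group operation, the excluded tenant-feature operation and the row older than 90 days are all dropped, which is the behaviour to expect from the KQL above.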

### PowerShell Audit Commands

```powershell
# These cmdlets come from the retired AzureAD / AzureADPreview modules (run Connect-AzureAD first);
# Get-AzureADAuditDirectoryLogs is only available in AzureADPreview.

# Check for suspicious service principal credentials: first-party Exchange service
# principals should not carry tenant-added keys or secrets
Get-AzureADServicePrincipal -All $true | Where-Object {$_.DisplayName -like "*Exchange*"} |
    Select-Object DisplayName, AppId, KeyCredentials, PasswordCredentials

# Audit guest users with alternative security IDs (where a home-tenant netId is exposed)
Get-AzureADUser -All $true -Filter "UserType eq 'Guest'" |
    Select-Object UserPrincipalName, AlternativeSecurityIds

# Review recent privileged activities; the "*admin*" match is a coarse first pass, widen it for your naming scheme
Get-AzureADAuditDirectoryLogs -Filter "activityDisplayName eq 'Add user'" |
    Where-Object {$_.initiatedBy.user.userPrincipalName -like "*admin*"}
```
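The first PowerShell command only lists credentials; deciding which ones matter is left to the reader. The following added example, written in Python like the rest of this repository but not taken from it, applies three checks offline to constructed service principal objects in Microsoft Graph shape: a credential on a first-party service principal, a non-Microsoft app that reuses a first-party display name (a lookalike), and a credential added within the lookback window. The Microsoft owner tenant IDs and the Exchange/SharePoint appIds are well-known values; the other appIds, the tenant ID, `AS_OF`, the severity scale and the lookalike heuristic are this example's own assumptions.

```python
from datetime import datetime, timedelta, timezone

# Well-known tenant IDs that own Microsoft first-party applications.
MICROSOFT_OWNER_TENANTS = {
    "f8cdef31-a31e-4b4a-93e4-5f571e91255a",  # Microsoft Services
    "72f988bf-86f1-41af-91ab-2d7cd011db47",  # Microsoft corporate tenant
}
# Service names from the detection query; a non-Microsoft app using one of these is a lookalike.
FIRST_PARTY_NAMES = {"Office 365 Exchange Online", "Office 365 SharePoint Online",
                     "Skype for Business Online", "Dataverse", "Microsoft Dynamics ERP"}

AS_OF = datetime(2025, 9, 19, 14, 35, tzinfo=timezone.utc)  # assumed audit time
OUR_TENANT = "12345678-1234-1234-1234-123456789abc"  # constructed, matches the README sample

# Constructed servicePrincipal objects in Microsoft Graph shape; not real tenant data.
SAMPLE_SERVICE_PRINCIPALS = [
    {"displayName": "Office 365 Exchange Online", "appId": "00000002-0000-0ff1-ce00-000000000000",
     "appOwnerOrganizationId": "f8cdef31-a31e-4b4a-93e4-5f571e91255a",
     "keyCredentials": [],
     "passwordCredentials": [{"displayName": "backup", "startDateTime": "2025-08-01T00:00:00+00:00",
                              "endDateTime": "2027-08-01T00:00:00+00:00"}]},
    {"displayName": "Office 365 SharePoint Online", "appId": "00000003-0000-0ff1-ce00-000000000000",
     "appOwnerOrganizationId": "f8cdef31-a31e-4b4a-93e4-5f571e91255a",
     "keyCredentials": [], "passwordCredentials": []},
    {"displayName": "Contoso HR Sync", "appId": "aaaaaaaa-0000-4000-8000-000000000001",
     "appOwnerOrganizationId": OUR_TENANT,
     "keyCredentials": [{"displayName": "CN=hr-sync", "startDateTime": "2024-03-01T00:00:00+00:00",
                         "endDateTime": "2026-03-01T00:00:00+00:00"}],
     "passwordCredentials": [{"displayName": "rotated", "startDateTime": "2025-09-15T00:00:00+00:00",
                              "endDateTime": "2026-09-15T00:00:00+00:00"}]},
    {"displayName": "Office 365 Exchange Online", "appId": "bbbbbbbb-0000-4000-8000-000000000002",
     "appOwnerOrganizationId": "cccccccc-0000-4000-8000-000000000003",  # some other tenant
     "keyCredentials": [], "passwordCredentials": []},
]


def audit_service_principals(sps, now=AS_OF, lookback=timedelta(days=90)) -> list:
    """Return findings sorted HIGH first: first-party credentials, lookalikes, recent credentials."""
    cutoff = now - lookback
    findings = []
    for sp in sps:
        owner = sp.get("appOwnerOrganizationId")
        is_first_party = owner in MICROSOFT_OWNER_TENANTS
        base = {"appId": sp["appId"], "displayName": sp["displayName"]}
        if sp["displayName"] in FIRST_PARTY_NAMES and not is_first_party:
            findings.append({**base, "severity": "HIGH",
                             "reason": f"lookalike of a first-party service, owned by tenant {owner}"})
        creds = [("key", c) for c in sp.get("keyCredentials", [])] + \
                [("password", c) for c in sp.get("passwordCredentials", [])]
        for kind, cred in creds:
            start = datetime.fromisoformat(cred["startDateTime"])
            label = f"{kind} credential '{cred.get('displayName')}'"
            if is_first_party:
                # Customers do not add credentials to Microsoft-owned service principals.
                findings.append({**base, "severity": "HIGH",
                                 "reason": f"{label} present on a first-party service principal"})
            elif start >= cutoff:
                findings.append({**base, "severity": "MEDIUM",
                                 "reason": f"{label} added {start.date()} - within lookback window, verify it"})
    findings.sort(key=lambda f: f["severity"] != "HIGH")  # stable: keeps discovery order within a level
    return findings


if __name__ == "__main__":
    for f in audit_service_principals(SAMPLE_SERVICE_PRINCIPALS):
        print(f"[{f['severity']}] {f['displayName']} ({f['appId']}): {f['reason']}")
```

To run it on a real tenant, feed it the output of `GET /v1.0/servicePrincipals?$select=displayName,appId,appOwnerOrganizationId,keyCredentials,passwordCredentials` obtained with the access token from the Quick Start section.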

## 📊 Sample Output

### External Assessment Results
```
Azure Tenant External Security Assessment Tool
==================================================
Target Domain: contoso.com
Assessment Time: 2025-09-19 14:30:25

ASSESSMENT SUMMARY
------------------
Domain: contoso.com
Tenant ID: 12345678-1234-1234-1234-123456789abc
Risk Level: MEDIUM
Total Findings: 3

SECURITY FINDINGS:
  1. User enumeration possible - 2 users found
  2. DMARC policy set to 'none' - not enforcing
  3. Autodiscover configuration exposed

Assessment completed.
```

### Internal Audit Results
```
Azure Tenant Actor Token Vulnerability Audit
=============================================
Tenant ID: 12345678-1234-1234-1234-123456789abc
Vulnerability: CVE-2025-55241
Audit Time: 2025-09-19 14:35:10

AUDIT SUMMARY
-------------
Vulnerability Status: Patched by Microsoft (July 17, 2025)
Overall Risk: LOW
Risk Indicators: 0

KQL DETECTION QUERY:
[Detection query displayed]

RECOMMENDATIONS:
  1. Run the provided KQL query in Azure Sentinel/Log Analytics
  2. Review and rotate credentials on Exchange Online service principals
  3. Audit guest user permissions and consider restricting enumeration rights
  4. Enable enhanced audit logging for Azure AD Graph API (if available)
  5. Implement continuous monitoring for suspicious admin activities

Audit completed.
```

## 🔬 Technical Background

### The Actor Token Vulnerability Explained

CVE-2025-55241 stemmed from a flaw in Azure AD's legacy "Actor token" mechanism:

1. **Actor Tokens**: Undocumented impersonation tokens that Microsoft services use for service-to-service communication; they are not subject to Conditional Access
2. **Cross-Tenant Validation Failure**: The legacy Azure AD Graph API did not check that the impersonated user belonged to the tenant the Actor token was issued for
3. **Privilege Escalation**: An attacker could therefore impersonate any user, including Global Admins, in any tenant
4. **Minimal Logging**: Actor token issuance is not logged, and Azure AD Graph API reads leave no audit trail, so only modifications surface in the logs

### Attack Flow (Historical Reference)

```mermaid
graph TD
    A[Attacker Controlled Tenant] --> B[Generate Actor Token]
    B --> C[Discover Target Tenant ID]
    C --> D[Find Valid User NetID]
    D --> E[Craft Cross-Tenant Token]
    E --> F[Access Azure AD Graph API]
    F --> G[Escalate to Global Admin]
    G --> H[Full Tenant Compromise]
```

### Why This Was So Critical

- **Universal Impact**: Affected every Azure/Entra ID tenant globally
- **No Prerequisites**: No existing access to target tenant required
- **Bypass All Controls**: Conditional Access, MFA, and other security measures ineffective
- **Minimal Detection**: Very limited audit trails and logging
- **Exponential Spread**: Guest user relationships enabled rapid cross-tenant propagation

## 🛡️ Security Recommendations

### Immediate Actions (If You Suspect Past Compromise)

1. **🔍 Run Detection Queries**: Execute the provided KQL queries in Azure Sentinel
2. **📋 Audit Service Principals**: Review all service principals with credentials
3. **👥 Review Guest Users**: Audit guest user permissions and enumeration rights
4. **🔄 Rotate Credentials**: Rotate high-privilege service principal credentials
5. **📊 Enable Enhanced Logging**: Activate all available Azure AD audit logging

### Long-term Security Improvements

1. **🚀 Zero Trust Architecture**: Implement comprehensive Conditional Access policies
2. **🔐 Privileged Identity Management**: Enable PIM for all administrative roles
3. **🤖 Identity Protection**: Deploy Azure AD Identity Protection with risk-based policies
4. **📈 Continuous Monitoring**: Establish ongoing security monitoring and alerting
5. **🔍 Regular Assessments**: Conduct periodic security assessments using these tools

## 📚 Research References

- [**Original Research**](https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/) by Dirk-jan Mollema
- [**CVE-2025-55241**](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55241) - Official Microsoft Advisory
- [**Microsoft Security Blog**](https://www.microsoft.com/en-us/security/blog/2025/07/08/enhancing-microsoft-365-security-by-eliminating-high-privilege-access/) - Response and Mitigations
- [**ROADtools**](https://github.com/dirkjanm/ROADtools) - Azure AD Reconnaissance Framework

## ⚖️ Legal and Ethical Guidelines

### ✅ Authorized Usage
- Your own Azure/Entra ID tenants
- Tenants with explicit written authorization
- Security research with responsible disclosure
- Compliance and security auditing
- Educational and training purposes

### ❌ Prohibited Usage
- Unauthorized testing of third-party tenants
- Attempting to exploit patched vulnerabilities
- Using tools for malicious purposes
- Violating computer fraud and abuse laws
- Any illegal or unethical activities

### 📋 Disclaimer
These tools are provided for legitimate security testing and research purposes only. Users are solely responsible for ensuring they have proper authorization before testing any systems. The authors disclaim all responsibility for any misuse of these tools.

## 🤝 Contributing

We welcome contributions to improve these security assessment tools:

1. **🐛 Bug Reports**: Open issues for any bugs or problems
2. **✨ Feature Requests**: Suggest new capabilities or improvements
3. **🔧 Pull Requests**: Submit code improvements following security best practices
4. **📖 Documentation**: Help improve documentation and usage examples

### Development Guidelines
- Follow responsible disclosure practices
- Ensure all contributions maintain ethical usage standards
- Include appropriate security warnings and disclaimers
- Test thoroughly before submitting pull requests

## 📄 License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

## 🔒 Security Contact

For security-related issues or questions:
- Open a GitHub issue with the `security` label
- Follow responsible disclosure practices
- Do not publicly disclose security vulnerabilities before coordination

---

**⭐ If this tool helped secure your Azure environment, please consider starring the repository!**

*Built with ❤️ for the cybersecurity community*
File snapshot

```
/data/pocs/b8658271d0cf6e741816d6f9a9edf9ad00e40c32
├── azure_audit_actor_tokens.py      (10K)
├── azure_tenant_security_tester.py  (16K)
├── CONTRIBUTING.md                  (4.2K)
├── demo.sh                          (1.9K)
├── GITHUB_SETUP.md                  (5.1K)
├── LICENSE                          (1.3K)
├── README.md                        (11K)
├── requirements.txt                 (43 bytes)
└── setup.py                         (2.3K)

0 directories, 9 files
```