
Cross-App Scripting vulnerability in the Microsoft Authentication Library for .NET allows malicious apps to open arbitrary websites within consumer apps that use this library

Open Source

NTCF:
NTCF-2024-46474

CVE:
CVE-2024-27086

Product:
Microsoft Authentication Library for .NET

Vendor:
Microsoft

Criticality:
low

Status:
fixed

Discovered:
2024-01-30

Detail:
Public

Vulnerable version:
>=4.48.0, <4.59.1
>=4.60.0, <4.60.3

Fixed version:
4.59.1
4.60.3

Background

The Microsoft Authentication Library (MSAL) for .NET is part of the Microsoft identity platform for developers (formerly named Azure AD) v2.0. It enables developers to acquire security tokens to call protected APIs.
The NTC observed that this library is used by various Swiss developers to handle authentication in Android apps.

Vulnerability

The library had an exported activity called AuthenticationAgentActivity. Below is the code as of af27ecd350002f21d65ebd2494e59e0296dc4be6 (the OnCreate signature, which the excerpt omitted, is restored from the base.OnCreate(bundle) call):

    [Activity(ConfigurationChanges = ConfigChanges.Orientation | ConfigChanges.ScreenSize, Exported=true)]  // exported: any app on the device can start this activity
    internal class AuthenticationAgentActivity : Activity
    {
        protected override void OnCreate(Bundle bundle)
        {
            base.OnCreate(bundle);
            // Create your application here
            WebView webView = new WebView(this);
            var relativeLayout = new RelativeLayout(this);
            webView.LayoutParameters = new RelativeLayout.LayoutParams(RelativeLayout.LayoutParams.MatchParent, RelativeLayout.LayoutParams.MatchParent);
            relativeLayout.AddView(webView);
            SetContentView(relativeLayout);
            string url = Intent.GetStringExtra("Url");  // URL taken straight from the incoming intent
            WebSettings webSettings = webView.Settings;
            string userAgent = webSettings.UserAgentString;
            webSettings.UserAgentString = userAgent + BrokerConstants.ClientTlsNotSupported;
            webSettings.JavaScriptEnabled = true;  // JavaScript enabled in the authentication WebView
            webSettings.LoadWithOverviewMode = true;
            webSettings.DomStorageEnabled = true;
            webSettings.UseWideViewPort = true;
            webSettings.BuiltInZoomControls = true;
            _client = new CoreWebViewClient(Intent.GetStringExtra("Callback"), this);
            webView.SetWebViewClient(_client);
            webView.LoadUrl(url);
        }
        [...]
    }

The Exported=true attribute on the activity shows that it is exported, meaning that it can be invoked by any other application installed on the device, not just by the consumer of the library. The webSettings.JavaScriptEnabled = true line shows that JavaScript is enabled in the WebView used for the authentication, and the URL it loads comes directly from the "Url" extra of the incoming intent.

This means that a malicious application running on a customer's Android device can (1) inject HTML/JavaScript into the embedded WebView exported by affected applications, or (2) cause a local denial of service against applications built with MSAL.NET for authentication on the same device (i.e., prevent the user of the legitimate application from logging in). Both result from the incorrect activity export configuration.

Proof of Concept

A simple way to demonstrate this vulnerability is to use the following Android Debug Bridge (ADB) command. The same behavior can also be achieved by a malicious app.
    adb shell am start -n ch.ntc.exampleapp/crc64ed1888fb4925e3b7.AuthenticationAgentActivity \
        --es Url https://ntc.swiss \
        --es Callback 1

The image below shows that an app using the Microsoft Authentication Library (MSAL) for .NET opened the specified page in its WebView.

[Image: Consumer app vulnerable to Cross-App Scripting due to the vulnerability in MSAL.NET]

Remediation

The vulnerable activity was changed to non-exported in commit 87142a0035e215dc827af7cef5ae7a35964ad86e.

Patches

MSAL.NET version 4.60.3 includes the fix. It is recommended that all users of MSAL.NET that are building public client applications for Android update to the latest version.

Workarounds

It is recommended to update to the latest version of MSAL.NET. If that is not possible, a developer may explicitly mark the MSAL.NET activity as non-exported in the app's AndroidManifest.xml:

    <activity android:name="microsoft.identity.client.AuthenticationAgentActivity"
              android:configChanges="orientation|screenSize"
              android:exported="false">
        <intent-filter>
            <action android:name="android.intent.action.VIEW" />
            <category android:name="android.intent.category.DEFAULT" />
            <category android:name="android.intent.category.BROWSABLE" />
            <data android:scheme="msalYOUR_CLIENT_ID" android:host="auth" />
        </intent-filter>
    </activity>
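A manifest check a developer can run against a built app's AndroidManifest.xml to confirm that no AuthenticationAgentActivity is still reachable from other apps, as an added example that is not part of this advisory or of MSAL.NET; it assumes the manifest is available as text (e.g. extracted from the APK) and embeds a constructed sample manifest with one activity as the vulnerable library exported it and one as the workaround declares it.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MSAL_ACTIVITY = "AuthenticationAgentActivity"

# Constructed sample manifest (not from a real app): the first activity is
# exported as affected MSAL.NET versions declared it, the second follows
# the advisory's workaround, the third is a normal launcher activity.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="ch.ntc.exampleapp">
  <application>
    <activity android:name="crc64ed1888fb4925e3b7.AuthenticationAgentActivity"
              android:exported="true" />
    <activity android:name="microsoft.identity.client.AuthenticationAgentActivity"
              android:exported="false" />
    <activity android:name="ch.ntc.exampleapp.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def is_exported(activity):
    """Apply Android's export rule: an explicit android:exported wins;
    without it, an activity that declares an intent-filter is implicitly
    exported on older target SDKs (Android 12+ rejects that manifest)."""
    explicit = activity.get(f"{{{ANDROID_NS}}}exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return activity.find("intent-filter") is not None


def audit_manifest(manifest_xml):
    """Map every activity's class name to whether other apps can start it."""
    root = ET.fromstring(manifest_xml)
    return {a.get(f"{{{ANDROID_NS}}}name", ""): is_exported(a)
            for a in root.iter("activity")}


def find_exported_msal_activities(manifest_xml):
    """Names of exported activities whose class ends in AuthenticationAgentActivity,
    i.e. the MSAL.NET component that CVE-2024-27086 concerns."""
    return [name for name, exported in audit_manifest(manifest_xml).items()
            if exported and name.endswith(MSAL_ACTIVITY)]


if __name__ == "__main__":
    for name in find_exported_msal_activities(SAMPLE_MANIFEST):
        print(f"exported MSAL activity still present: {name}")
```

An empty result from find_exported_msal_activities means the workaround (or the fixed library version) has taken effect in the built manifest.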

Timeline

2024-01-30: initial discovery

2024-01-31: first contact to vendor

2024-02-01: private disclosure to vendor

2024-04-15: fix by vendor

2024-04-16: CVE & advisory published by vendor

2024-06-25: public disclosure