
Sierra-LDX Silent Authenticated 0-click ATO

Overview

During the first week of the new academic year in September 2024, I became aware of an e-learning application used by the campus I was on at the time.

I'll show you how, out of curiosity and much to my surprise, I was able to discover a remote account takeover without any user interaction, which led to a privilege escalation and exfiltration of the Azure user database.


Discovery

Simply by looking at the requests exchanged between me and the server in Burp Suite, I discovered that I was receiving the ConnectedUserIds in the WebSocket history.

[Screenshot: WebSocket]

With this discovery I went looking for other endpoints that could potentially expose the UserId.

I already knew that the SSO LDAP authentication request sent when the web page was refreshed exposed my UserId. So all I had to do was take one of the ConnectedUserIds exposed in the WebSocket history and substitute it for my own in the SSO LDAP authentication request.

[Screenshot: SSO LDAP]

Exploitation

So I went looking for an Administrator UserId, and it was when I opened one of the two learning modules available to me that I noticed my coach's UserId displayed in clear text in the server response (along with the UserIds of my classmates in the same group).

[Screenshot: Module Group]

Why not test with my coach's UserId, assuming he had more privileges than a standard user? And bingooo!!! He had Administrator rights.

[Screenshot: 0-click ATO]

Privilege Escalation

After escalating to an Administrator account, the first thing I observed was that logging in to the account was instantaneous and completely transparent.

[Screenshot: No Logs]

I then looked into how to obtain the full list of UserIds and ended up with full access to the Azure user database.

[Screenshot: LDAP All]

Database Exfiltration

Using the /server/api/users/ldap/all endpoint with a display limit of 10000, I was able to extract the entire user database.

[Screenshot: Total Users]

Finally, I could log in to any Administrator account, filtering by privilege, last name or first name, and pivot between accounts without ever appearing in the connection logs and without any interaction from the user.

[Screenshot: Keys]
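The two server-side defects described above (trusting a client-supplied UserId in the SSO LDAP authentication request, and an unbounded, unaudited /server/api/users/ldap/all export) next to a hardened form, as an added example that is not the application's code. The session store, user directory, role names and the page-size cap are all assumptions made up for the demonstration.

```python
# Added illustration, not the e-learning application's code. SESSIONS, USERS,
# MAX_PAGE_SIZE and the role names are assumptions; the data is constructed.
MAX_PAGE_SIZE = 100  # assumption: server-side cap instead of trusting a client "limit"

USERS = {  # constructed sample directory, not real data
    "u-1001": {"name": "student", "roles": ["student"]},
    "u-2001": {"name": "coach", "roles": ["admin"]},
}
# Identity established by the SSO login itself, keyed by session cookie.
SESSIONS = {"cookie-A": "u-1001"}
AUDIT_LOG = []


def vulnerable_sso_identity(session_cookie, body):
    """Before: the identity is whatever UserId the request body carries, so any
    UserId the client has seen (WebSocket history, group listing) becomes that user."""
    return body.get("UserId")


def hardened_sso_identity(session_cookie, body):
    """After: the identity comes only from the server-side session created at SSO
    login; a body UserId that disagrees with it is logged and the request refused."""
    uid = SESSIONS.get(session_cookie)
    if uid is None:
        return None
    claimed = body.get("UserId")
    if claimed is not None and claimed != uid:
        AUDIT_LOG.append(f"sso id-mismatch session={uid} claimed={claimed}")
        return None
    return uid


def ldap_all(session_cookie, limit):
    """Directory export: admin-only, page size capped, every call (and every
    refusal) written to the audit log so a 10000-row pull is visible."""
    uid = SESSIONS.get(session_cookie)
    if uid is None or "admin" not in USERS.get(uid, {}).get("roles", []):
        AUDIT_LOG.append(f"ldap_all denied session_user={uid}")
        raise PermissionError("admin role required")
    size = min(int(limit), MAX_PAGE_SIZE)
    AUDIT_LOG.append(f"ldap_all user={uid} requested={limit} served={size}")
    return list(USERS)[:size]
```

The audit entries are what a detection rule would key on: an id-mismatch event, or an export request whose limit far exceeds the cap.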

Conclusion

That was a quick debrief of my first 0-click ATO in the wild. The flaw has since been fixed and all traffic is now encrypted. :)

Copyright (c) 2025, SHA2770