How to be successful in the Azure bug bounty and The Microsoft Bounty Program overview
Michael Hendrickx, Akila Srinivasan
2/16/2018 7:49 PM
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Agenda
- Azure Attack Surface
- Azure Bug Bounty background
- Past bounty payouts
- Overall and Azure Bug Bounty scope
- Get cracking: Azure offers / How to get started
Azure Attack Surface
Data center, VMs, storage (queue, table, blobs, ...), multiple tenants, app deploy, VM scale sets, batch apps, user management, WebApps, user self-services, SQL, Mobile Apps, VM Marketplace, NoSQL, workers, cache, virtual networks, backup, 2FA, CDN, load balancing, gateways, Media Services, network security groups, on-prem apps, federated identity.
Azure Bug Bounty Background
- In April 2015 we started this bounty program to give researchers and customers an easy way to pentest their Azure subscriptions.
- We have since expanded the bounty to include over 50 domains and endpoints.
Microsoft Bounty Programs Old and New
Program, maximum bounty, duration and status (sorted by date of program launch):
- Office Insider Bounty Program: $15,000; ends June 15, 2017 (Active)
- .NET Core and ASP.NET Core: sustained (Active)
- Edge Web Platform on WIP slow: ends May 15, 2017 (Active)
- Online Services (O365 and Azure): sustained (Active)
- Mitigation Bypass / Bounty for Defense: $100,000 (Active)
- .NET Core and ASP.NET Core RC2: ended Sept 7, 2016 (Closed)
- Nano Server TP5: ended 29 July (Closed)
- ASP.NET and CoreCLR (part 1): 2015 (Closed)
- Microsoft Edge Beta Bounty Program (part 1) (Closed)

This is a brief overview of the Microsoft bounty programs; as we progress, we will go a little more in depth. The table is sorted by date of program launch. We launched the Office Insider bounty program at CanSecWest (CSW) for 3 months. This does not include the IE 11 bounty program.
Launch of double bounties in Exchange Online and Office 365 portal
The domains that will be receiving double rewards are:
- portal.office.com
- outlook.office365.com
- outlook.office.com
- outlook.live.com
- *.outlook.com
Payout range: $1,000 to $30,000 USD
Duration: March 1 to May 1, 2017
For additional information about this program:
Microsoft Services Bounty Programs Old and New
Program, maximum bounty, duration and status (sorted by date of program launch for the relevant bounties):
- Double rewards in ExO and Office 365 Portal: $30,000; ends May 1, 2017 (Active, new)
- Online Services - Azure: $15,000; sustained (Active)
- Online Services - O365: sustained (Active)
- Mitigation Bypass Bounty (Active)
Launch timeline: Mitigation Bypass Bounty, June 2013; Microsoft O365, Sept 2014; Azure, Apr 2015.

This is a brief overview of the Microsoft services bounty programs; as we progress, we will go a little more in depth.
Impact and Payouts (Office Insider Bounty)
Vulnerability impact, proof of concept, report quality and potential payout range (USD)*:
- Elevation of privilege via Office Protected View sandbox escape: proof of concept required; high-quality report up to $15,000, low-quality report up to $9,000
- Office VBA macro execution in Word, Excel, or PowerPoint without enabling macros or disabling security mitigations: proof of concept required; up to $6,000
- Code execution by bypassing Outlook's automatic attachment block policies: proof of concept required; up to $6,000

PV (Protected View) is the Office sandbox; see the CanSecWest 2010 presentation. VBA allows code execution by design: once running, there are no mitigations. We are not looking for bypasses but for escapes. Outlook attachments... ILOVEYOU. Logic flaws are interesting in these areas; these are areas that will likely need deeper human thought versus running automation (fuzzers). For additional information about this program:
Microsoft Edge Beta Web Platform Bounty (Part 2)
Submit:
- Remote Code Execution (RCE) vulnerabilities in Microsoft Edge
- Bugs that lead to violations of W3C standards that compromise the privacy and integrity of important user data
The bugs must reproduce on the most recent Windows Insider Preview (WIP) slow build or the Creators Update. This continues our effort to find bugs in earlier stages of development.
Program runs Aug 4, 2016 to May 15, 2017.
RCE = $15,000; UXSS / Referer spoofing / compromise of privacy or integrity of user data = $6,000.

I like to call it part 2 of the Edge beta bounty series, as the first one was in 2015. Please submit RCE and W3C-standards bugs. We want you to use our latest bits and partner with us to help us understand the issue better. Additional money will be awarded to those who submit bugs on WIP slow; all bugs must reproduce on the Windows Insider Preview slow branch. A lot of you have had questions in the past on why we focus primarily on beta: one of the reasons is that we want to find these bugs in our latest and greatest software at earlier development stages. It ensures the end user receives the most secure software possible (it has been through internal and crowdsourced pen testing). For additional information about this program:
.NET Core and ASP.NET Core Bug Bounty
- Vulnerabilities in the latest available .NET builds
- Program began September 1, 2016 (continuous)
- All bugs have to reproduce in the latest beta or release candidates to qualify
- Pays up to $15,000 USD
Vulnerability type and payout range (USD):
- Remote Code Execution: $1,500 to $15,000
- Security Design Flaw: $1,500 to $10,000
- Elevation of Privilege: $5,000 to $10,000
- Remote DoS: $2,500 to $5,000
- Tampering / Spoofing: $500 to $5,000
- Information Leaks: $750 to $2,500
- Template CSRF or XSS: $500 to $2,000

.NET Core and ASP.NET Core are the cross-platform, open source implementations of .NET and ASP.NET. For additional information about this program:
Online Services Bug Bounty Program: O365 + Azure
Earn a bounty on submitted vulnerabilities for participating Online Services provided by Microsoft (O365 and Azure properties).
Vulnerability type examples:
- XSS
- CSRF
- Unauthorized cross-tenant data tampering or access (for multi-tenant services)
- Insecure direct object references
- Injection vulnerabilities
- Authentication vulnerabilities
- Server-side code execution
- Privilege escalation
- Significant security misconfiguration (when not caused by the user)
Payout range: $500 to $15,000 USD. Double bounty on Exchange Online and the O365 portal for the next 2 months. Follow the MSRC blogs to get information on new bounties.

Moving on to the largest bounty scope: our online services bounty programs. This includes Azure and Office 365 properties. A snippet of the domains: O365 sites = yammer.com, sway.com, sharepointonline.com, exchangeonline.com; authentication = Hotmail, Outlook and AAD = login.live.com, login.microsoftonline.com; Azure = approx. 35 eligible Azure endpoints including our storage services (and note the Azure credits awarded alongside the bounty). We plan to add more in the near future. Please look at the Microsoft bug bounty site to get a detailed overview of the domains. For additional information about this program:
Hyper-V
Hyper-V escapes that will receive a bounty:
- Guest-to-Host
- Guest-to-Guest
- Guest-to-Host DoS (non-distributed, from a single guest)
Total payout range: up to $100,000 USD.

Hyper-V is a security boundary that we protect quite dearly, and we will pay the highest amount for Hyper-V escapes (guest -> host, guest -> guest). Additional information can be found on the Mitigation Bypass terms page online. A lot of folks weren't aware that we pay a bounty for Hyper-V, since it is listed under the Mitigation Bypass bounty. For additional information about this program:
Mitigation Bypass and Bounty for Defense
A security mitigation improves the security of our products. Submit a novel mitigation bypass against our latest Windows platform, and/or a defense idea that would block an exploitation technique that currently bypasses the latest platform mitigations:
- Stack corruption (/GS, SEHOP, and SafeSEH)
- Heap corruption (metadata integrity checks)
- Code execution (DEP, CFG, ACG and ASLR)
Total payout range: up to $200,000 (Mitigation Bypass + Bounty for Defense).

A security mitigation tries to improve the security of our products. The Mitigation Bypass bounty falls squarely within our goal to make it harder to exploit our products by eliminating classes of bugs. Hence, if you find a way to break our defenses, we want to know, and we are paying top dollar for it. We urge you to submit. Mitigation bypasses include stack and heap corruption and code execution:
- Stack: overrun of a buffer beyond the amount of stack space that was allocated; mitigations include the buffer security check (/GS)
- Heap: mistakes that make it possible to write beyond the bounds of a heap buffer
- DEP: you can only run code from executable memory
- ASLR: it's hard to find where things are in memory; fundamentally about randomness
- CFG: you can only indirectly call valid functions
- ACG, child process policies and other mitigations in the latest Creators Update (released on April 11, 2017)
For additional information about this program:
Past payouts
Highest payout bugs to date:
MSRC case | Amount | Vulnerability type | Security impact
31042 | $24,000.00 | OAuth2 authentication bypass | Auth token theft
34219 | $13,350.00 | Azure virtual network gateway auth bypass | Unauthorized access
32235 | $13,000.00 | Federated identity impersonation via SAML IdP | Elevation of privileges
32377 | | Double Unicode decoding in URL redirection | 
31586 | $12,000.00 | XSS in OAuth2 authorization | 
32583 | | Embedded password in Azure Stack VHD | Information disclosure
32635 | $10,000.00 | Open redirection bypass (%80 char) | Spoofing
VNet Point-to-Site Auth Bypass
MSRC : Azure VNet Gateway auth bypass
- Azure VNet (Virtual Network) is your cloud-based, logical network: your IP ranges, DNS servers, ...
- On-prem connectivity uses the VNet Gateway over Secure Socket Tunneling Protocol (SSTP): TLS traffic is tunnelled over 443/tcp, and control packets inside the HTTPS session set up the SSTP state.
- A specially crafted sequence of SSTP EAP-TLS messages during connection setup gave access to the virtual network, with no credentials needed.
- $13k+ bug bounty paid
Token leaking
MSRC 32377 : Token theft in redirect URL
- URL decoding converts %XX to the corresponding character. Decoding the redirect URL a second time turns an encoded "@" into a real one, so account.windowsazure.com is seen as the username to log in to the domain that follows it.
- Evildomain.net will get the token, not account.windowsazure.com.
- $13k bug bounty paid
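Added example, not code from the talk and not Microsoft's code: a minimal model of the double-decoding bug above. The validation logic (a string-prefix check followed by two percent-decodes) is a hypothetical reconstruction; the host names account.windowsazure.com and evildomain.net come from the slide, and the attacker input is constructed here.

```python
"""Double URL-decoding of a redirect parameter hands the token to the wrong host.

Hypothetical model of the bug class (not the actual Azure code): the redirect
target passes a string-prefix check, then gets percent-decoded twice.
"""
from urllib.parse import unquote, urlsplit

TRUSTED_HOST = "account.windowsazure.com"   # the legitimate token recipient


def vulnerable_resolve(return_url: str) -> str:
    """Vulnerable pattern: check the raw string, then decode it twice.

    The prefix check sees 'https://account.windowsazure.com...' and passes.
    Decoding twice turns %2540 -> %40 -> '@', so a browser parses the trusted
    name as URL userinfo and the real host becomes whatever follows the '@'.
    """
    if not return_url.startswith("https://" + TRUSTED_HOST):
        raise ValueError("untrusted redirect target")
    return unquote(unquote(return_url))


def hardened_resolve(return_url: str) -> str:
    """Hardened pattern: decode exactly once, parse, compare the parsed host.

    Rejects a parsed scheme/host outside the allow-list and any userinfo
    ('user@host') at all, so an encoded '@' can never change the host later.
    """
    decoded = unquote(return_url)
    parts = urlsplit(decoded)
    if parts.scheme != "https" or parts.hostname != TRUSTED_HOST:
        raise ValueError("untrusted redirect target")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed in redirect target")
    return decoded


def token_recipient(url: str) -> str:
    """The host a browser would actually send the token to."""
    return urlsplit(url).hostname or ""


def accepts(resolver, return_url: str) -> bool:
    """True if the given resolver lets the URL through."""
    try:
        resolver(return_url)
        return True
    except ValueError:
        return False


# Constructed attacker input: '@' double-encoded as %2540 ('%' -> %25, '@' -> %40).
ATTACK_URL = "https://account.windowsazure.com%2540evildomain.net/callback"
LEGIT_URL = "https://account.windowsazure.com/callback"

if __name__ == "__main__":
    print("vulnerable code delivers the token to:",
          token_recipient(vulnerable_resolve(ATTACK_URL)))      # evildomain.net
    print("hardened code accepts attack URL:", accepts(hardened_resolve, ATTACK_URL))
    print("hardened code accepts legit URL:", accepts(hardened_resolve, LEGIT_URL))
```

The check that matters is comparing the parsed hostname after a single decode; a prefix match on the raw string is exactly what a doubly encoded "@" defeats.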
OAuth Authorization XSS
MSRC : XSS on the OAuth authorization page
- The application name (for example "MyApp") was not properly filtered for JavaScript.
- The injected script could initiate DOM actions, such as clicking the "Yes" (authorize) button on the consent page.
[Slide mock-up: OAuth Provider consent dialog, "Welcome Michael! Login with ... Authorize MyApp to access: account, ..." with Yes / No buttons]
- $12k bug bounty paid
Blind Stored XSS
MSRC 33555 : datamarket.azure.com XSS vulnerability
- The injected field was used by backend engineers; the "pingback" went to a custom Burp Suite Collaborator domain.
- Payload as submitted (URL-encoded):
javascript%3a%2f*<%2fscript><svg%2fonload%3d'%2b%2f"%2f%2b%2fonmouseover%3d1%2f%2b%2f[*%2f[]%2f%2b((new(Image)).src%3d([]%2b%2f\%2fue73s5anaf53xull8bw0\.burpcollaborator.net%2f).replace(%2f\\%2fg%2c[]))%2f%2f'>
- Payload decoded:
<svg/onmouseover=1/+/[*/[]/+((new(Image)).src=([]+/\/ue73s5anaf53xull8bw0\.burpcollaborator.net/).replace(/\\/g,[]))//'>
- The callback URL is built without quotes: coercing the regex literal to a string and stripping its backslashes yields the scheme-relative URL //ue73s5anaf53xull8bw0.burpcollaborator.net/, which the Image load then requests.
- $2k bug bounty paid
Insecure links
MSRC 33238 : HTTP links on account.microsoft.com
- On secure HTTPS pages, some hyperlinks had a hardcoded "http://" scheme rather than "https://" or a scheme-relative "//".
- A man in the middle could redirect the traffic flow once the browser follows the plaintext link.
- $500 bug bounty paid
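Added example, not from the talk: a small check for the link class above. It parses a page and flags any href/src/action that resolves to an absolute http:// URL while the page itself is served over HTTPS; scheme-relative and path-relative links inherit the page's https scheme and are left alone. The HTML and page URL are constructed samples, not account.microsoft.com content.

```python
"""Flag hard-coded http:// links on an HTTPS page (downgrade targets for a MITM)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LinkCollector(HTMLParser):
    """Collects the URL-bearing attribute of the tags we care about."""

    ATTRS = {
        "a": "href", "link": "href", "form": "action",
        "script": "src", "img": "src", "iframe": "src",
    }

    def __init__(self):
        super().__init__()
        self.links = []            # list of (tag, raw attribute value)

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.links.append((tag, value))


def insecure_links(page_url: str, html: str) -> list:
    """Return (tag, raw_href, resolved_url) for every link that resolves to http://.

    Only an absolute 'http://' target is a finding: '//host/path' and relative
    paths resolve against the https page URL and keep its scheme.
    """
    if urlsplit(page_url).scheme != "https":
        raise ValueError("scan an https:// page; plaintext pages downgrade everything")
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for tag, raw in parser.links:
        resolved = urljoin(page_url, raw)
        if urlsplit(resolved).scheme == "http":
            findings.append((tag, raw, resolved))
    return findings


# Constructed sample page: two hard-coded http:// references, four safe ones.
SAMPLE_PAGE_URL = "https://account.example.com/profile"
SAMPLE_HTML = """
<a href="http://account.example.com/help">Help</a>
<a href="https://account.example.com/billing">Billing</a>
<link rel="stylesheet" href="//cdn.example.com/style.css">
<a href="/settings">Settings</a>
<script src="http://static.example.com/app.js"></script>
<form action="https://account.example.com/update"></form>
"""

if __name__ == "__main__":
    for tag, raw, resolved in insecure_links(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"<{tag}> {raw!r} -> {resolved}")
```

Run it against saved HTML of each authenticated page; a script src over http:// is the worse finding of the two, since a MITM can then execute code in the HTTPS origin rather than just redirect a click.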
Online Services Bug Bounty Program
Security vulnerability types:
- XSS
- CSRF
- Authentication vulnerabilities
- Privilege escalation
- Injection vulnerabilities
- Insecure direct object reference
- Unauthorized cross-tenant access or tampering
- Server-side code execution
- Significant security misconfiguration
The highest bounties can be earned on:
- Authentication vulnerabilities (OAuth, SAML 2.0 related bugs)
- Privilege escalations
- XSS and CSRF (on high-traffic, high-impact sites)

This slide gives an overview of the payouts on our services bugs. Focusing on the bugs marked in orange (the three categories listed last) leads to the highest payouts; with the double bounties, generally $30K. We award bounties based on where the bug falls on the CVSS scale. To find the highest-paid bugs, we looked at all O365 and Azure bugs paid since 2014: authentication-type bugs reap the highest rewards. For additional information about this program:
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
In-Scope Domains
- *.onedrive.live.com
- *.onedrive.com
- login.windows.net
- login.microsoftonline.com
- login.live.com
- portal.azure.com
- manage.windowsazure.com
- account.windowsazure.com
- blog.azure.com
- portal.office.com
- outlook.office365.com
- outlook.office.com
- *.outlook.com
- *.sharepoint.com (excluding user-generated content)
- *.lync.com
- *.officeapps.live.com
- *.sway.com
- *.storage.live.com
- *.skyapi.live.net
- *.apis.live.net
- *.settings.live.net
- *.policies.live.net
- api.yammer.com
- management.azure.com
- management.core.windows.net
- graph.windows.net
- *.passwordreset.microsoftonline.com
- account.activedirectory.windowsazure.com
- syncfabric.windowsazure.com
- provisioningapi.microsoftonline.com
- enterpriseregistration.windows.net
- adminwebservice.microsoftonline.com
- credential.activedirectory.windowsazure.com
- reportingservice.activedirectory.windowsazure.com
- *.remoteapp.windowsazure.com
In-Scope Domains (continued)
All of the following exclude user-generated content:
- <Tenant>.scm.azurewebsites.net
- <Tenant>.ftp.azurewebsites.net
- <Tenant>.batch.core.windows.net
- <Tenant>.batchapps.core.windows.net
- <Tenant>.trafficmanager.net
- <Tenant>.media.windows.net
- <Tenant>.azure-mobile.net
- <Tenant>.task.core.windows.net
- <Tenant>.watask.core.windows.net
- <Tenant>.workflow.windows.net
- <Tenant>.biztalk.windows.net
- <Tenant>.servicebus.windows.net
- <Tenant>.vault.azure.net
- <Tenant>.blob.core.windows.net
- <Tenant>.table.core.windows.net
- <Tenant>.queue.core.windows.net
- <Tenant>.files.core.windows.net
List available on :
Bug Bounty Out-Of-Scope
- Out of scope domains*
- User generated content
- Testing outside of your own tenant
- Any kind of Denial of Service testing
- High volume scanning
- Moving beyond "proof of concept"
- Abusing gathered credentials
- Phishing / social engineering attacks
Rewarding scheme
- The CVSS 3 score (inclusive of the "environmental" score) is used to calculate the bounty: a score of 1 pays $500, a score of 10 pays $15,000, and scores 2 through 9 pay between those two amounts.
- Impacted targets: does the bug affect users in the same tenant or across tenants? All users?
- Bounty: cash payout + MSDN credits + Azure credits
Horizontal Abuse vs Vertical Abuse
- Horizontal abuse: accessing others' resources at the same privilege level (User A reaching User B's data, or one tenant admin reaching another tenant's resources).
- Vertical abuse: privilege escalation or authentication bypass, moving up the ladder.
Privilege levels, highest to lowest: Fabric Admin > Tenant Admin > App Admin > Users (A, B, C, ...) > Anonymous users. Each tenant has its own tenant admin, app admins and users under the single fabric admin.
Get cracking (no pun intended)
Azure offers:
- Visual Studio / MSDN subscription: $150 Azure credits per month
- Free for one month ($200 credit): 14 VMs, 40 SQL DBs, 8 TB of storage, ... Redis caches, machine learning, Azure Active Directory
- Keep going for free: AAD, machine learning, log analytics, virtual network, web/mobile apps, ...
So, how do we spin up Azure for testing?
Your card won't be charged; in fact, you need to manually enable charging after the free trial.
The "old" portal, https://manage.windowsazure.com, is also covered by the bug bounty.
Adding users to your tenant.
Adding enterprise applications to your tenant can be done using different channels.
Bounties Paid To Date
- Mitigation Bypass, Bounty for Defense and BlueHat Prize: > $600,000 USD
- Online Services Bug Bounty: > $400,000 USD
- Software Bounties: > $200,000 USD
We have paid over a million dollars in bounties to date.
Finder Appreciation and Retention (FAR)
Unique opportunities:
- BlueHat invitations and speaking opportunities
- Private Microsoft party invites at various conferences
- Bountycraft invitations
- Get hired by Microsoft
Rewards:
- Bounties are offered across a number of Microsoft products
- At conferences we award top finders with MSDN licenses, customized Surface Pro laptops, Surface Books and other hardware; this will continue to grow
Credit:
- Credit to finders in the form of CVE number attribution, and a formal thanks in the KB articles; this will continue

Moving on to the next part of the presentation, which focuses on what you get when you report bugs to MSRC. CVEs, bulletin acknowledgements and bounties are the more obvious ones in this list. In August 2016, during Black Hat, we launched the new conference speaker acknowledgement page. We also offer free software and hardware to researchers who regularly partner with us: if you are a prolific researcher who has contributed to the security of our customers, then you will be awarded MSDN at Microsoft's discretion. Can you put a price on a sentiment? Not really. We sincerely value your partnership and go above and beyond to create custom swag for you; we reserve Surfaces for the elite researchers and laser-etch them with the bounty logo and your handle. And the best bit: unique opportunities to directly work with us to make our products secure. For more information:
Making It To The MSRC Top 100 List
- MSRC has thousands of finders across time. Most have reported one bug, and many times that one bug was a duplicate; a few more have reported 2-3 bugs across time.
- Our top 100 finders report regularly: they are responsible for most of our critical vulnerabilities, discover 2+ novel security bugs per year, and still get regular duplicate reports (internally or externally known).
- The top 10 have reported LOTS of bugs and spend most of their time looking for them: many work for partner companies, others are full-time bug hunters (penetration testers, professional bug bounty hunters).
The severity, quality and quantity of the bugs you send determine your rank in the MSRC Top 100.
Now we're running, what are the rules of the game?
CVD : Coordinated Vulnerability Disclosure
- Keep customers secure by maintaining the confidentiality of the vulnerability report to MSRC.
- You can submit exploits to us up to 90 days after sending us the vulnerability and still claim the full reward.
- If you wish to discuss the vulnerability publicly or blog about it, please wait until it has been fixed and patches have been released to customers; preferably 30 days after it has been patched, which gives customers enough time to take the patch.
- Never publish any exploit code (please).
- We are happy to provide technical review of any talks, white papers or blogs you are publishing.
Take Action
- Visit for a current list of active bounties.
- Identify the bounty you want to go after and start hacking away at it.
- Report your findings to: describe the bug and how you exploit it, and provide a Proof of Concept (PoC). For complicated (software) bugs, provide a white paper or detailed write-up.
- If it's a high-quality report, you get a larger bounty; if it has greater impact to Microsoft, you get a larger bounty.
- Give us your name and a good way to reach you.
- Encrypt with our public key (if it's a PoC or working exploit).
- For eligible bounty cases, GET PAID!
Recap
- What are the Microsoft bounty programs?
- High-payout bounties
- List of targets
- How to sign up?
- Where to file bugs?
- How to become an MSRC top finder?
- What are the rewards Microsoft offers?
- CVD