Researchers have disclosed two flaws in Microsoft’s Azure web hosting application service, App Services, which if exploited could enable an attacker to take over administrative servers.
Azure App Services is an HTTP-based service for hosting web applications, and is available in both Microsoft Azure Cloud and on-premise installations. Researchers found two vulnerabilities in the cloud service that specifically affect Linux servers.
“The two vulnerabilities we found allow us to combine them and enable any attacker with the ability to forge post requests (SSRF) or [remote] code execution on an Azure App Service to take over the Azure App Service administration server,” said Paul Litvak, researcher with Intezer, in a Thursday post.
Both flaws were discovered three months ago and reported to Microsoft. Microsoft has since issued a fix. The vulnerabilities do not have CVE assignments.
The first flaw stems from an open-source project called KuduLite within Azure App Services. This Linux project manages the administration page that’s used to register admins into the App Service Plan (to start using App Services a user must first create an App Service Plan).
After discovering that the KuduLite instance’s SSH service uses hardcoded credentials “root:Docker!” to access the application node, researchers were able to log in as root.
“As a reminder, the developers of the App Service KuduLite made sure admins were only able to log into it as a low privileged user, so we knew this was unintended.”
“The user may also choose to let App Services manage the git server, in which case the server will be managed by KuduLite,” said researchers. “The attacker could then add malicious code to the repository to achieve persistence and spread to other instances using the same git server.”
The second flaw exists in the KuduLite API. The issue here stems from the application node being able to send requests to the KuduLite API sans access validation – an error that is especially problematic when considering a web app with an SSRF vulnerability, researchers said.
“An attacker who manages to forge a GET request may access the application node’s file system via the KuduLite VFS API,” said researchers. “This would enable an attacker to easily steal source code and other assets on the application node.”
An attacker who manages to forge a POST request, meanwhile, may achieve remote code execution on the application node via the command API, they said. And, in Windows (where Kudu is used), packets sent from the application node to the manager node are dropped.
These two vulnerabilities can be chained together, since once an attacker achieves code execution with the second vulnerability, they can then exploit the first one. One potential attack vector here is for an attacker to use this flaw to implant a phishing page in what’s supposed to be the SCM web page (as seen in the video below).
Researchers stressed that cloud security is still relatively new, making it essential to research and document new attack surfaces that arise when using these services.
“As a general best practice, runtime cloud security is an important last line of defense and one of the first actions you can to reduce risk, since it can detect malicious code injections and other in-memory threats that take place after a vulnerability has been exploited by an attacker,” they said.
On October 14 at 2 PM ET Get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.