Microsoft Azure Flaws Open Admin Servers to Takeover


Two flaws in Microsoft’s cloud-based Azure App Services could have allowed server-side request forgery (SSRF) and remote code-execution attacks.

Researchers have disclosed two flaws in Microsoft’s Azure web hosting application service, App Services, which if exploited could enable an attacker to take over administrative servers.

Azure App Services is an HTTP-based service for hosting web applications, available both in the Microsoft Azure cloud and in on-premises installations. The two vulnerabilities the researchers found specifically affect the Linux variant of the service.

“The two vulnerabilities we found allow us to combine them and enable any attacker with the ability to forge post requests (SSRF) or [remote] code execution on an Azure App Service to take over the Azure App Service administration server,” said Paul Litvak, researcher with Intezer, in a Thursday post.


Both flaws were discovered three months ago and reported to Microsoft. Microsoft has since issued a fix. The vulnerabilities do not have CVE assignments.

KuduLite Bugs

The first flaw lies in KuduLite, an open-source project used within Azure App Services on Linux. KuduLite manages the administration page used to register admins into an App Service Plan (to start using App Services, a user must first create an App Service Plan).

After discovering that the KuduLite instance’s SSH service uses the hardcoded credentials “root:Docker!” to reach the application node, the researchers were able to log in with them as root.

“As a reminder, the developers of the App Service KuduLite made sure admins were only able to log into it as a low-privileged user, so we knew this was unintended,” the researchers wrote.
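The root login described above depends on sshd being willing to accept a password for root at all. The following is an added example, not code from Intezer, Microsoft or the KuduLite project, that audits an sshd_config for that combination (PermitRootLogin yes together with PasswordAuthentication yes in the global section). The two config texts are constructed for the example and do not reproduce KuduLite’s real configuration.

```python
"""Added example: flag an sshd_config that lets a (possibly hardcoded) root
password be used over SSH. Not Intezer's or KuduLite's code; configs are
constructed for illustration."""
import re

# Constructed sample of the weak setting: root may log in with a password.
WEAK_SSHD_CONFIG = """\
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication no
"""

# Constructed sample of the corrected setting: keys only, no root password.
HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
"""

# OpenSSH defaults (7.0 and later) applied when a keyword is absent.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes"}


def parse_global(config: str) -> dict:
    """Return keyword -> value for the global section only.

    sshd honours the first occurrence of a keyword, and anything after the
    first Match block is conditional, so the global section is what an
    ordinary root login attempt is evaluated against.
    """
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break                              # conditional section begins
        if key not in seen:                    # first occurrence wins
            seen.add(key)
            settings[key] = value
    return settings


def root_password_login_allowed(config: str) -> bool:
    """True when the global section permits password logins as root.

    Any PermitRootLogin value other than 'yes' (no, prohibit-password,
    without-password, forced-commands-only) blocks password-based root login.
    """
    g = parse_global(config)
    return g["permitrootlogin"] == "yes" and g["passwordauthentication"] == "yes"


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: root password login allowed = {root_password_login_allowed(cfg)}")
```

Run it against `/etc/ssh/sshd_config` inside a container image to catch the setting before deployment; the check is a necessary but not sufficient condition, since a stray root password can still be a problem for local privilege escalation even when sshd refuses it.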

After taking control of the KuduLite instance, the researchers could then gain control over the Software Configuration Management (SCM) web server, which tracks and controls changes to code and documents during the software development life cycle. From there they could intercept a user’s HTTP requests to the SCM web page, add pages of their own, and inject malicious JavaScript into the pages served to the user.

“The user may also choose to let App Services manage the git server, in which case the server will be managed by KuduLite,” the researchers said. “The attacker could then add malicious code to the repository to achieve persistence and spread to other instances using the same git server.”

The second flaw exists in the KuduLite API. Here the application node can send requests to the KuduLite API without any access validation, an error that becomes especially dangerous when the web app running on that node has an SSRF vulnerability, the researchers said.

“An attacker who manages to forge a GET request may access the application node’s file system via the KuduLite VFS API,” the researchers said. “This would enable an attacker to easily steal source code and other assets on the application node.”

An attacker who manages to forge a POST request, meanwhile, may achieve remote code execution on the application node via the command API, they said. The issue is specific to Linux: on Windows App Services, which use Kudu rather than KuduLite, packets sent from the application node to the manager node are dropped.
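The proper fix for the second flaw is on the management side (the KuduLite API must validate who is calling it), but an application can also refuse to make attacker-influenced requests to internal addresses in the first place. The following is an added example, not code from the Intezer write-up or from KuduLite, of an outbound-URL guard for an SSRF-prone fetch: it rejects non-HTTP schemes, URLs with embedded credentials, and any destination that resolves to a loopback, private, link-local (including the cloud metadata address 169.254.169.254) or otherwise non-public address. The resolver is injectable; the DNS table and the host name `kudu.internal` are constructed for the example and the path used in the usage note is a hypothetical stand-in for the VFS API, not a real endpoint taken from the page.

```python
"""Added example: egress guard against SSRF toward internal management APIs.
Not Intezer's or KuduLite's code. FAKE_DNS and 'kudu.internal' are constructed."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed resolver table so the example runs offline. The 'rebind.test'
# entry mimics a DNS answer that mixes a public and a loopback address.
FAKE_DNS = {
    "kudu.internal": ["10.0.0.5"],                    # hypothetical manager host
    "example.com": ["93.184.216.34"],                 # public address
    "rebind.test": ["93.184.216.34", "127.0.0.1"],    # rebinding-style answer
}


def fake_resolve(host: str) -> list:
    """Resolver used by the tests; raises like getaddrinfo on unknown names."""
    if host not in FAKE_DNS:
        raise OSError(f"cannot resolve {host}")
    return FAKE_DNS[host]


def system_resolve(host: str) -> list:
    """Real resolver: all addresses the system returns for the name."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def is_forbidden_address(ip: str) -> bool:
    """Reject anything that is not a public (globally routable) address.

    Covers loopback, RFC 1918 and ULA ranges, link-local (and thus the
    169.254.169.254 metadata service), multicast, reserved and unspecified.
    IPv4-mapped IPv6 literals are unwrapped so ::ffff:127.0.0.1 is caught.
    """
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not addr.is_global


def check_outbound_url(url: str, resolve=system_resolve) -> tuple:
    """Return (allowed, reason) for a URL the application is about to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    try:
        ipaddress.ip_address(host)          # literal address: nothing to resolve
        ips = [host]
    except ValueError:
        try:
            ips = resolve(host)
        except OSError as exc:
            return False, str(exc)
    # Every answer must be public; one internal address is enough to refuse.
    for ip in ips:
        if is_forbidden_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("http://example.com/", "http://kudu.internal/api/vfs/",
              "http://169.254.169.254/metadata", "file:///etc/passwd"):
        print(u, "->", check_outbound_url(u, fake_resolve))
```

Two caveats a practitioner should keep in mind: the resolved address must be pinned when the connection is actually made (resolving once for the check and again for the fetch reopens the DNS-rebinding window the `rebind.test` entry illustrates), and HTTP redirects must be re-checked hop by hop or disabled, since a public host can redirect the client straight back to an internal one.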

The two vulnerabilities chain together: once an attacker achieves code execution on the application node through the second flaw, they can use that foothold to exploit the first and take over the KuduLite instance. One potential attack is to plant a phishing page where the SCM web page is supposed to be (as seen in the video below).

Researchers stressed that cloud security is still relatively new, making it essential to research and document new attack surfaces that arise when using these services.

“As a general best practice, runtime cloud security is an important last line of defense and one of the first actions you can [take] to reduce risk, since it can detect malicious code injections and other in-memory threats that take place after a vulnerability has been exploited by an attacker,” they said.


Discussion

  • aLinuxGuy on

    It’s scary when I hear major corporations selecting Azure over AWS. AWS has been around for years and has proven itself in real production environments. Lazy MS techs are a big reason why big corporations select Azure, in my opinion a disaster waiting to happen. Just look at all the ransomware, there’s a lazy MS tech behind that
  • checkyourfacts on

    First of all, your article headline is super misleading. It’s not an Azure flaw. If your app service is running in http, then that is because YOU configured it as http. So the person who configured the app is the flaw, not Azure.
