Security researchers have discovered two flaws in Microsoft Azure's web hosting service, Azure App Service, that could allow an attacker to take over the administration server. The two Microsoft Azure flaws specifically affected Linux servers.
Both vulnerabilities existed in the popular cloud service Azure App Service, specifically affecting Linux servers, so enterprise organizations using the service were exposed.
Microsoft Azure is an open, flexible cloud platform that enables you to build, deploy and manage apps across a global network of Microsoft-managed datacenters.
Azure App Service is an HTTP-based service for hosting web apps and is available in both the Microsoft Azure cloud and on-premises installations.
"The two vulnerabilities we found allow us to combine them and enable an attacker with the ability to forge POST requests (SSRF) or [remote] code execution on an Azure App Service to take over the Azure App Service administration server," said Paul Litvak.
First Microsoft Azure Flaw
The first vulnerability could allow an attacker with access to the server to take over the App Service’s git repository and implant phishing pages accessible through the Azure Portal.
The first vulnerability was discovered in the Microsoft open-source project KuduLite. KuduLite gives the user diagnostic information about the system, including Docker logs, settings, and other environment information.
While investigating, the researchers found the hardcoded credentials “root:Docker!” for accessing the application node, which allowed them to log in as the root user.
By design, the developers of the App Service KuduLite had made sure admins were only able to log into it as a low-privileged user.
Second Vulnerability (Local File Inclusion and Remote File Inclusion with SSRF)
The second vulnerability resides in the KuduLite API. An attacker who manages to forge a GET request may access the application node’s file system via the KuduLite VFS API.
This would enable an attacker to easily steal source code and other assets on the application node. An attacker who manages to forge a POST request may achieve remote code execution on the application node via the command API.
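Closing off the forged-request precondition described above, as an added example that is not from the researchers or from Microsoft: a Python guard for an application's outbound requests that accepts only allowlisted hosts and refuses any name that resolves to an internal address. The allowlist, the DNS table and the `resolver` parameter are assumptions made so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist of external hosts the app legitimately calls (assumption).
# "rebind.example.com" models an allowlisted name an attacker later points inward.
ALLOWED_HOSTS = {"api.example.com", "rebind.example.com"}

# Constructed DNS table so the example runs offline; a real deployment keeps
# the default socket.getaddrinfo resolver.
CONSTRUCTED_DNS = {
    "api.example.com": "93.184.216.34",  # sample public address
    "rebind.example.com": "10.0.0.5",    # resolves into the private network
}

def constructed_resolver(host, port):
    """getaddrinfo-shaped lookup against the constructed table."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"no record for {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (CONSTRUCTED_DNS[host], port))]

def is_internal(ip):
    """True for any address range that must never be an outbound target."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def check_outbound_url(url, allowed=ALLOWED_HOSTS, resolver=socket.getaddrinfo):
    """Return (ok, reason, ips); ips are handed back so the caller connects to
    exactly the addresses that were checked instead of resolving again."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    host = parsed.hostname
    if not host:
        return False, "missing host", []
    if host not in allowed:  # literal IPs such as 127.0.0.1 are rejected here too
        return False, "host not in allowlist", []
    try:
        infos = resolver(host, parsed.port or (443 if parsed.scheme == "https" else 80))
    except socket.gaierror:
        return False, "dns failure", []
    ips = [info[4][0] for info in infos]
    if any(is_internal(ip) for ip in ips):
        return False, "resolves to internal address", ips
    return True, "ok", ips

if __name__ == "__main__":
    for u in ("https://api.example.com/v1", "http://127.0.0.1/admin", "https://rebind.example.com/"):
        print(u, check_outbound_url(u, resolver=constructed_resolver))
```

Connect to the returned IPs rather than re-resolving, and follow redirects only by passing each hop back through the check.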
An attacker could take over the administration server by combining these vulnerabilities. The vulnerabilities were reported to Microsoft 3 months ago, and Microsoft has since fixed the issue.