Check Point detailed two recently patched vulnerabilities in Microsoft Azure services that could have allowed hackers to take over cloud services.

Check Point researchers have published technical details of two recently fixed flaws in Microsoft Azure that could have allowed hackers to take over cloud services.

Azure App Service allows users to build and host multi-platform web apps, mobile back ends, and RESTful APIs in the programming language of their choice, without managing infrastructure. It enables automated deployments from GitHub, Azure DevOps, or any Git repo.

The first flaw, tracked as CVE-2019-1234, is a request spoofing issue that affects the Microsoft Azure Stack cloud computing software solution.

“A spoofing vulnerability exists when Azure Stack fails to validate certain requests. An attacker who successfully exploited the vulnerability could make requests to internal Azure Stack resources.” reads the security advisory published by Microsoft.

“An attacker could exploit the vulnerability by sending a specially crafted request to the Azure Stack user portal.”

A remote attacker could exploit the flaw to access screenshots and sensitive information of any virtual machine running on Azure infrastructure, even on isolated virtual machines.

Experts explained that the Service Fabric Explorer is a web tool pre-installed on the machine that takes the role of the RP and Infrastructure Control Layer (AzS-XRP01). It allows viewing the internal services, which are built as Service Fabric Applications (located in the RP Layer). Trying to access the URLs of the services from the Service Fabric Explorer, the experts discovered that some of them don’t require authentication.

The vulnerability is exploitable through Microsoft Azure Stack Portal.

The experts demonstrated that, using the API, they were able to get the virtual machine name and ID, hardware information, and other details, and then use them in another unauthenticated HTTP request to grab screenshots.

“The GetStringAsync function sends an HTTP GET request to the templateUri and returns the data as JSON. There is no validation on whether the host is internal or external (and it supports IPv6). Therefore, this method is a perfect candidate for SSRF. Although this allows only GET requests, as we’ve seen above, it’s sufficient for accessing the DataService.” reads the advisory published by Check Point.

“So let’s use an example. We want to get a screenshot from a machine whose ID is f6789665-5e37-45b8-96d9-7d7d55b59be6 with the 800×600 dimensions:”

The second vulnerability, tracked as CVE-2019-1372, is a remote code execution flaw that affected the Azure App Service on Azure Stack. The vulnerability could be exploited to take complete control over the entire Azure server and consequently take control over an enterprise’s business code.

“A remote code execution vulnerability exists when Azure Stack fails to check the length of a buffer prior to copying memory to it.” reads the advisory published by Microsoft.

“An attacker who successfully exploited this vulnerability could allow an unprivileged function run by the user to execute code in the context of NT AUTHORITY\system thereby escaping the Sandbox.”

The flaw resides in the DWASSVC service, which is responsible for managing and running tenants’ apps and IIS worker processes.

The experts discovered that Azure Stack did not check the length of a buffer before copying memory to it. This means that an attacker could have exploited the issue by sending the DWASSVC service a specially crafted message that exceeded the buffer size. This trick could have allowed the attacker to execute malicious code on the server with NT AUTHORITY\SYSTEM privileges, the highest on the system.

“The workerItemSize is calculated to 108 and the workerItem -> dataLength is 0. In this case, the allocation with the size 0 succeeds and then a memcpy is performed on the allocated area with the size of 108, resulting in a heap based overflow with controlled content and size!” reads the analysis published by Check Point.
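The length mismatch Check Point describes, as an added C example that is not the article's, Check Point's or Microsoft's code: a constructed model of a worker-item message shows the unchecked copy beside a version that validates the declared length against both the copy size and the bytes actually received. The 4-byte header layout, the function names and the sample messages are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a worker item as received over the named pipe: a
 * 4-byte dataLength header (name from the write-up; layout assumed) + payload. */
#define HEADER_SIZE sizeof(uint32_t)

/* Vulnerable pattern as described in the article: the destination is sized by
 * the sender-controlled dataLength, the copy by workerItemSize (108). With
 * dataLength == 0, malloc(0) succeeds and memcpy writes 108 bytes past a
 * zero-byte allocation. Shown for contrast only; nothing here calls it. */
uint8_t *copy_item_unchecked(const uint8_t *msg, size_t workerItemSize) {
    uint32_t dataLength; memcpy(&dataLength, msg, HEADER_SIZE);
    uint8_t *buf = malloc(dataLength);                   /* may be 0 bytes */
    if (buf != NULL)
        memcpy(buf, msg + HEADER_SIZE, workerItemSize);  /* BUG: unchecked length */
    return buf;
}

/* Hardened version: the copy is bounded by the declared length, the declared
 * length by the bytes actually received, and the destination is sized for the
 * copy. Returns NULL and sets *out_len = 0 on any inconsistency. */
uint8_t *copy_item_checked(const uint8_t *msg, size_t msg_len,
                           size_t workerItemSize, size_t *out_len) {
    *out_len = 0;
    if (msg == NULL || msg_len < HEADER_SIZE || workerItemSize == 0) return NULL;
    uint32_t dataLength;
    memcpy(&dataLength, msg, HEADER_SIZE);
    if (workerItemSize > dataLength) return NULL;        /* copy exceeds allocation */
    if (dataLength > msg_len - HEADER_SIZE) return NULL; /* claim exceeds message */
    uint8_t *buf = malloc(dataLength);
    if (buf == NULL) return NULL;
    memcpy(buf, msg + HEADER_SIZE, workerItemSize);
    *out_len = workerItemSize;
    return buf;
}

/* Builds a constructed message claiming `claimed` bytes while carrying `present`
 * payload bytes, runs the checked copy with the given item size, and returns
 * the number of bytes copied (0 when the message is rejected or corrupted). */
size_t sample_copy_len(uint32_t claimed, size_t present, size_t workerItemSize) {
    size_t msg_len = HEADER_SIZE + present;
    uint8_t *msg = malloc(msg_len);
    memcpy(msg, &claimed, HEADER_SIZE);
    for (size_t i = 0; i < present; i++) msg[HEADER_SIZE + i] = (uint8_t)i;
    size_t n = 0;
    uint8_t *buf = copy_item_checked(msg, msg_len, workerItemSize, &n);
    for (size_t i = 0; buf != NULL && i < n; i++)
        if (buf[i] != (uint8_t)i) n = 0;                 /* content must match */
    free(buf); free(msg);
    return n;
}
```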

“So how can an attacker send a message to DWASSVC (DWASInterop.dll)? By design, when running the C# Azure function, it runs in the context of the worker (w3wp.exe),” the analysis continues. “This gives an attacker the possibility to enumerate the currently opened handles. That way, he can find the already opened named pipe handle and send a specially crafted message.”

Chaining the two flaws, an attacker could create a free user account with Azure Cloud and run malicious functions on it, or send unauthenticated HTTP requests to the Azure Stack user portal.

Both flaws were reported by the Check Point researcher Ronen Shustin last year, and Microsoft awarded the expert with 40,000 USD under its Azure bug bounty program.

Pierluigi Paganini