A group of experts revealed finding two critical vulnerabilities in App Services, a service managed by Microsoft Azure. Exploiting these flaws would allow threat actors to take control of a Linux administrative server.
In the report, Intezer security experts mention that the faults encountered would allow attackers to gain the ability to falsify publishing requests and even execute remote code in App Service to deploy additional malicious tasks. The two faults were detected a couple of months ago. After receiving the report, Microsoft began working on an update.
The first of the vulnerabilities was detected in KuduLite, an open source project within App Services to manage the administration page used to register App Services administrators. After discovering that the SSH service on the KuduLite instance uses “root: Docker!” encoded credentials to access the application node, experts were able to log in as the root user.
Once they gained control of KuduLite deployment, experts were able to maintain control over the Software Configuration Management (SCM) web server, which is responsible for systematically managing and controlling changes in documents and codes during the web development cycle.
Finally, researchers were able to access a user’s HTTP requests in SCM, add their own requests, and trigger the injection of malicious JavaScript code into the context of a vulnerable site.
On the other hand, the second vulnerability resides in the KuduLite API, and exists because the app node can send requests to access validation without API access, which can cause severe problems if running in a web application vulnerable to SSRF attacks.
If an attacker succeeds in falsifying a POST request, it can achieve remote code execution on the application node through the command API on Linux systems. On Windows systems (where Kudu is used), packets sent from the application node to the administrator node are discarded.
A potential attack requires the two flaws to be exploited together, because when attackers achieve code execution using the second flaw, it is possible to exploit the first one as well. Threat actors could use phishing attacks to exploit these flaws.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as an cyber security investigator. He also worked for different security companies. His everyday job includes researching about new cyber security incidents. Also he has deep level of knowledge in enterprise security implementation.