Cloud bug condensed

Researchers have documented how they discovered a critical vulnerability on the Microsoft Azure Cloud infrastructure.

Code sanitization shortcomings posed a remote code execution risk in the Azure App Service before Microsoft addressed the problem last October.

Microsoft acknowledged that the flaw was exploitable via Azure Cloud and Azure Stack.

A write-up from Check Point Research details the flaw’s discovery, provides insight into Azure’s internals, and offers a salutary lesson that security in cloud infrastructure shouldn’t be taken for granted.

The vulnerability, CVE-2019-1372, arose because Azure Stack failed to check the length of a buffer before copying memory into it, creating a sandbox escape and remote code execution (RCE) risk.

“An attacker who successfully exploited this vulnerability could allow an unprivileged function run by the user to execute code in the context of NT AUTHORITY\system thereby escaping the Sandbox,” Microsoft’s advisory explains.

Patches issued by Microsoft resolve the vulnerability by ensuring that Azure Stack sanitizes user inputs.
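As an added illustration, not code from the article, Check Point or Microsoft, the following C handler for a hypothetical length-prefixed IPC message performs the validation the article describes as missing: the declared body length is checked against both the bytes actually received and the destination buffer’s capacity before any copy takes place. The message format, buffer size and function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BODY 64   /* capacity of the fixed destination buffer (assumed) */

/* Hardened handler for a hypothetical length-prefixed IPC message:
 * [uint32 body_len][body_len bytes]. The format and names are constructed
 * for illustration, not taken from DWASSVC. The bug class described in the
 * article is a copy performed without the two bounds checks below.
 * Returns the number of body bytes copied, or -1 if the message is rejected. */
int handle_message(const uint8_t *raw, size_t raw_len, uint8_t *out, size_t out_cap)
{
    if (raw == NULL || out == NULL) return -1;
    if (raw_len < sizeof(uint32_t)) return -1;       /* header truncated */
    uint32_t declared;
    memcpy(&declared, raw, sizeof declared);         /* avoid an unaligned read */
    size_t available = raw_len - sizeof(uint32_t);
    if (declared > available) return -1;             /* header claims more than was sent */
    if (declared > out_cap) return -1;               /* would overflow the destination */
    memcpy(out, raw + sizeof(uint32_t), declared);   /* safe: both bounds verified */
    return (int)declared;
}

/* Builds a constructed test message whose header claims `declared` bytes
 * while only `actual` body bytes follow. Returns total length, or 0 on failure. */
size_t build_message(uint8_t *buf, size_t buf_cap, uint32_t declared, size_t actual)
{
    if (buf_cap < sizeof(uint32_t) + actual) return 0;
    memcpy(buf, &declared, sizeof declared);
    memset(buf + sizeof(uint32_t), 'A', actual);
    return sizeof(uint32_t) + actual;
}

int main(void)
{
    uint8_t raw[256], out[MAX_BODY];
    size_t n;
    n = build_message(raw, sizeof raw, 16, 16);
    printf("well-formed message: %d\n", handle_message(raw, n, out, sizeof out));
    n = build_message(raw, sizeof raw, 200, 200);
    printf("oversized body:      %d\n", handle_message(raw, n, out, sizeof out));
    n = build_message(raw, sizeof raw, 200, 16);
    printf("header overstates:   %d\n", handle_message(raw, n, out, sizeof out));
    return 0;
}
```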

No hostile abuse of the vulnerability was recorded prior to its resolution, according to Microsoft.

Breaking the security model

Ronen Shustin, security researcher at Check Point, goes through the architecture and attack vectors against Azure App Service in explaining how he discovered the flaw in one of its components.

Shustin explains how he found the vulnerability in DWASSVC, a service that is responsible for managing and running tenant applications.

The security bug was uncovered using Process Explorer (from the Sysinternals Suite) to examine running processes and trace their execution.

Shustin found that a certain command line used for inter-process communication allowed an attacker to send a specially crafted message in order to exploit the vulnerability.

“The load function brute forces the handles until it finds an open one whose name starts with iisipm,” Shustin said.

“Then it constructs the malicious message and sends it immediately. As a result, DWASSVC crashes.”

Although Shustin only demonstrated a crash, the same vulnerability could be exploited to achieve privilege escalation and worse, the security researcher argues.

Shustin concludes: “Exploiting this vulnerability in all of the plans could allow us to compromise Microsoft’s App Service infrastructure.

“However, exploiting it specifically on a Free/Shared plan could also allow us to compromise other tenant apps, data, and accounts! Thus breaking the security model of App Service.”

Uncharted territory

Cloud security expert Laura Kankaala, a security researcher at Detectify, told The Daily Swig that Check Point’s research highlighted an uncharted but potentially fruitful area of exploration.

“Heap-based memory vulns can be tricky to spot in a black-box scenario, but they have serious implications,” she explained.

“In cloud infrastructure, memory vulns are semi rare (at least for now), but I feel it’s still somewhat of an uncharted territory.

“[It’s] definitely something for researchers to look into.”
