Cybersecurity researcher Paul Litvak from Intezer Lab disclosed an unpatched vulnerability in Microsoft Azure Functions that could be exploited by an attacker to escalate privileges and escape the Docker container that hosts them.
The expert and his colleagues were investigating the Azure compute infrastructure.
“We found a new vulnerability in Azure Functions, which would allow an attacker to escalate privileges and escape the Azure Functions Docker container to the Docker host.” reads the post published by Intezer Lab.
“After an internal assessment Microsoft has determined that the vulnerability has no security impact on Function users as the Docker host itself is protected by a Hyper-V boundary.”
Azure Functions is an event-driven, compute-on-demand experience that extends the existing Azure application platform with capabilities to implement code triggered by events occurring in Azure or third-party services as well as on-premises systems.
Azure Functions can be triggered by HTTP requests and run for only a few minutes, just in time to handle the event. The user’s code is run on an Azure-managed container and served without requiring the user to manage their own infrastructure. The experts discovered that the code is not segmented securely and could be abused to escape the container and access the underlying environment.
The experts created an HTTP trigger to gain a foothold over the Function container, then they wrote a reverse shell to connect to their server once the Function was executed in order to operate an interactive shell.
The researchers noticed that they were running as an unprivileged ‘app’ user in an endpoint with a ‘SandboxHost’ hostname, so they used the container to find sockets belonging to processes with “root” privileges.
“We created a demonstration of the vulnerability—mimicking an attacker having execution on Azure Functions and escalating privileges to achieve a full escape to the Docker host.” continues the post.
The researchers found three privileged processes with an open port: an NGINX without known vulnerabilities, and the MSI and Mesh processes.
Intezer found a flaw in the “Mesh” process that could be exploited to escalate to root within the container.
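The view the researchers relied on, root-owned processes listening inside a container that also runs unprivileged code, can be audited by defenders before deployment. The following is an added example, not code from Intezer's post: it parses a constructed sample in Linux /proc/net/tcp layout, and the function names, ports, UIDs and inode numbers are assumptions.

```python
import socket
import struct

LISTEN = "0A"  # TCP_LISTEN state code used in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from Azure).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21001
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21002
   2: 0100007F:C350 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 21003
   3: 0100007F:9C40 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 21004
"""

def parse_addr(field):
    """Decode 'HEXIP:HEXPORT'; the IPv4 address is stored little-endian."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def privileged_listeners(table, audit_uid=1000):
    """Return listening sockets owned by root that a process running as
    audit_uid in the same network namespace could connect to."""
    findings = []
    for line in table.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 10 or cols[3] != LISTEN:  # keep LISTEN sockets only
            continue
        uid = int(cols[7])
        if uid != 0 or uid == audit_uid:         # only root-owned, cross-user
            continue
        ip, port = parse_addr(cols[1])
        findings.append({"ip": ip, "port": port, "inode": int(cols[9]),
                         # loopback is still reachable from inside the container
                         "loopback_only": ip.startswith("127.")})
    return findings

if __name__ == "__main__":
    # On a live Linux container, pass open("/proc/net/tcp").read() instead.
    for finding in privileged_listeners(SAMPLE):
        print(finding)
```

Each finding is a service whose input handling sits on the boundary between the unprivileged user and root, so it should be reviewed or removed from the image.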
In the last phase of the attack, the experts extended privileges assigned to the container to escape the Docker container and run an arbitrary command on the host.
The experts published PoC exploit code to set up a reverse shell with the squashfs to escalate privileges in Azure Functions and escape the Docker environment.
(SecurityAffairs – hacking, Microsoft)