Check Point researchers have published technical details of two recently fixed flaws in Microsoft Azure that could have allowed hackers to take over cloud services.
The first flaw, tracked as CVE-2019-1234, is a request spoofing issue that affects the Microsoft Azure Stack cloud computing software solution.
A spoofing vulnerability exists when Azure Stack fails to validate certain requests. An attacker who successfully exploited the vulnerability could make requests to internal Azure Stack resources.” reads the security advisory p
“An attacker could exploit the vulnerability by sending a specially crafted request to the Azure Stack user portal.”
A remote attacker could exploit the flaw to access screenshots and sensitive information of any virtual machine running on Azure infrastructure, even on isolated virtual machines.
Experts explained that the Service Fabric Explorer is a web tool pre-installed in the machine that takes the role of the RP and Infrastructure Control Layer (AzS-XRP01). It allows viewing the internal services which are built as Service Fabric Applications (located in the RP Layer). Trying to access the URLs of the services from the Service Fabric Explorer, experts discovered that some of them don’t require authentication.
The vulnerability is exploitable through Microsoft Azure Stack Portal.
The experts demonstrated that using the API they were able to get the virtual machine name and ID,
“The GetStringAsync function sends an HTTP GET request to the
“So let’s use an example. We want to get a screenshot from a machine whose ID is f6789665-5e37-45b8-96d9-7d7d55b59be6 with the 800×600 dimensions:”
The second vulnerability, tracked as CVE-2019-1372, is a remote code execution flaw that affected the Azure App Service on Azure Stack. The vulnerability could be exploited to take complete control over the entire Azure server and consequently take control over an enterprises’ business code.
“A remote code execution vulnerability exists when Azure Stack fails to check the length of a buffer p
“An attacker who successfully exploited this vulnerability could allow an unprivileged function run by the user to execute code in the context of NT AUTHORITY\system thereby escaping the Sandbox.”
The flaw resides in the way the DWASSVC service, which is responsible for managing and running tenants’ apps and IIS worker processes.
The experts discovered that the Azure Stack did not check the length of a buffer before copying memory to it, this means that an attacker could have exploited the issue by sending a specially crafted message to DWASSVC service that exceeded the buffer dimension. This trick could have allowed the attacker to execute malicious code on the server as the highest NT AUTHORITY/SYSTEM privilege.
“So how can an attacker send a message to DWASSVC (DWASInterop.dll)? By design, when running the C# Azure function, it runs in the context of the worker (w3wp.exe),” “This lets an attacker the possibility to enumerate the currently opened handles. That way, he can find the already opened named pipe handle and send a specially crafted message.”
Chaining the two flaws, an attacker could create a free user account with Azure Cloud and run malicious functions on it or sending
Both flaws were reported by the Check Point researcher Ronen Shustin last year, and Microsoft awarded the expert with 40,000 USD under its Azure bug bounty program.