Two vulnerabilities in Azure Stack that could have let attackers gain control over cloud servers or access client data without authorization were responsibly reported to Microsoft and patched in October and November of 2019. Now, researchers at Check Point have published the details of the vulnerabilities and how they could have been exploited had attackers known about them before the patches were applied.

The more damaging of the two, a remote code execution vulnerability assigned CVE-2019-1372, allowed the complete takeover of servers in the Azure App Service on Azure Stack. Azure App Service is used to create web and mobile apps. An attacker with knowledge of this vulnerability could have used a free Azure Cloud user account to send a specially crafted message that caused the server to run code of the attacker's choice at the highest privilege level, NT AUTHORITY\SYSTEM. With SYSTEM-level privileges, an attacker could take over the entire server.

The other flaw, assigned CVE-2019-1234, allowed attackers using the Microsoft Azure Stack Portal to send an HTTP request without any authentication and steal information from any virtual machine on the Azure infrastructure. Researchers demonstrated that exploiting this vulnerability allowed attackers to abuse the “GetVmScreenshot” function to take screenshots of any targeted virtual machine. If a user was logged on and interactively using the Azure virtual machine with sensitive information on the screen at the moment an attacker used this technique, the result could be damaging.
Note: this post was originally shared on https://squiblydoo.blog/ by a member of the Binary Defense Team. In