Intezer Lab announced that they found a new vulnerability in Azure Functions. The vulnerability allows an attacker to escalate privileges and escape the Azure Functions Docker container to the Docker host. According to the announcement, Microsoft has determined, after an internal assessment, that the vulnerability has no security impact on Function users: the host is still protected by another defense boundary that the elevated position does not cross.
Technical details
Intezer stated that, since a user can upload arbitrary code, they used this to gain a foothold on the Function container: a reverse shell that connected back to their control server once the Function executed, giving them an interactive shell. Once on the Function, the researchers noticed that they were running as an unprivileged app user on the endpoint. They then added several tools, including nmap, to the Function directory and re-uploaded the new package. With nmap they scanned localhost and found multiple open ports.
A privileged process associated with a Mesh binary contains a flaw that can be exploited to grant the app user root permissions. Intezer reverse-engineered a public Docker image to achieve this privilege escalation, then abused the extended privileges assigned to the container to escape the Docker container and run an arbitrary command on the host.
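As an added defensive check, not part of Intezer's research or the original announcement: the script below reads a process's CapEff line from /proc/<pid>/status and lists any Linux capabilities beyond Docker's default set, which is one way to audit whether a Function container has been granted extended privileges before an attacker finds them. It assumes the extended privileges take the form of Linux capabilities (the announcement does not say which privileges were involved); the capability table is the kernel's, and the sample status fragments are constructed.

```python
import re

# Linux capability names indexed by bit number (from the kernel's capability.h).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Docker's default capability set for a non-privileged container
# (CapEff 00000000a80425fb). Anything beyond this counts as "extended".
DOCKER_DEFAULT = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
}

def parse_cap_eff(status_text: str) -> int:
    """Return the effective capability mask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)

def decode_caps(mask: int) -> set:
    """Map each set bit to its capability name (unknown bits become CAP_<n>)."""
    return {CAP_NAMES[b] if b < len(CAP_NAMES) else f"CAP_{b}"
            for b in range(mask.bit_length()) if (mask >> b) & 1}

def extra_caps(status_text: str) -> list:
    """Capabilities present beyond Docker's default set, sorted for reporting."""
    return sorted(decode_caps(parse_cap_eff(status_text)) - DOCKER_DEFAULT)

# Constructed sample status fragments: a default container, and one that was
# additionally granted CAP_SYS_ADMIN (bit 21 added to the default mask).
SAMPLE_DEFAULT = "Name:\tpython3\nCapEff:\t00000000a80425fb\n"
SAMPLE_EXTENDED = "Name:\tpython3\nCapEff:\t00000000a82425fb\n"

if __name__ == "__main__":
    with open("/proc/self/status") as f:  # audit the current process
        print("extended capabilities:", extra_caps(f.read()) or "none")
```

Run it inside the Function container (or any container) to see which capabilities the runtime grants beyond the Docker default; an empty result means the container's capability set is no wider than a stock unprivileged container.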