Intezer announced that the company discovered two vulnerabilities in Microsoft Azure. According to the announcement, the vulnerabilities exist in Azure App Services and specifically impact Linux servers. App Services’ administration page is provided by a Microsoft open-source project called Kudu; for Linux, it is a lesser-known project called KuduLite.
Vulnerability 1: KuduLite Takeover/EoP
While investigating the webssh connection, Intezer noticed that the application node’s SSH service uses the hardcoded credentials “root:Docker!” to access the application node. The application node’s SSH port is not accessible from the internet, so on its own this poses no danger. However, Intezer had noticed earlier that the KuduLite instance also ran SSH; when they tried the same credentials on the KuduLite instance, they were able to log in as root. This grants complete control over the SCM web server. It also allows listening to HTTP requests to the SCM web page, adding pages, and injecting malicious JavaScript into the user’s web page.
Vulnerability 2: Lack of Access Checks in KuduLite
The second vulnerability was found in the KuduLite API. Intezer discovered that the application node sends requests to the KuduLite API without any access validation being required. This allows an attacker who manages to forge a GET request to access the application node’s file system and thus steal source code and other assets. Forging a POST request likewise allows remote code execution on the application node.
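As an added illustration (not Intezer’s or Microsoft’s code) of the missing access check described above: a small model of a file-read route on an internal management API, with the unvalidated form beside a version that requires a per-instance token and keeps reads inside the application tree. The route name, the X-Instance-Token header, the token value and the sample file layout are assumptions constructed for the example.

```python
# Added example, not code from the Intezer write-up or from KuduLite.
# Models a management API file-read route: one variant serves any caller
# that can reach it (the pattern behind the missing access check), the
# other requires a per-instance token before touching the file system.
import hmac
import os
import tempfile
from typing import Dict, Optional, Tuple

# Constructed sample "application node" file tree with one source file.
APP_ROOT = tempfile.mkdtemp(prefix="appnode_")
with open(os.path.join(APP_ROOT, "app.py"), "w") as fh:
    fh.write("print('hello')\n")

# Constructed per-instance secret (assumption): provisioned to the node and
# the API at deploy time, never a fixed value like the "root:Docker!" password.
INSTANCE_TOKEN = "constructed-instance-token"


def _safe_path(rel_path: str) -> Optional[str]:
    """Resolve rel_path under APP_ROOT; return None if it escapes the tree."""
    root = os.path.realpath(APP_ROOT)
    full = os.path.realpath(os.path.join(root, rel_path))
    if full == root or full.startswith(root + os.sep):
        return full
    return None


def _read_under_root(rel_path: str) -> Tuple[int, str]:
    """Return (status, body) for a file inside the application tree."""
    full = _safe_path(rel_path)
    if full is None or not os.path.isfile(full):
        return 404, ""
    with open(full) as fh:
        return 200, fh.read()


def vulnerable_vfs_get(rel_path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Weak pattern: headers are ignored, so reaching the API is enough."""
    return _read_under_root(rel_path)


def hardened_vfs_get(rel_path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Same route, but the caller must present the instance token first."""
    presented = headers.get("X-Instance-Token", "")
    # Constant-time comparison so the check itself leaks nothing about the token.
    if not hmac.compare_digest(presented, INSTANCE_TOKEN):
        return 401, ""
    return _read_under_root(rel_path)
```

The check belongs on every route the application node can reach, including those that write or execute, not only the file-read one shown here.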
The Intezer team also stated:
“Finally, these two vulnerabilities can be chained together, since once an attacker achieves code execution with the second vulnerability, provided they have an SSRF vulnerability, they can exploit the first one. We reached out to Microsoft with our findings as part of the responsible disclosure process and the vulnerabilities were quickly acknowledged and fixed.”