I was able to access thousands of companies’ passwords on #Azure and run code on their VMs.
This includes access to Microsoft’s own credentials… 💣
Here’s HOW I did it.
This is the story of #SynLapse. (1/11)
Looking at the Microsoft Azure bounty program, I noticed that “cross-tenant data leakage” in @azuresynapse is regarded as a high-impact scenario ❗️
The service queries data imported from customer sources (MySQL, CosmosDB, Amazon S3...)
How do you define a data source? (2/11)
1. Create a new “Linked Service”.
2. Select a platform, e.g. MySQL.
3. Choose an “integration runtime” (the machine that imports the data), either your own or the shared default one called “AutoResolveIntegrationRuntime”.
And then… you just type in your credentials 🔑 (3/11)
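The three steps above are exactly what an audit should look for: linked services whose connection runs on the shared default runtime, and whose credentials are typed straight into the definition. The script below is an added example, not code from the thread, from Orca or from Microsoft. It assumes the JSON shape that Synapse and Data Factory use for exported linked-service definitions (`properties.type`, `properties.typeProperties`, `properties.connectVia`) and that an omitted `connectVia` means the default shared runtime; the sample definitions, names and connection strings are constructed for the example.

```python
"""Audit exported linked-service definitions for the pattern SynLapse abused:
credentials handed to the shared AutoResolveIntegrationRuntime.

Added example; the JSON layout is assumed from the public Synapse / Data Factory
linked-service schema, and all names and values below are made up."""
import json
import re

# Constructed sample of three linked-service definitions.
SAMPLE_LINKED_SERVICES = json.loads(r"""
[
  {
    "name": "ls_mysql_inline",
    "properties": {
      "type": "MySql",
      "typeProperties": {
        "connectionString": "Server=db.example;Port=3306;Database=app;UID=app;PWD=Hunter2!"
      },
      "connectVia": {
        "referenceName": "AutoResolveIntegrationRuntime",
        "type": "IntegrationRuntimeReference"
      }
    }
  },
  {
    "name": "ls_redshift_default_ir",
    "properties": {
      "type": "AmazonRedshift",
      "typeProperties": {
        "server": "cluster.example",
        "database": "analytics",
        "username": "svc",
        "password": {"type": "SecureString", "value": "s3cret"}
      }
    }
  },
  {
    "name": "ls_mysql_selfhosted_kv",
    "properties": {
      "type": "MySql",
      "typeProperties": {
        "connectionString": "Server=db.example;Port=3306;Database=app;UID=app",
        "password": {
          "type": "AzureKeyVaultSecret",
          "store": {"referenceName": "ls_keyvault", "type": "LinkedServiceReference"},
          "secretName": "mysql-app-password"
        }
      },
      "connectVia": {
        "referenceName": "ir_selfhosted_prod",
        "type": "IntegrationRuntimeReference"
      }
    }
  }
]
""")

SHARED_IR = "AutoResolveIntegrationRuntime"
# Connection-string keys that carry a secret (key=value;key=value;... grammar).
SECRET_KEYS = re.compile(r"(?:^|;)\s*(pwd|password|accountkey|secretaccesskey)\s*=", re.I)


def uses_shared_runtime(props: dict) -> bool:
    """Assumption: a missing connectVia selects the default (shared) runtime."""
    via = props.get("connectVia") or {}
    return via.get("referenceName", SHARED_IR) == SHARED_IR


def has_inline_secret(type_props: dict) -> bool:
    """True when the secret lives in the definition itself. A SecureString is
    still inline: it is only encrypted at rest, and whichever runtime makes the
    connection receives the plaintext. Key Vault references are not inline."""
    for value in type_props.values():
        if isinstance(value, dict):
            if value.get("type") == "SecureString":
                return True
            continue  # AzureKeyVaultSecret or another reference object
        if isinstance(value, str) and SECRET_KEYS.search(value):
            return True
    return False


def audit(linked_services: list) -> list:
    """Return (name, finding) for every linked service on the shared runtime,
    flagging separately those that also embed a secret in the definition."""
    findings = []
    for ls in linked_services:
        props = ls.get("properties", {})
        if not uses_shared_runtime(props):
            continue
        inline = has_inline_secret(props.get("typeProperties", {}))
        findings.append((ls["name"], "shared-ir+inline-secret" if inline else "shared-ir"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_LINKED_SERVICES):
        print(f"{name}: {finding}")
```

The first finding is the one that matters for this class of bug: whichever runtime performs the connection must see the plaintext credential, whether it came from the definition or from Key Vault, so a Key Vault reference keeps the secret out of exported JSON and eases rotation but does not change which machine decrypts it. Moving sensitive sources onto a runtime you control is what removes the shared machine from the path.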
Well, you can install this “integration runtime” software on your own computer.
So I did.
I researched the connectors.
Found a shell injection (CVE-2022-29972) in the Amazon Redshift connector.
Then used this RCE to run code on Azure’s default shared integration runtime. (4/11)
This should stop here.
A sandbox would be in place to isolate different customers and their credentials.
I should also only have very low permissions.
Well, it SHOULD stop here. Unfortunately… (5/11)
I was running as SYSTEM.
I took a memory dump of the exploited process.
It contained my credentials.
It also contained credentials for multiple other companies’ data.
One token was for Microsoft’s own data analytics service.
And this was only a dump on ONE endpoint 🤯 (6/11)
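The finding on the shared runtime was that one process image held credentials belonging to several tenants. The scanner below is an added example, not the tool used in the research, showing the check a responder would run over such a dump: carve connection-string secrets and JWT-shaped tokens out of the bytes and group the tokens by tenant claim. The "dump" is a constructed byte string, the tenant IDs and hosts are made up, and `tid` is assumed to be the tenant claim in the tokens; the regexes are deliberately narrow so the example stays readable.

```python
"""Carve credential-shaped strings out of a process memory image and group the
tokens found by tenant. Added example; the dump and every value in it are
constructed for illustration."""
import base64
import json
import re


def _fake_jwt(tenant_id: str) -> bytes:
    """Build an unsigned JWT-shaped token with a tid claim (constructed data)."""
    header = base64.urlsafe_b64encode(b'{"alg":"RS256","typ":"JWT"}').rstrip(b"=")
    payload = base64.urlsafe_b64encode(
        json.dumps({"tid": tenant_id, "aud": "https://example.invalid/"}).encode()
    ).rstrip(b"=")
    signature = base64.urlsafe_b64encode(b"\x00" * 32).rstrip(b"=")
    return header + b"." + payload + b"." + signature


# Constructed sample dump: a few secrets surrounded by binary noise.
SAMPLE_DUMP = (
    b"\x00\x01\x02" * 40
    + b"Server=db-a.example;Database=sales;UID=tenant_a;PWD=Alpha#2022;" + b"\xff" * 17
    + _fake_jwt("11111111-1111-1111-1111-111111111111") + b"\x00" * 9
    + b"AccountEndpoint=https://cosmos-b.example/;AccountKey="
    + base64.b64encode(b"B" * 64) + b";" + b"\x00" * 23
    + b"this is an ordinary log line with no secret in it\n"
    + _fake_jwt("22222222-2222-2222-2222-222222222222")
)

# key=value pairs whose key names a secret; value runs until ';', NUL or whitespace.
SECRET_KV = re.compile(rb"(?i)(pwd|password|accountkey|secretaccesskey)=([^;\x00\s]{4,})")
# Three base64url segments; a JSON header always encodes to something starting with eyJ.
JWT = re.compile(rb"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")


def _b64url_decode(segment: bytes) -> bytes:
    return base64.urlsafe_b64decode(segment + b"=" * (-len(segment) % 4))


def find_secrets(dump: bytes) -> list:
    """Return hits sorted by offset. Secret values are redacted, never returned whole."""
    hits = []
    for m in SECRET_KV.finditer(dump):
        value = m.group(2).decode(errors="replace")
        hits.append({
            "kind": "connection-string",
            "key": m.group(1).decode().lower(),
            "offset": m.start(),
            "redacted": value[:2] + "..." + value[-2:],
        })
    for m in JWT.finditer(dump):
        try:
            claims = json.loads(_b64url_decode(m.group(0).split(b".")[1]))
        except (ValueError, UnicodeDecodeError):
            continue  # looked like a JWT, but the payload is not JSON
        hits.append({
            "kind": "jwt",
            "offset": m.start(),
            "tid": claims.get("tid"),
            "aud": claims.get("aud"),
        })
    return sorted(hits, key=lambda h: h["offset"])


def tenants_seen(hits: list) -> list:
    """Distinct tenant IDs carried by the tokens found; more than one in a single
    process is the cross-tenant signal."""
    return sorted({h["tid"] for h in hits if h["kind"] == "jwt" and h.get("tid")})


if __name__ == "__main__":
    found = find_secrets(SAMPLE_DUMP)
    for hit in found:
        print(hit)
    print("tenants:", tenants_seen(found))
```

On a real image the same two passes run over `strings`-style output or the raw file; the point of grouping by tenant claim is that a single shared process should never yield more than one.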
I kept digging, and found evidence of an internal management server:
A URL, and a client certificate.
This server exposed an API for querying other customer workspaces.
It allowed me to take FULL control over any customer’s Azure Synapse workspace 😈 (7/11)
Using this API, you can also tell an integration runtime to connect to any data source.
Sound familiar? (Hint: Redshift)
API access + RCE =>
Every integration runtime in the palm of my hands ☠️
INCLUDING ACCESS TO OTHER CUSTOMER CREDENTIALS (8/11)
MSRC took over 4 months to fix the root cause,
and awarded this issue a $60,000 #BugBounty.
So… What were the key mistakes? (9/11)
1. Sandboxes: they exist for a reason.
2. Why would a shared runtime have management credentials to the server managing EVERY runtime?
I was able to access #Azure user credentials and run code on other customers’ machines.
The vulnerability is called #SynLapse.
It was a vulnerability in Azure Synapse Analytics (@Azure_Synapse) & Azure Data Factory, exploiting a major flaw in the tenant separation.
(1/3)
Through access to an internal API server I was able to:
- Obtain access to other customers’ Synapse workspaces
- Perform API operations like adding/deleting resources
- Run code on their service machines
- Most importantly: leak all credentials they stored in the service.
(2/3)
This blog post is an advisory on this issue, in which the root attack vector was patched and assigned CVE-2022-29972.
>>> Technical details soon.
>>> Microsoft’s blog is in the comments.