Tzah Pahima
Jun 14, 11 tweets
I was able to access thousands of companies’ passwords on #Azure and run code on their VMs.
This includes access to Microsoft’s own credentials… 💣

Here’s HOW I did it.
This is the story of #SynLapse. (1/11)
Looking at the Microsoft Azure bounty program, I noticed that “cross-tenant data leakage” in @azuresynapse is regarded as a high-impact scenario ❗️

The service queries data imported from customer sources (MySQL, CosmosDB, Amazon S3...)

How do you define a data source? (2/11)
1. Create a new “Linked Service”.
2. Select a platform, e.g. MySQL.
3. Choose an “integration runtime” (the machine that imports the data), either your own or the shared default one called “AutoResolveIntegrationRuntime”.

And then… you just type in your credentials 🔑 (3/11)
Well, you can install this “integration runtime” software on your own computer.
So I did.

I researched the connectors.
Found a shell injection (CVE-2022-29972) in the Amazon Redshift connector.
Then used this RCE to run code on Azure’s default shared integration runtime. (4/11)
This should stop here.

A sandbox would be in place to isolate different customers and their credentials.
I should also only have very low permissions.

Well, it SHOULD stop here. Unfortunately… (5/11)
I was running as SYSTEM.
I took a memory dump of the exploited process.
It contained my credentials.

It also contained credentials for multiple other companies’ data.
One token was for Microsoft’s own data analytics service.
And this was only a dump on ONE endpoint 🤯 (6/11)
I kept digging, and found evidence of an internal management server:
A URL, and a client certificate.

This server exposed an API for querying other customer workspaces.
It allowed me to take FULL control over any customer’s Azure Synapse workspace 😈 (7/11)
Using this API, you can also tell an integration runtime to connect to any data source.
Sound familiar? (Hint: Redshift)

API access + RCE =>
Every integration runtime in the palm of my hands ☠️

INCLUDING ACCESS TO OTHER CUSTOMER CREDENTIALS (8/11)
MSRC took over 4 months to fix the root cause,
and awarded this issue a $60,000 #BugBounty.

So… What were the key mistakes? (9/11)
1. Sandboxes: they exist for a reason.
2. Why would a shared runtime have management credentials to the server managing EVERY runtime?

Microsoft eventually fixed both.
(10/11)
(11/11) Read the full technical details here >
orca.security/resources/blog…
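Tweet 4 (a shell injection in the Redshift connector, CVE-2022-29972) and the "key mistakes" list in tweet 10 both come down to one coding pattern: an untrusted connection parameter typed into a Linked Service form reaching a shell. The thread gives no connector internals, so the block below is an added, generic illustration of that bug class and its fix, not code from the thread, from Orca, or from Microsoft's connector. The `echo` stand-in for the connector binary, the hostname regex, and the two sample hostnames are all constructed for the example.

```python
import re
import subprocess

# Constructed sample inputs: values a customer might type into a
# "Linked Service" hostname field. The second carries a shell metacharacter.
BENIGN_HOST = "redshift.example.internal"
HOSTILE_HOST = "redshift.example.internal; echo INJECTED"

# Allowlist for RFC 1123 hostnames: dot-separated labels of letters, digits
# and hyphens, no label starting or ending with a hyphen. (Constructed here.)
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_hostname(host: str) -> bool:
    """Layer 1: reject anything that is not a plain hostname before it is used."""
    return len(host) <= 253 and HOSTNAME_RE.match(host) is not None


def connect_unsafe(host: str) -> str:
    """Vulnerable pattern: the user-supplied value is pasted into a command
    line that a shell parses, so ';' terminates the intended command and a
    second one runs. 'echo' stands in for the connector's helper binary."""
    cmdline = f"echo connecting to {host}"
    return subprocess.run(cmdline, shell=True, capture_output=True, text=True).stdout


def run_argv(host: str) -> str:
    """Layer 2: pass an argv list with no shell. The value can only ever be a
    single argument; metacharacters inside it are inert text."""
    argv = ["echo", "connecting", "to", host]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def connect_hardened(host: str) -> str:
    """Both layers together: validate, then execute without a shell."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return run_argv(host)


if __name__ == "__main__":
    print("unsafe, benign :", repr(connect_unsafe(BENIGN_HOST)))
    print("unsafe, hostile:", repr(connect_unsafe(HOSTILE_HOST)))
    print("argv,   hostile:", repr(run_argv(HOSTILE_HOST)))
    try:
        connect_hardened(HOSTILE_HOST)
    except ValueError as err:
        print("hardened, hostile:", err)
```

Running it shows the unsafe builder printing a second line (`INJECTED`) for the hostile input, the argv version printing the whole string as one literal argument, and the hardened version refusing the value before anything runs. Input validation alone is not enough, because a connector has to accept many parameter kinds (passwords, query strings) that cannot be allowlisted as tightly as a hostname; the argv layer is what removes the shell from the picture.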

More from @TzahPahima

May 9
I was able to access #Azure user credentials and run code on other customers’ machines.
The vulnerability is called #SynLapse.

It was a vulnerability in Azure Synapse Analytics (@Azure_Synapse) & Azure Data Factory, exploiting a major flaw in the tenant separation.

(1/3)
Through access to an internal API server I was able to:
- Obtain access to other customers’ Synapse workspaces
- Perform API operations like adding/deleting resources
- Run code on their service machines
- Most importantly: leak all credentials they stored in the service.

(2/3)
This blog is an advisory surrounding this issue, where the root attack vector was patched and assigned CVE-2022-29972.

>>> Technical details soon.
>>> Microsoft’s blog is in the comments.

(3/3)

orca.security/resources/blog…