
We created a C# Azure function which loads a native DLL and calls the load function.


The load function brute forces the handles until it finds an open one whose name starts with “iisipm”. Then it constructs the malicious message and sends it immediately. As a result, DWASSVC crashes.


Although we only demonstrated a crash, this vulnerability could be exploited to achieve privilege escalation.


Impact


Microsoft has various App Service plans:


For more information, see: https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans


Exploiting this vulnerability in all of the plans could allow us to compromise Microsoft’s App Service infrastructure. However, exploiting it specifically on a Free/Shared plan could also allow us to compromise other tenant apps, data, and accounts! This would break the security model of App Service.


Conclusion


The cloud is not a magical place. Although it is considered safe, it is ultimately an infrastructure that consists of code that can have vulnerabilities – just as we demonstrated in this article.


This vulnerability was disclosed to and fixed by Microsoft, and was assigned CVE-2019-1372.
Microsoft acknowledged that this vulnerability worked on Azure Cloud and Azure Stack.
