Critical Microsoft Azure RCE flaw impacted multiple services

Pierluigi Paganini January 19, 2023

Researchers found a new critical remote code execution (RCE) flaw impacting multiple services related to Microsoft Azure.

Researchers from Ermetic found a remote code execution flaw, dubbed EmojiDeploy, that impacts Microsoft Azure services and other cloud services including Function Apps, App Service and Logic Apps.

The issue is achieved through CSRF (Cross-site request forgery) on the ubiquitous SCM service Kudu.

Kudu is the engine behind a number of features in Azure App Service related to source control based deployment, and other deployment methods like Dropbox and OneDrive sync.

An attacker can exploit the flaw to deploy malicious zip archives containing a payload to the victim’s Azure application.

The EmojiDeploy flaw can allow attackers to gain remote code execution and a full takeover of the targeted application. The issue can be exploited to execute command as www users, steal sensitive data, conduct phishing attacks and perform lateral movement to other Azure services.

“The vulnerability enables RCE and full takeover of the target app. The impact of the vulnerability on the organization as a whole depends on the permissions of the applications managed identity.” reads the post published by Ermetic. “Effectively applying the principle of least privilege can significantly limit the blast radius.”

Attackers can exploit the CSRF vulnerability in the Kudu SCM panel to perform cross-origin attacks by issuing a specially crafted request to the “/api/zipdeploy” endpoint. The request contains the malicious zip file encoded as a body and set the Content-Type header to text/plain.

The request is flagged as “standard” by the browser and is accepted, allowing to deliver the malicious archive (i.e. ASPX webshell) and gaining remote access.

“The victim navigates to your payload on your hosted domain with the origin regex bypass – https://victim.scm.azurewebsites.net._.ermetic-research.com./” states the report. “Access the webshell and run code on the victim.”

Below is the timeline for this issue:

October 26, 2022 – The Ermetic research team reports the vulnerability to MSRC
November 2, 2022 – MSRC first response, under review
November 3, 2022 – Microsoft bounty program awards a $30,000 bounty
December 6, 2022 – Microsoft releases a global fix
January 19, 2023 – Ermetic’s public disclosure

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Azure)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment