EmojiDeploy bug allows RCE in Microsoft Azure services

February 3, 2023 - TuxCare PR Team

Ermetic researchers discovered EmojiDeploy, a cross-site request forgery (CSRF) bug in Microsoft Azure services that could allow attackers to remotely execute code on affected systems.

According to the company’s blog post, the vulnerability is in the way Azure’s authentication process for its services is handled. An attacker could potentially trick a user into performing actions on their behalf, such as executing code or accessing sensitive information, by exploiting the CSRF bug.

The flaw was discovered during a penetration testing engagement and reported to Microsoft via its bug bounty program. Microsoft has since issued a patch to address the problem.

The bug was discovered by manipulating a series of misconfigurations and security bypasses in Kudu, a back-end source control management (SCM) tool used by major services such as Azure Functions, Azure App Service, and Azure Logic Apps.

EmojiDeploy is the name given to the bug because Kudu is configured by default in a way that makes it vulnerable to cross-site request forgeries. It would allow an actor to create a malicious Domain Name System record that, by using special characters, could bypass an SCM server’s origin checks. The special characters used by the Ermetic researchers to bypass those checks and security controls in this case were “._.”, which looks like an emoji.

The attacker must then locate a vulnerable endpoint in order to deploy a malicious zip file via a browser. An attacker can run code and commands as the www user, steal or delete sensitive data, take over the app’s managed identity, conduct lateral movement across other Azure services, and facilitate future phishing campaigns with a single click.

The vulnerability, according to Ermetic’s researchers, could have serious consequences for organizations that use Azure services, as it could allow attackers to take over entire systems and steal sensitive data. They also warn that the flaw could be especially dangerous for organizations that use Azure to manage critical infrastructure or sensitive data.

“This vulnerability highlights the need for organizations to be vigilant in protecting their systems and to have robust security measures in place,” said Ermetic CEO, Assaf Harel. “It also serves as a reminder that even the most reputable companies are not immune to security vulnerabilities.”

Microsoft has issued a statement saying that they are aware of the vulnerability and have worked to patch it. They have also stated that they have not seen any evidence of the vulnerability being exploited in the wild. They recommend customers to apply the patch as soon as possible and continue to monitor their systems for any suspicious activity.

The sources for this piece include an article in SCMagazine.

Summary