Severe Vulnerabilities Reported in Microsoft Azure Bastion and Container Registry

June 14, 2023 · Ravi Lakshmanan · Cloud security / vulnerability

Two “dangerous” security vulnerabilities have been identified in Microsoft Azure Bastion and Azure Container Registry that could be exploited to carry out cross-site scripting (XSS) attacks.

“This vulnerability allows unauthorized access to a victim’s session within a compromised Azure service iframe, resulting in unauthorized data access, unauthorized modification, and security breaches in Azure services,” said Lidor Ben Shitrit, a security researcher at Orca, in a report shared with The Hacker News. “It can lead to serious consequences such as broken iframes.”

An XSS attack occurs when a threat actor injects arbitrary code into other trusted websites. This code is executed each time an unsuspecting user visits the site.

The two flaws identified by Orca take advantage of weaknesses in the postMessage handlers of iframes; postMessage is the browser API that allows cross-origin communication between Window objects.


These shortcomings can be exploited to embed an Azure endpoint in a page on a remote server using an iframe tag, ultimately resulting in the execution of malicious JavaScript code and the compromise of sensitive data.

That said, to exploit these weaknesses, a threat actor would first have to reconnoiter various Azure services for missing X-Frame-Options headers or weak Content Security Policy (CSP) settings in order to identify a vulnerable endpoint embedded within the Azure portal.

“Once an attacker successfully embeds an iframe on a remote server, they start exploiting misconfigured endpoints,” explains Ben Shitrit. “They focus on postMessage handlers that handle remote events such as postMessage.”

By analyzing the legitimate postMessages sent from portal.azure[.]com to the iframe, an attacker could craft a suitable payload by embedding the vulnerable iframe on an attacker-controlled server (such as ngrok) and creating a postMessage handler that delivers the malicious payload.

Therefore, when a victim is directed to the compromised endpoint, “a malicious postMessage payload is delivered to the embedded iframe, triggering an XSS vulnerability and executing the attacker’s code within the victim’s context.”
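As an added illustration (not code from Orca's report or from Microsoft), the two sides of the weakness described above: a postMessage handler that trusts any sender and writes message data as HTML, beside a hardened version that checks event.origin against an allow-list, validates the message and uses a text-only sink, plus a small header audit for the X-Frame-Options / CSP frame-ancestors reconnaissance step. The portal origin, the message field name and the sample header values are assumed for illustration.

```javascript
// Origins from which the embedded page expects postMessage events.
// The portal hostname is assumed for illustration.
const TRUSTED_ORIGINS = new Set(["https://portal.azure.com"]);

// Weak handler: accepts a message from any origin and writes it into
// the page as HTML. If the message is attacker-controlled, this is XSS.
function weakHandler(event, host) {
  host.innerHTML = String(event.data.label);
  return true;
}

// Hardened handler: verifies event.origin against the allow-list, validates
// the message shape, and uses a text-only sink so markup is never interpreted.
function hardenedHandler(event, host) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;
  const data = event.data;
  if (data === null || typeof data !== "object") return false;
  if (typeof data.label !== "string" || data.label.length > 256) return false;
  host.textContent = data.label;
  return true;
}

// Audit helper for the reconnaissance step the article mentions: given a
// response's headers, report whether framing is restricted at all.
function framingRestricted(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const csp = lower["content-security-policy"] || "";
  const m = /frame-ancestors\s+([^;]+)/i.exec(csp);
  if (m) return m[1].trim() !== "*"; // CSP frame-ancestors wins when present
  const xfo = (lower["x-frame-options"] || "").trim().toUpperCase();
  return xfo === "DENY" || xfo === "SAMEORIGIN";
}

// Constructed sample: a message that did not come from the portal.
const hostileEvent = {
  origin: "https://attacker.example",
  data: { label: "<b>injected</b>" },
};

// Runs both handlers against the hostile message on stand-in DOM hosts.
function demo() {
  const weakHost = { innerHTML: "", textContent: "" };
  const safeHost = { innerHTML: "", textContent: "" };
  weakHandler(hostileEvent, weakHost);
  const accepted = hardenedHandler(hostileEvent, safeHost);
  return { weakHtml: weakHost.innerHTML, accepted, safeHtml: safeHost.innerHTML };
}
```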


A proof of concept (PoC) devised by Orca showed that a specially crafted postMessage could interact with the Azure Bastion Topology View SVG Exporter or the Azure Container Registry Quickstart to execute XSS payloads.

Following responsible disclosure of the flaws on April 13 and May 3, 2023, Microsoft released security fixes to address them. No further action is required on the part of Azure users.

This disclosure comes more than a month after Microsoft patched three vulnerabilities in its Azure API Management service that could be exploited by malicious actors to gain access to sensitive information and backend services.
