"Cross-Site Forgery Bug Would Facilitate Remote Code Execution in Microsoft Azure Services"

Researchers at Ermetic discovered and disclosed a Cross-Site Request Forgery (CSRF) flaw affecting multiple Microsoft Azure services. The flaw would allow an attacker to take control of a victim's application and execute code on it remotely. Ermetic researcher Liv Matan found the flaw and reported it to Microsoft on October 26, 2022. It chains a series of misconfigurations and security-check bypasses in Kudu, the back-end Source Control Management (SCM) tool used by major services such as Azure Functions, Azure App Service, and Azure Logic Apps. The vulnerability, dubbed "EmojiDeploy", lets an attacker use special characters to build a domain name that the SCM server's origin check accepts; in Ermetic's proof of concept the characters resembled an emoji, which evaded the origin check and related protections. With a vulnerable endpoint identified, the attacker can have the victim's browser submit a malicious zip file to it under the victim's session. From a single click by the victim, an attacker can execute code and commands as the www user, steal or delete sensitive data, take over the application's managed identity, move laterally to other Azure services, and stage further phishing attacks. This article continues to discuss the potential exploitation and impact of the CSRF vulnerability.
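The summary above turns on one mechanism: a server that relies on an Origin check to stop cross-site POSTs, where that check can be satisfied by an attacker-chosen domain containing unusual characters. The following Python example is added here to illustrate that mechanism; it is not Kudu's code, not Ermetic's proof of concept, and does not reproduce the actual bypass. The host name `app-scm.example.net`, the regex, the `/api/zipdeploy`-style handler and the request values are all constructed for the illustration.

```python
import re
from urllib.parse import urlsplit

# Hypothetical SCM origin for this example; it is not an Azure or Kudu host name.
TRUSTED_ORIGIN = "https://app-scm.example.net"

# Flawed check, written the way origin allow-lists often are: the host name is
# pasted into a regex with unescaped dots and no end anchor. In a regex '.'
# matches any single character (an emoji is one character in a Python str), and
# without a '$' nothing stops the host from continuing after 'example.net'.
_WEAK_ORIGIN_RE = re.compile(r"^https://app-scm.example.net")


def weak_origin_check(origin: str) -> bool:
    """Accepts the Origin header if the sloppy regex matches its prefix."""
    return _WEAK_ORIGIN_RE.match(origin) is not None


def strict_origin_check(origin: str) -> bool:
    """Parses the Origin header and compares scheme, host and port exactly."""
    try:
        got = urlsplit(origin)
        want = urlsplit(TRUSTED_ORIGIN)
    except ValueError:
        return False
    return (
        got.scheme == want.scheme
        and got.hostname is not None
        and got.hostname == want.hostname
        and got.port == want.port
    )


def handle_zip_deploy(headers: dict, cookies: dict, origin_check) -> str:
    """Toy deployment endpoint (constructed, not Kudu's). The browser attaches
    the session cookie to any POST, so the Origin check is the only thing
    between a page on an attacker's domain and a deployment under the
    victim's session."""
    if "session" not in cookies:
        return "401 no session"
    if not origin_check(headers.get("Origin", "")):
        return "403 bad origin"
    return "200 deployed"


# Constructed requests: one from the real SCM UI, two from attacker-controlled
# origins that a logged-in victim's browser would send when lured to a page there.
LEGIT_ORIGIN = "https://app-scm.example.net"
EMOJI_ORIGIN = "https://app-scm\U0001F608example.net"          # '.' in the regex matches the emoji
SUFFIX_ORIGIN = "https://app-scm.example.net.attacker.example"  # no end anchor
VICTIM_COOKIES = {"session": "victim-session-token"}            # constructed value


def run_scenarios() -> dict:
    """Returns the outcome of each origin under both checks, keyed by
    (origin name, check name)."""
    results = {}
    origins = (("legit", LEGIT_ORIGIN), ("emoji", EMOJI_ORIGIN), ("suffix", SUFFIX_ORIGIN))
    checks = (("weak", weak_origin_check), ("strict", strict_origin_check))
    for origin_name, origin in origins:
        for check_name, check in checks:
            results[(origin_name, check_name)] = handle_zip_deploy(
                {"Origin": origin}, VICTIM_COOKIES, check
            )
    return results


if __name__ == "__main__":
    for key, outcome in run_scenarios().items():
        print(key, outcome)
```

Under the weak check both attacker origins are deployed as if they were the real UI; under the strict check only the exact trusted origin passes. An Origin check is still only one layer: marking the session cookie `SameSite=Lax` or `Strict` keeps the browser from attaching it to a cross-site POST in the first place, and a per-request anti-CSRF token protects clients that omit the Origin header.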

SC Magazine reports "Cross-Site Forgery Bug Would Facilitate Remote Code Execution in Microsoft Azure Services"

Submitted by Anonymous on