Discovery showed that Microsoft Azure Bastion and Azure Container Registry have two significant security vulnerabilities that could enable cross-site scripting (XSS) attacks. These vulnerabilities, if exploited, could lead to unauthorized access, data breaches, and disruptions in the affected Azure services. Lidor Ben Shitrit, a researcher from Orca Security, reported the findings.
XSS attacks occur when malicious actors inject malicious code into a trusted website, executed when unsuspecting users visit the site. In this case, the vulnerabilities identified by Orca took advantage of a weakness in the postMessage iframe, which facilitates cross-origin communication between Window objects.
Exploiting this weakness would allow threat actors to embed endpoints within remote servers using the iframe tag and execute harmful JavaScript code, potentially compromising sensitive data.
However, it is worth noting that exploiting these vulnerabilities would require threat actors to perform reconnaissance on various Azure services to identify vulnerable endpoints embedded within the Azure portal. These endpoints may have missing X-Frame-Options headers or weak Content Security Policies (CSPs).
Once the attacker successfully embeds the iframe in a remote server, they would focus on the postMessage handler, which handles remote events like postMessages.
Through careful analysis of legitimate postMessages originating from portal.azure[.]com and received by the iframe, malicious actors can create tailored payloads. They achieve this by embedding the compromised iframe into a server under their control, such as ngrok, and setting up a postMessage handler to facilitate the delivery of the malicious payload.
Once a victim accesses the compromised endpoint, the malicious postMessage payload is transmitted to the embedded iframe. As a result, the XSS vulnerability gets triggered, allowing the attacker’s code to execute within the victim’s context. It can lead to various unauthorized activities and potentially compromise the victim’s data and privacy.
Orca demonstrated a proof-of-concept (PoC) where a specially crafted postMessage manipulated the Azure Bastion Topology View SVG exporter or Azure Container Registry Quick Start to execute an XSS payload.
Following the responsible disclosure of the vulnerabilities on April 13 and May 3, 2023, Microsoft promptly addressed the issues by releasing security fixes. As a result, Azure users do not need further action.
It’s worth mentioning that this disclosure was after Microsoft addressed three vulnerabilities in the Azure API Management service, which malicious actors could have exploited to gain unauthorized access to sensitive information or backend services.
