Hack Azure Bastion and Azure Container Registry through XSS vulnerabilities

by time news

2023-06-15 21:24:04

Microsoft Azure Bastion and Azure Container Registry were found to carry a potentially “dangerous” security flaw that, if exploited, could have allowed a cross-site scripting (XSS) attack against the affected service. In an XSS attack, a threat actor injects arbitrary script into an otherwise trusted website; that script then runs in the browser of every visitor to the affected page, with the visitor’s session and privileges, and without the visitor noticing.

Both vulnerabilities found by Orca Security abuse the postMessage API used by embedded iframes, the browser mechanism that lets Window objects on different origins send messages to each other. Because the message handler in the embedded Azure page acted on messages posted by the attacker’s hosting page, an attacker could gain unauthorized access to the victim’s session inside the iframe of the affected Azure service. The consequences include unauthorized access to data, unauthorized tampering, and disruption of the Azure service’s iframes, among other things. In practice, the attacker embeds the affected Azure endpoint in an iframe on a remote server they control and posts a crafted message to it, which ultimately leads to the execution of malicious JavaScript that can expose sensitive data.

Before exploiting these vulnerabilities, however, a threat actor would first need to perform reconnaissance across the various Azure services to find endpoints in the Azure portal interface that can be embedded in a frame on a foreign origin: endpoints that are missing the X-Frame-Options header, or that are served with a Content Security Policy (CSP) lacking a restrictive frame-ancestors directive.

Once such an endpoint has been embedded in an iframe on the remote server, the attacker turns to the page’s postMessage handler, the code that receives and processes window messages arriving from other origins.

To build a suitable payload, the adversary embeds the vulnerable iframe on a server they control (for example, one exposed through ngrok), first captures the post-messages that portal.azure[.]com sends to the iframe, then analyses the subsequent messages sent from the iframe, and finally sets up a post-message handler on the hosting page that sends the iframe a crafted message carrying the malicious payload.

As a result, when a victim is tricked into visiting the attacker’s page that hosts the embedded endpoint, the “malicious post-message payload is delivered to the embedded iframe, which triggers the XSS vulnerability and executes the attacker’s code within the victim’s context.”
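The two technical steps above, the header check an attacker runs during reconnaissance and the behaviour of a postMessage handler that does not validate its sender, are shown in the added example below. It is illustration written for this article, not Orca’s proof of concept and not Azure’s code; the captured header values, the trusted origin, the message format and the DOM stand-ins are all assumptions, and it runs offline in Node.

```javascript
// Added example for this article; not Orca Security's PoC and not Azure's own code.
// Two pieces of the chain described above, run offline in Node on constructed data:
//  1) isFrameable(): the reconnaissance check, can a foreign origin embed this endpoint?
//     (no X-Frame-Options, or a CSP without a restrictive frame-ancestors directive)
//  2) a postMessage handler that trusts any sender and writes message data as markup
//     (the vulnerable pattern) beside a hardened handler that checks event.origin and
//     writes text only. DOM and MessageEvent objects are stubbed; header values,
//     TRUSTED_ORIGIN and the message format are assumptions for illustration.

const TRUSTED_ORIGIN = "https://portal.azure.com"; // assumption: the only origin allowed to post

// Does `origin` match one CSP source expression from frame-ancestors?
// Handles 'self', '*', "https://host", "host" and "*.host" forms; ports are ignored (assumption).
function originMatchesSource(origin, src) {
  if (src === "'self'") return false; // the attacker's page is never the framed page's own origin
  if (src === "*") return true;
  const url = new URL(origin);
  let scheme = null;
  let hostPattern = src;
  const sep = src.indexOf("://");
  if (sep !== -1) {
    scheme = src.slice(0, sep) + ":";
    hostPattern = src.slice(sep + 3);
  }
  hostPattern = hostPattern.split("/")[0].split(":")[0];
  if (scheme !== null && scheme !== url.protocol) return false;
  if (hostPattern.startsWith("*.")) return url.hostname.endsWith(hostPattern.slice(1));
  return url.hostname === hostPattern;
}

// headers: lower-cased response header names -> values, as captured during reconnaissance.
// attackerOrigin: the origin that would host the <iframe> (e.g. an ngrok URL).
function isFrameable(headers, attackerOrigin) {
  const csp = headers["content-security-policy"] || "";
  const fa = csp.split(";").map(d => d.trim()).find(d => /^frame-ancestors(\s|$)/i.test(d));
  if (fa) {
    // When frame-ancestors is present, browsers enforce it and ignore X-Frame-Options.
    const sources = fa.split(/\s+/).slice(1);
    if (sources.length === 0 || sources.includes("'none'")) return false;
    return sources.some(src => originMatchesSource(attackerOrigin, src));
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") return false;
  // No header, or an obsolete value such as ALLOW-FROM that modern browsers ignore.
  return true;
}

// Stand-in for the DOM element the embedded page renders into (constructed for this example).
function makeFakeElement() {
  return { innerHTML: "", textContent: "" };
}

// Vulnerable pattern: the handler never looks at event.origin, so a message posted by the
// attacker's hosting page is processed exactly like one from the portal, and the value is
// written as HTML. Returns true if the message was acted on.
function vulnerableHandler(target) {
  return (event) => {
    const msg = JSON.parse(event.data);   // assumed message shape: {"label": "..."}
    target.innerHTML = msg.label;         // attacker-controlled markup reaches the DOM
    return true;
  };
}

// Hardened pattern: drop anything not posted by the trusted origin, validate the shape,
// and render as text so markup in the value is never parsed.
function hardenedHandler(target) {
  return (event) => {
    if (event.origin !== TRUSTED_ORIGIN) return false;
    let msg;
    try { msg = JSON.parse(event.data); } catch { return false; }
    if (!msg || typeof msg.label !== "string") return false;
    target.textContent = msg.label;
    return true;
  };
}

// Walk the chain once with constructed data and return what happened at each step.
function runScenario() {
  const attackerOrigin = "https://attacker.example";        // constructed: page hosting the iframe
  const capturedHeaders = { "content-type": "text/html" };   // constructed: no framing protection
  const payload = JSON.stringify({ label: "<img src=x onerror=alert(document.domain)>" });
  const hostileEvent = { origin: attackerOrigin, data: payload }; // what the hosting page posts

  const vulnerableDom = makeFakeElement();
  const hardenedDom = makeFakeElement();
  return {
    frameable: isFrameable(capturedHeaders, attackerOrigin),
    vulnerableAccepted: vulnerableHandler(vulnerableDom)(hostileEvent),
    vulnerableHtml: vulnerableDom.innerHTML,
    hardenedAccepted: hardenedHandler(hardenedDom)(hostileEvent),
    hardenedText: hardenedDom.textContent,
  };
}

console.log(runScenario());
```

The scenario shows both halves of the fix in one place: an endpoint that cannot be framed never receives a message from the attacker’s page, and a handler that checks event.origin ignores the message even if framing were allowed. The origin check is the cheaper and more robust of the two, because framing restrictions can be relaxed later for legitimate reasons.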

In a proof of concept (PoC), Orca showed that a carefully crafted postMessage could be used to manipulate the Azure Bastion Topology View SVG exporter or the Azure Container Registry Quick Start page into executing an XSS payload.

