Two “dangerous” security vulnerabilities have been disclosed in Microsoft Azure Bastion and Azure Container Registry that could be exploited to carry out cross-site scripting (XSS) attacks.
“The vulnerability allowed unauthorized access to a victim’s session in a compromised Azure service iframe, which could lead to severe consequences, including unauthorized data access, unauthorized modification, and tampering of Azure service iframes,” Orca security researcher Lidor Ben Shitrit said in a report shared with The Hacker News.
XSS attacks occur when a threat actor injects arbitrary code into a trusted website, which is then executed whenever an unsuspecting user visits the site.
Both weaknesses identified by Orca exploit a weakness in the postMessage iframe mechanism, which enables cross-origin communication between Window objects.
To exploit this vulnerability, however, threat actors must first perform reconnaissance on different Azure services to pinpoint vulnerable endpoints embedded within the Azure portal that may be missing X-Frame-Options headers or have a weak Content Security Policy (CSP).
“Once an attacker manages to embed an iframe on a remote server, they proceed to exploit the misconfigured endpoint,” explains Ben Shitrit. “They focused on postMessage handlers, which handle remote events like postMessages.”
By analyzing the legitimate postMessage sent to the iframe from portal.azure(.)com, an adversary can then craft a suitable payload by embedding the vulnerable iframe in an actor-controlled server (e.g., ngrok) and creating a postMessage handler that sends the malicious payload.
Thus, when the victim is persuaded to visit the compromised endpoint, “a malicious postMessage payload is sent to the embedded iframe, triggering the XSS vulnerability and executing the attacker’s code in the context of the victim.”
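The defect pattern described above, as an added example that is not Orca's or Microsoft's code: a postMessage handler with the two weaknesses the article names (no origin check, and the message body flowing into an HTML sink) beside a hardened version, plus a check for the framing protections (X-Frame-Options, CSP frame-ancestors) that make such an endpoint embeddable in the first place. The trusted origin, message shape and sample headers are assumptions; the functions are pure so they run under Node without a DOM.

```javascript
// Assumption: the only parent allowed to embed this page is the Azure portal origin.
const TRUSTED_ORIGINS = new Set(["https://portal.azure.com"]);

// Vulnerable pattern: event.origin is never checked and the payload is built
// into markup, so any page that can frame this endpoint can inject script.
function vulnerableHandler(event) {
  return { html: `<div class="title">${event.data.title}</div>` };
}

// Hardened pattern: allowlist the sender origin, accept only the expected
// message shape, and return plain text for a textContent sink, never innerHTML.
function hardenedHandler(event, trusted = TRUSTED_ORIGINS) {
  if (!trusted.has(event.origin)) return null;      // drop messages from unknown frames
  const d = event.data;
  if (!d || typeof d !== "object" || d.type !== "setTitle") return null;
  if (typeof d.title !== "string" || d.title.length > 200) return null;
  return { text: d.title };
}

// Defender check for the other half of the bug: which framing restriction does a
// response carry? "csp" for an effective frame-ancestors directive, "xfo" for
// X-Frame-Options, "none" if the page can be framed from anywhere. Browsers that
// support frame-ancestors ignore X-Frame-Options when both are present.
function framingProtection(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const csp = h["content-security-policy"] || "";
  const fa = csp.split(";").map(s => s.trim()).find(s => s.startsWith("frame-ancestors"));
  if (fa) {
    const sources = fa.split(/\s+/).slice(1);
    return sources.includes("*") ? "none" : "csp"; // "frame-ancestors *" is no protection
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  return xfo === "DENY" || xfo === "SAMEORIGIN" ? "xfo" : "none";
}

// Browser wiring (not executed under Node):
// window.addEventListener("message", (e) => {
//   const r = hardenedHandler(e);
//   if (r) document.getElementById("title").textContent = r.text;
// });
```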
In a proof-of-concept (PoC) demonstrated by Orca, a custom-built postMessage could manipulate an Azure Bastion Topology View SVG exporter or an Azure Container Registry Quickstart into running an XSS payload.
Following responsible disclosure of the flaws on April 13 and May 3, 2023, Microsoft is rolling out security fixes to remedy them. No further action is required on the part of Azure users.
The disclosure comes more than a month after Microsoft addressed three vulnerabilities in its Azure API Management service that could be abused by bad actors to gain access to sensitive information or backend services.