
Just in short: I was playing around with an Azure App Service, as I wanted to know how secure it is.

I have discovered that it is possible (using the regularly deployed application) to write to the complete d:\home folder, where the wwwroot and bin folders are also placed. Moreover, it is possible to execute the written files, such as scripts or binary code (inside DLLs) placed under wwwroot, over the web, anonymously. Everything is of course limited by the sandbox and the permissions of the user under which IIS (the application pool) is running. However, the executed code has the same permissions as the application, so it is possible to, e.g., read/write D:\home, read d:\local, access Key Vault, access all kinds of databases... all of this anonymously over the internet (impersonating the account under which IIS is running).

Of course, in the real world, I assume the vulnerable application is installed and allows deploying the potentially malicious code there. This can also be a feature of the application (like simple app management for admins).

I have evaluated it as an OWASP 2010/2013/2017 A5 configuration vulnerability. Additionally, I have calculated the CVSS score as 9.0 (it's not possible to take control over the underlying infrastructure such as the OS or network, otherwise it would be 10).

Would you evaluate this in the same way as I did? I would appreciate answers from people involved in IS, ideally ethical hackers.

If you want to see more you can check here.

Fis
  • What is the reason for downvotes? – Fis May 26 '17 at 12:21
    The "account under which the IIS is running" has no access to databases or other PaaS services like key vault... – BenV May 30 '17 at 21:27
  • But the account has access to resources where such information is stored. It can read everything from D:\Local and D:\Home. Moreover, it can write everywhere in D:\home. In other words, the malicious application deployed using the vulnerable application has completely the same permissions as the regular application does. – Fis May 30 '17 at 22:12
  • Forgot to mention, the malicious app is also using the same configs, i.e. applicationhost and web.config, php config and others. – Fis May 30 '17 at 22:19
  • I think it's a tough call. As a service, they have to try and anticipate everyone's needs (writing logs, overwriting files, updating images, etc.). Who knows what people create. I agree in general that the IIS AppPool user shouldn't be able to write to wwwroot, but AppData directories exist under there. I wouldn't rate this a 9. – CtrlDot Jul 25 '17 at 19:50
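The post's scenario depends on an application feature that writes attacker-controlled files somewhere under wwwroot, where IIS will serve and execute them. Below is an added example (not code from the post or from Azure) of such a "simple app management" upload sink written twice: the vulnerable form that drops uploads into the site's wwwroot, and a hardened form that confines writes to a data directory outside wwwroot, refuses server-executable extensions, and verifies the resolved path after normalisation. The directory layout, the `EXECUTABLE_EXTENSIONS` list and the function names are assumptions made for the example; a temporary directory stands in for D:\home so the script runs anywhere.

```python
"""
Added example, not part of the original post: an admin "upload a file" sink
for an App Service style site, in a vulnerable and a hardened variant.

Constructed layout mirroring the tree described in the post:
    <home>/site/wwwroot   (served and executed by IIS)
    <home>/data/uploads   (data only, never served)
"""
import tempfile
from pathlib import Path

# Extensions that IIS / App Service handler mappings treat as code rather than
# data. Hypothetical list for this example; derive the real one from the
# handler mappings actually configured for the site.
EXECUTABLE_EXTENSIONS = {
    ".aspx", ".ashx", ".asmx", ".asp", ".cshtml", ".php", ".dll", ".exe",
    ".config", ".ps1", ".cmd", ".bat",
}


def make_home() -> Path:
    """Build a throwaway stand-in for D:\\home with the two folders we need."""
    home = Path(tempfile.mkdtemp(prefix="home-"))
    (home / "site" / "wwwroot").mkdir(parents=True)
    (home / "data" / "uploads").mkdir(parents=True)
    return home


def vulnerable_save(home: Path, name: str, content: bytes) -> Path:
    """Vulnerable: the caller picks the file name and the destination is
    wwwroot, so an uploaded shell.aspx becomes anonymously executable."""
    dest = home / "site" / "wwwroot" / name
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(content)
    return dest


def hardened_save(home: Path, name: str, content: bytes) -> Path:
    """Hardened: data directory outside wwwroot, no executable extensions,
    only the final path component is used, and the resolved path is checked."""
    uploads = (home / "data" / "uploads").resolve()

    ext = Path(name).suffix.lower()
    if ext in EXECUTABLE_EXTENSIONS:
        raise ValueError(f"refusing executable extension {ext!r}")

    # Normalise Windows separators, then keep only the base name so
    # "..\\..\\site\\wwwroot\\x" cannot steer the write.
    safe_name = Path(name.replace("\\", "/")).name
    if not safe_name or safe_name in {".", ".."}:
        raise ValueError("empty or traversal file name")

    # Belt and braces: verify the resolved destination is still inside uploads.
    dest = (uploads / safe_name).resolve()
    if uploads not in dest.parents:
        raise ValueError("path escapes the upload directory")

    dest.write_bytes(content)
    return dest


def is_under_wwwroot(home: Path, path: Path) -> bool:
    """True when the written file sits somewhere IIS would serve/execute it."""
    return (home / "site" / "wwwroot").resolve() in path.resolve().parents


if __name__ == "__main__":
    home = make_home()
    bad = vulnerable_save(home, "shell.aspx", b"<%@ Page Language=\"C#\" %>")
    print("vulnerable sink placed file under wwwroot:", is_under_wwwroot(home, bad))
    for candidate in ("shell.aspx", "../../site/wwwroot/notes.txt", "report.txt"):
        try:
            out = hardened_save(home, candidate, b"constructed content")
            print(f"{candidate!r} -> {out} (under wwwroot: {is_under_wwwroot(home, out)})")
        except ValueError as exc:
            print(f"{candidate!r} rejected: {exc}")
```

The extension deny-list is the weaker of the two controls (handler mappings vary per stack, and a .config or .cshtml can be as dangerous as a .aspx); the control that actually removes the anonymous-execution path from the post is keeping the write target outside anything IIS serves.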
